Sun. Dec 10th, 2023
    Cybersecurity Experts Debate the Impact of Proposed Legislation to Void SEC Breach Disclosure Rule

    As the implementation date for the “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” rule approaches, lawmakers are divided on its efficacy and potential burden on cybersecurity professionals. In an attempt to derail the rule, a joint resolution has been filed in Congress arguing that it conflicts with existing regulations and overburdens cybersecurity teams. However, the resolution is controversial, with experts offering differing opinions on its potential impact.

    Some lawmakers, like Rep. Andrew Garbarino and Sen. Thom Tillis, argue that the SEC’s disclosure rule duplicates existing regulations, citing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) as already providing appropriate requirements for cyber incident reporting. They believe that the SEC’s rule increases the burden on an already understaffed cybersecurity workforce and poses unnecessary cybersecurity risks.

    On the other hand, proponents of the SEC’s rule emphasize the importance of transparency for investors. The disclosure requirements aim to standardize breach reporting and keep shareholders informed about major cyber incidents. SEC Chair Gary Gensler asserts that material cybersecurity information is vital for investors and companies alike.

    One concern raised by cybersecurity experts is the double burden the two regimes place on incident response teams. CIRCIA requires covered critical-infrastructure entities to report significant cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours (once CISA's implementing rule is in effect), while the SEC's rule requires public companies to disclose a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material. The two clocks start from different events, go to different agencies, and serve different audiences (a confidential report to a defender versus a public filing for investors), which raises questions about conflicting timelines and confusion for organizations that fall under both.

    Additionally, a recent complaint filed with the SEC by a criminal group, accusing one of its own victims of failing to disclose a breach, has shown how threat actors can weaponize the disclosure rule as extortion leverage. Cybersecurity professionals worry that bad actors will keep exploiting the public nature of the disclosures, and the pressure of the four-business-day deadline, to their advantage.

    Amidst this debate, the proposed joint resolution to void the SEC rule faces uncertainty. GovTrack.us predicts it has an 8% chance of being enacted. Its fate will ultimately depend on further discussions and evaluations by lawmakers.

    FAQ

    What is the “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” rule?

    The “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” rule is a regulation adopted by the Securities and Exchange Commission (SEC) to standardize breach reporting and increase transparency for investors. It requires public companies to disclose a material cybersecurity incident on Form 8-K within four business days of determining that the incident is material (the clock runs from the materiality determination, not from the date of the attack), and to describe their cybersecurity risk management, strategy and governance in their annual reports.

    What is the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)?

    The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is a law that requires organizations in certain critical infrastructure sectors to report significant cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. The reporting obligation takes effect once CISA's implementing rule is in force; the reports go to CISA rather than to the public.

    What are the concerns about the SEC disclosure rule?

    One concern is that the SEC’s disclosure rule duplicates existing regulations, potentially overburdening cybersecurity professionals. There are also worries about threat actors using the public nature of the disclosures to their advantage. Additionally, some experts argue that the rule may create confusion due to potential conflicts with CIRCIA.

    What is the likelihood of the proposed joint resolution to void the SEC rule being enacted?

    According to GovTrack.us, the joint resolution has an 8% chance of being enacted. Its fate will depend on further discussions and evaluations by lawmakers.