Lawmakers want the SEC to expand cyber regs

Sen. Angus King is part of a group of lawmakers pressing the SEC to tighten cybersecurity requirements for publicly traded companies.

Sen. Angus King is part of a group of lawmakers pressing the SEC to tighten cybersecurity requirements for publicly traded companies. Tom Williams/CQ-Roll Call, Inc via Getty Images

As the Securities and Exchange Commission rolls out a series of expanded cybersecurity proposals, a group of bipartisan senators are calling for updates to mandatory reporting requirements for public companies.

A bipartisan group of senators are urging the Securities and Exchange Commission to expand cybersecurity incident reporting requirements for public companies amid a renewed effort to pass national data breach legislation. 

The lawmakers are calling on SEC Chairman Gary Gensler to propose regulations similar to those featured in the Cybersecurity Disclosure Act they sponsored last year, which requires firms to disclose to investors whether a cybersecurity expert is on their board of directors. 

The Feb. 8 letter was signed by Sens. Jack Reed (D-R.I.) Angus King (I-Maine), Susan Collins (R-Maine), Mark Warner (D-Va.), Kevin Cramer (R-N.D.), Catherine Cortez Masto (D-Nev.) and Ron Wyden (D-Ore). 

Sen. King's office told FCW the push for cyber incident reporting requirements was spurred when the Cyberspace Solarium Commission determined reporting requirements would "dramatically improve America's real-time awareness of the threat landscape." 

"Without a clear view of the challenges the nation faces in both the public and private sector, we lack the full information to protect our networks," said Mark Felling, communications director for Sen. King. "There are challenges that need to be accommodated, but the national security imperative is clear."

In January, Gensler asked SEC staff to compile recommendations around incident reporting requirements for public companies, and added that he was exploring ways to update the commission's cyber policies. Just days later, the SEC proposed a rule to extend regulations governing technology infrastructure to bond trading platforms with significant volume. 

The lawmakers' letter also noted that public companies still choose how to respond to cyber incidents and data breaches under the Cybersecurity Disclosure Act, which doesn't mandate specific responses to cyber incidents but rather encourages public companies and investment managers to "pay attention to threats before they are realized."

"The bill does not tell companies how to deal with cybersecurity threats," the letter said. "The goal is to encourage directors to play a more effective role in cybersecurity risk oversight."

The letter also recommends the SEC works with National Cyber Director Chris Inglis' office to create the proposed regulations. 

The SEC has signaled its interest in imposing stricter cybersecurity regulations in recent months, and a willingness to increase mandatory reporting requirements across different parts of the financial services landscape. This week, the commission proposed rules that would require registered investment advisers to report significant cybersecurity incidents to the commission on a new confidential form. 

Gensler said in a press release that the proposed rules "are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks."