Rep. Jim Langevin was responding to an industry assertion that the SEC proposal undercuts the will of Congress, given recently enacted legislation.
Rules the Securities and Exchange Commission has proposed that would require public companies to disclose their cyber incidents are needed and do not conflict with a new law that shields companies from liability for reporting such incidents to the Cybersecurity and Infrastructure Security Agency, according to Rep. Jim Langevin, D-R.I.
Langevin participated in an event the U.S. Chamber of Commerce hosted on the issue Wednesday. In a conversation with the congressman, Christopher Roberti, the Chamber’s senior vice president for cyber, intelligence and supply chain security policy, took issue with the SEC proposal, asserting it runs counter to the spirit of the new incident reporting law, which Langevin and other leaders of cyber policy have largely supported.
The law generally aims to incentivize companies to report cyber incidents to CISA by promising that the reports won’t be made public through channels such as Freedom of Information Act requests, can’t be used for regulatory enforcement by other agencies, and can’t be used as evidence in lawsuits against the companies. CISA would then anonymize the information and, ostensibly, prevent cascading consequences by distilling data on threats and disseminating mitigations to the broader ecosystem of critical infrastructure.
The proposal from the SEC, a regulatory enforcement agency, would require companies to report their cyber incidents in publicly accessible Form 8-K filings, along with the measures they’ve proactively taken to secure their systems from cyberattacks.
“When we look at the law and the will of Congress versus the SEC proposed rule, it seems to us that Congress has spoken and used things like confidentiality and liability protection as a means to foster a virtuous circle of reporting and action,” Roberti said. “To us, it would seem like the Securities and Exchange Commission’s proposed rule ... could upend that intent of Congress.”
Lawmakers on both sides of the aisle have been touting passage of the law as an urgently needed measure in response to the threat posed by Russia, in the wake of sanctions following the Kremlin’s invasion of Ukraine. But the incident reporting provisions will only become effective after the conclusion of a rulemaking process at CISA that could drag on for years. The end of the rulemaking process will also trigger the establishment of an interagency council that will then be tasked with “harmonizing” the reporting requirements of CISA and various agencies.
“I do think we can balance those sensitivities with a need to help shareholders better understand cyber risks,” Langevin said. “Post breach disclosure cost is a really important part of that risk communication … shareholders really should be able to [distinguish] between companies that take cybersecurity seriously, and those who don't. That's really part of the goal also.”