Industry Groups Butt Heads on SEC’s Incident Reporting Rules

A major trade association for relevant financial-sector entities is asking the regulatory agency to hold off in favor of incident reporting rules being implemented at the non-regulatory Cybersecurity and Infrastructure Security Agency.

Members of corporate boards and groups lobbying on behalf of the companies they govern are on opposite sides of a debate over the Securities and Exchange Commission’s proposal to require that publicly traded companies regularly disclose any cybersecurity incidents they experience, along with how they’re managing such risks.

“The SEC’s actions in the past year, paired with recently released rules, draw a line under the critical role of management and boards in protecting not just investors and customers, but also the sound functioning of American business,” said Friso van der Oord, senior vice president of content at the National Association of Corporate Directors. “Preparing effective disclosure of material cyber risks and incidents has long been a key principle of cyber risk oversight advocated by NACD.”

NACD on Thursday joined the continuous monitoring firm SecurityScorecard and the Cyber Threat Alliance—a nonprofit threat-intelligence sharing organization led by former national cybersecurity advisor and coordinator Michael Daniel—in releasing a report on the issue. It concludes, “the proposed rules, if enacted as currently drafted, would strengthen the ability of public companies, funds and advisors to combat cybersecurity threats and implement risk mitigation processes.”

Their collective support for the proposed rules stands in stark contrast to recent pushback from executives at the U.S. Chamber of Commerce and the Securities Industry and Financial Markets Association, which describes itself as “the leading trade association for broker-dealers, investment banks and asset managers operating in the U.S. and global capital markets.” 

The Chamber, SIFMA and others opposing the SEC’s proposal—including a leading trade association for the biggest tech companies—are pointing to pending implementation of a new incident reporting law—the Cyber Incident Reporting for Critical Infrastructure Act of 2022—at the Cybersecurity and Infrastructure Security Agency. 

“While we appreciate the intent behind the SEC’s proposed rulemaking is to improve public companies’ cybersecurity postures and disclose material cybersecurity incident information to investors, we are concerned that the rulemaking is potentially duplicative of the incident reporting requirements in recently passed legislation,” John Miller, senior vice president and general counsel for the Information Technology Industry Council, told Nextgov.

In comments on the proposed rules, SIFMA cited the new law in telling the SEC it should reconsider issuing incident reporting rules as they wouldn’t “respect the intent of Congress.” 

“While we support the policy goals behind the proposed reporting, disclosure and cyber hygiene requirements, we have concerns about … its deviation from current Congressional efforts to centralize cyber-related communication channels,” the group wrote. “We respectfully implore the Commission to reconsider finalizing its proposed cybersecurity regulations and particularly refrain from promulgating cyber rules until CIRCIA and related regulations from CISA come into effect.”

An aide for the lawmaker who took CIRCIA past the finish line in Congress—Sen. Gary Peters, D-Mich.—said the law was actually designed to protect the authority of sector-specific regulators.

“There is nothing in the bill that overrides any existing regulations or any other agency’s authority to require their own reporting or regulate if a company is breached,” the Peters aide told Nextgov. “To the degree CISA harmonizes requirements between this new law and existing regulations, that is the entire purpose of going through the federal rulemaking process. The process requires input from other agencies, input from the companies that will be regulated and a public comment period to ensure that the rule preserves existing regulatory authorities.”

But observers have a hard time seeing how those goals of the legislation will be reconciled in what they expect to be a protracted rulemaking process at CISA.

One crucial detail surrounding the different incident reporting regimes regards their enforcement mechanisms. While Sen. Mark Warner, D-Va., ultimately supported passage of CIRCIA, he bemoaned the removal of fines in an initial proposal he made, saying the provisions had become “toothless.”

The cybersecurity company Rapid7 also noted that the penalty for a company being discovered as failing to report a qualifying incident under the law—potentially being found in contempt of court—would not be particularly motivating for companies to improve their cybersecurity.

In contrast, the report released in support of the SEC’s rules Thursday highlighted recent enforcement actions at the SEC and the agency’s related powers. Specifically, the regulator can make “administrative orders,” which, according to analysis from Bloomberg Law, can result in “cease and desist orders, suspension or revocation of broker-dealer and investment advisor registrations, censures, bars from association with the securities industry or from appearing or practicing as an attorney or an accountant before the Commission, civil monetary penalties, and disgorgement.”

In addition to new incident reporting rules, the SEC is proposing a rule for public companies which echoes the sentiment of bipartisan legislation calling for registered issuers of securities to disclose whether any member of its governing body has expertise in cybersecurity.

“The [proposed rule for public companies] would also … require disclosures regarding board oversight of a company’s cybersecurity risk, and the implementation of related policies,” the proponents’ report said. “This would include a description of whether specific management positions at the company are responsible for measuring cybersecurity risk, as well as the expertise of the individuals in such positions.”

SIFMA also opposed such rules, saying, “while we recognize the importance of firms maintaining robust governance structures and comprehensive compliance programs with a reporting line to escalate cyber issues to senior management and the board (or board committee), we believe the requirement that boards approve policies and procedures and exercise formal oversight is too prescriptive and crosses into the realm of management.”
