Industry Groups Butt Heads on SEC’s Incident Reporting Rules


A major trade association for relevant financial-sector entities is asking the regulatory agency to hold off in favor of incident reporting rules being implemented at the non-regulatory Cybersecurity and Infrastructure Security Agency.

Members of corporate boards and groups lobbying on behalf of the companies they govern are on opposite sides of a debate over the Securities and Exchange Commission’s proposal to require that publicly traded companies regularly disclose any cybersecurity incidents they experience, along with how they’re managing such risks.

“The SEC’s actions in the past year, paired with recently released rules, draw a line under the critical role of management and boards in protecting not just investors and customers, but also the sound functioning of American business,” said Friso van der Oord, senior vice president of content at the National Association of Corporate Directors. “Preparing effective disclosure of material cyber risks and incidents has long been a key principle of cyber risk oversight advocated by NACD.”

NACD on Thursday joined the continuous monitoring firm Security Scorecard and the Cyber Threat Alliance—a nonprofit threat-intelligence sharing organization led by former national cybersecurity advisor and coordinator Michael Daniel—in releasing a report on the issue. It concludes, “the proposed rules, if enacted as currently drafted, would strengthen the ability of public companies, funds and advisors to combat cybersecurity threats and implement risk mitigation processes.”

Their collective support for the proposed rules stands in stark contrast to recent pushback from executives at the U.S. Chamber of Commerce and the Securities Industry and Financial Markets Association, which describes itself as “the leading trade association for broker-dealers, investment banks and asset managers operating in the U.S. and global capital markets.”

The Chamber, SIFMA and others opposing the SEC’s proposal—including a leading trade association for the biggest tech companies—are pointing to pending implementation of a new incident reporting law—the Cyber Incident Reporting for Critical Infrastructure Act of 2022—at the Cybersecurity and Infrastructure Security Agency.

“While we appreciate the intent behind the SEC’s proposed rulemaking is to improve public companies’ cybersecurity postures and disclose material cybersecurity incident information to investors, we are concerned that the rulemaking is potentially duplicative of the incident reporting requirements in recently passed legislation,” John Miller, senior vice president and general counsel for the Information Technology Industry Council, told Nextgov.

In comments on the proposed rules, SIFMA cited the new law in telling the SEC it should reconsider issuing incident reporting rules as they wouldn’t “respect the intent of Congress.”

“While we support the policy goals behind the proposed reporting, disclosure and cyber hygiene requirements, we have concerns about … its deviation from current Congressional efforts to centralize cyber-related communication channels,” the group wrote. “We respectfully implore the Commission to reconsider finalizing its proposed cybersecurity regulations and particularly refrain from promulgating cyber rules until CIRCIA and related regulations from CISA come into effect.”

An aide for the lawmaker who took CIRCIA past the finish line in Congress—Sen. Gary Peters, D-Mich.—said the law was actually designed to protect the authority of sector-specific regulators.

“There is nothing in the bill that overrides any existing regulations or any other agency’s authority to require their own reporting or regulate if a company is breached,” the Peters aide told Nextgov. “To the degree CISA harmonizes requirements between this new law and existing regulations, that is the entire purpose of going through the federal rulemaking process. The process requires input from other agencies, input from the companies that will be regulated and a public comment period to ensure that the rule preserves existing regulatory authorities.”

But observers have a hard time seeing how those goals of the legislation will be reconciled in what they expect to be a protracted rulemaking process at CISA.

One crucial detail surrounding the different incident reporting regimes regards their enforcement mechanisms. While Sen. Mark Warner, D-Va., ultimately supported passage of CIRCIA, he bemoaned the removal of fines in an initial proposal he made, saying the provisions had become “toothless.”

The cybersecurity company Rapid7 also noted that the penalty for a company being discovered as failing to report a qualifying incident under the law—potentially being found in contempt of court—would not be particularly motivating for companies to improve their cybersecurity.

In contrast, the report released in support of the SEC’s rules Thursday highlighted recent enforcement actions at the SEC and the agency’s related powers. Specifically, the regulator can make “administrative orders,” which, according to analysis from Bloomberg Law, can result in “cease and desist orders, suspension or revocation of broker-dealer and investment advisor registrations, censures, bars from association with the securities industry or from appearing or practicing as an attorney or an accountant before the Commission, civil monetary penalties, and disgorgement.”

In addition to new incident reporting rules, the SEC is proposing a rule for public companies that echoes the sentiment of bipartisan legislation calling for registered issuers of securities to disclose whether any member of their governing body has expertise in cybersecurity.

“The [proposed rule for public companies] would also … require disclosures regarding board oversight of a company’s cybersecurity risk, and the implementation of related policies,” the proponents’ report said. “This would include a description of whether specific management positions at the company are responsible for measuring cybersecurity risk, as well as the expertise of the individuals in such positions.”

SIFMA also opposed such rules, saying, “while we recognize the importance of firms maintaining robust governance structures and comprehensive compliance programs with a reporting line to escalate cyber issues to senior management and the board (or board committee), we believe the requirement that boards approve policies and procedures and exercise formal oversight is too prescriptive and crosses into the realm of management.”