Biden to veto any efforts to shutter SEC cyber disclosure rules

The SEC argues the disclosure rule forces firms to be more transparent with investors. Opponents say it may compromise sensitive business data and publicize vulnerabilities.

The White House on Wednesday affirmed its commitment to a Securities and Exchange Commission rule that would require publicly traded firms to disclose cybersecurity incidents, declaring that President Joe Biden will veto any legislative efforts to shutter the agency regulation.

“Reversing the SEC’s rulemaking would not only disadvantage investors who deserve to have a clear understanding of the cyber risk underlying their investment but would also cause companies to undervalue investments in cyber programs to the detriment of our economic and national security,” the Office of Management and Budget said in a statement referring to a November resolution, led by Sen. Thom Tillis, R-N.C., that would nullify the rules.

House lawmakers led by the chamber’s Homeland Security cyber subcommittee chair, Rep. Andrew Garbarino, R-N.Y., are also backing a companion measure. Garbarino, a major backer of the Cybersecurity and Infrastructure Security Agency, has argued that CISA would be best suited to handle cyber incident disclosures from publicly traded companies, and that the SEC rule forces firms to reveal sensitive information about their businesses and potentially publicize their cyber vulnerabilities.

The SEC approved the rule in July, with the intent of bringing more transparency to investors about how cybersecurity incidents impact companies’ bottom lines by forcing them to report breaches within four days.

The disclosure rule's requirements have put firms in the headlines, with high-profile companies including Microsoft and Hewlett Packard coming forward through SEC 8-K filings to reveal that a Russia-linked hacking group compromised their systems.

The SEC’s X — formerly Twitter — account was itself compromised in a SIM-swapping hack on Jan. 9, when a hacker noticed that the account did not have multi-factor authentication set up to verify user logins.

“Ransomware attacks are up 45 percent year over year. The lack of transparency by public companies about cyber incidents impacting their operations and data is fueling increasing cyberattacks across all sectors and all industries,” the White House said. “Greater transparency about cyber incidents, as required in the SEC’s rule, will incentivize corporate executives to invest in cybersecurity and cyber risk management.”