House cyber chairman tries again to undo SEC cyber disclosure rules

Rep. Andrew Garbarino, R-N.Y., talks on his phone on the House steps after a vote in the Capitol on Friday, September 29, 2023. Bill Clark/CQ-Roll Call, Inc via Getty Images

Rep. Andrew Garbarino, a New York Republican, said he plans to get the measure into a House Financial Services markup.

A leading cyber-focused lawmaker will once again attempt to loosen regulations on publicly traded companies that currently require them to openly disclose cybersecurity incidents to the Securities and Exchange Commission.

Rep. Andrew Garbarino, R-N.Y., who leads the House Homeland Security Committee’s cybersecurity panel, is working to get a measure that would dissolve the rule into a roster of Congressional Review Act resolutions being considered in a House Financial Services Committee markup session later this month, he told Nextgov/FCW.

The CRA allows Congress to reverse federal agency actions, and requires lawmakers to move those measures to their chambers’ floors for votes before they are sent to the White House for signing. CRA resolutions have previously been advanced by the GOP-led House finance panel in an attempt to reverse Biden-era financial industry regulations.

Garbarino, who’s also a member of House Financial Services, has argued that the Cybersecurity and Infrastructure Security Agency would be best suited to deal with such cyber incident disclosures. He believes the current SEC mandate forces firms to reveal sensitive information about their businesses and publicize their vulnerabilities, which could draw unwanted attention from other hackers.

The SEC approved the rule in July with the intent of bringing more transparency to investors about how cyberattacks impact companies’ bottom lines, forcing them to report breaches within four days.

The White House in January affirmed its commitment to the directive and said President Joe Biden will veto any legislative efforts to shutter the agency regulation, singling out a November resolution led by Garbarino that would have nullified the enforcement. 

But Garbarino said the executive branch might have to rethink its stance. “Every industry has come into my office and said they hate this SEC rule. It’s causing a lot of problems,” he said. 

He also pointed to testimony from a Tuesday hearing in which private sector witnesses criticized the rule as being too burdensome and said it creates incentives that prevent information-sharing about cyber incidents between companies.

“I think the White House might have to reconsider now if they hear from industry, and if there’s a big bipartisan vote [on the resolution] in the House,” Garbarino said, adding that he believes there are a lot of members on both committees that do not like the rule.

He also highlighted support from Eric Swalwell, D-Calif., the lead Democratic lawmaker on the cyber subcommittee, who argued that the disclosure rule forces companies to direct their attention to potential legal dilemmas instead of cyber threat mitigation.

A Fortune 100 Chief Information Security Officer told Swalwell that “when an attack happens now, rather than respond to the attack, the first thing that you do is you huddle all the lawyers,” the lawmaker said in the Tuesday hearing. “And you’re losing precious response time because you’re worried about your personal liability on any action you take.”

“You don’t want to have to worry about being fined by the SEC and having your attorneys meet [with them], when you should be focused on defense and make sure the vulnerabilities are fixed,” Garbarino said.

The disclosure requirements have led several well-known companies, including Microsoft, Hewlett Packard and UnitedHealth, to come forward through SEC 8-K filings to reveal hacking incidents that have compromised their systems. Just yesterday, Dropbox said in a filing that its electronic signature platform was breached.

“This added transparency will help investors more effectively assess such risks and make informed investment decisions,” an SEC spokesperson told Nextgov/FCW. The White House and House Financial Services Committee did not return requests for comment.

“Ransomware attacks are up 45% year over year. The lack of transparency by public companies about cyber incidents impacting their operations and data is fueling increasing cyberattacks across all sectors and all industries,” the White House said in January when it vowed to quash attempts that would undo the rule.

The joint resolution would require both House and Senate passage before proceeding to President Biden’s desk. A companion measure was most recently led by Thom Tillis, a Republican senator for North Carolina.