The Biden administration has expressed to congressional representatives its strong opposition to undoing the Securities and Exchange Commission’s (SEC) strict data breach reporting rule.
In a policy statement [PDF] published yesterday by Biden’s Office of Management and Budget (OMB), the administration said it “strongly opposes” Senate Joint Resolution 50, introduced in November by Senator Thom Tillis (R-NC). The joint resolution, along with House Joint Resolution 100, sponsored by Representative Andrew Garbarino (R-NY) and introduced the same day, would nullify the SEC rules adopted in July of last year.
The SEC’s rule requires public companies hit by cybercriminals to report the incident within four days. Given that the SEC’s primary concern is protecting investors, the body is mostly concerned with breaches that could have a “material” effect on a company’s bottom line, and thus present a risk to shareholders.
“The lack of transparency by public companies about cyber incidents impacting their operations and data is fueling increasing cyberattacks across all sectors and all industries,” the Biden OMB said in its objection to the Senate bill. “Greater transparency about cyber incidents, as required in the SEC’s rule, will incentivize corporate executives to invest in cybersecurity and cyber risk management.”
“If the president were presented with S.J. Res. 50, he would veto it,” OMB said.
Undoing any breach reporting requirement seems antithetical to the work a Senator ought to be doing; we asked Tillis’s office to explain his reasoning, but didn’t hear back.
Garbarino, on the other hand, issued a statement in November after submitting his companion resolution in the House that makes his position on the matter clear: Breach reporting requirements are the Cybersecurity and Infrastructure Security Agency’s (CISA) job.
“This cybersecurity disclosure rule is a complete overreach on the part of the SEC and one that is in direct conflict with congressional intent,” Garbarino said in the November release. “CISA, as the lead civilian cybersecurity agency, has been tasked with developing and issuing regulations for cyber incident reporting as it relates to covered entities.”
Garbarino said Congress and the Biden administration are on the same page with regard to harmonizing cybersecurity reporting requirements (though that doesn’t appear to be the case based on the OMB policy statement). He also said the SEC was simply creating duplicative requirements that “further burden an understaffed cybersecurity workforce with additional and unnecessary reporting requirements.”
Part of those concerns may stem from the public nature of SEC incident reports, which have to be submitted on SEC Form 8-K, the contents of which are public. Disclosures must include the scope, timing, and nature of the incident, though disclosure may be delayed if the US Attorney General determines doing so would pose a risk to national security or public safety.
Tillis, in a brief comment on Garbarino’s release, only described the SEC’s reporting rule as Commission chair Gary Gensler doing his best “to hurt market participants by overregulating firms into oblivion,” with an onerous rule “that creates unrealistic timelines and unnecessary red tape that will ultimately make markets less safe overall.”
It’s not clear what the Senator and Congressman think of the Federal Trade Commission’s (FTC) 30-day breach reporting requirement passed in October, which isn’t mentioned in the earlier statement or resolutions.
Someone has to do something
Despite Garbarino’s professed belief that CISA is the one that should be handling breach reporting requirements, the agency has yet to pass any rules that would do so.
President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) into law in March 2022, but CISA had 24 months from passage (March 2024) to present a rule for consideration, which it has yet to do. When CISA’s reporting requirements eventually go into effect, the disclosure window will be even smaller than the SEC’s. CIRCIA asked CISA to give cybersecurity incident victims a mere 72 hours – three days – to report a breach.
In the meantime, the FTC and SEC have taken matters into their own hands, which appears to be helping – we’ve even been able to report on breaches at companies like HPE thanks to SEC reports.
As previously reported, the number of victims paying ransomware operators has fallen to 29 percent. The company behind that statistic, ransomware negotiation firm Coveware, attributes much of the decrease in ransom payments in recent months to reporting requirements from the SEC and FTC.
Those payments are down despite what the White House OMB said was a 45 percent increase in ransomware attacks year-over-year.
“Reversing the SEC’s rulemaking would not only disadvantage investors … but would also cause companies to undervalue investments in cyber programs to the detriment of our economic and national security,” the OMB said.
Then again, maybe giving the SEC cybersecurity reporting authority isn’t the best move – after all, the agency can’t even keep its Twitter account secure. ®