A prominent tech trade group is asking the Securities and Exchange Commission to hold off on implementing a slew of new cybersecurity-related regulations, saying they could confuse industry and step on similar efforts by other agencies.
The SEC has proposed a number of new security mandates for publicly traded companies and investment firms, including requirements to report past or ongoing hacks to the government, outline information security risk management policies and procedures and detail the cybersecurity backgrounds of executives and boards of directors.
In public comments submitted to the SEC, IT trade group the Information Technology Industry Council (ITI) raises a series of concerns about the agency's new regulations. While ITI says it supports the agency's end goal of "improving investors' awareness" of cybersecurity incidents, it is calling for implementation of the rules to be delayed until the SEC can engage further with industry and deconflict its rules with other agencies, like the Cybersecurity and Infrastructure Security Agency (CISA), that are setting up their own reporting regimes.
“ITI supports the SEC’s intent to improve investors’ awareness of material cybersecurity incidents and believes that in many instances offering information about cybersecurity incidents and governance procedures can help to improve transparency,” the group wrote May 9. “However, we also have concerns with the way the proposed rule is currently written, including the fact that it could lead to disclosure of unmitigated vulnerabilities and that it may precede and thus overlap with the CISA rulemaking to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022.”
For instance, while the rule is written to allow companies to omit many of the technical details of their response to a cybersecurity incident, it also contains a provision requiring them to make a materiality determination about whether the incident is covered under the new regulations “as soon as reasonably practical.” This kind of wording, the group argues, “introduces the likelihood that registrants would have to publicly disclose incidents prior to the mitigation of the vulnerabilities.” ITI points out that other agencies, like CISA and the General Services Administration, use language in their own regulations that prioritizes vulnerability mitigation over reporting.
The organization calls for SEC officials to deconflict their rules with CISA, which is in the midst of standing up its own reporting process for critical infrastructure. In its comments, ITI notes that if a critical infrastructure entity is also a publicly traded company, it would potentially be subject to both SEC and CISA reporting rules, “adding further complexity to an already saturated landscape for those companies.”
“Rather than prematurely adding another layer of conflicting and overlapping incident reporting regulations that will necessarily draw legal and cyber incident response resources from the labor-intensive, fast-paced, and time-sensitive work of cyber incident response, we believe that it would be helpful for the SEC to first understand the direction that CISA is heading in with regard to the implementation of [incident reporting], as understanding this context will help inform the direction the SEC takes in appropriately calibrating the proposed rule in a way that helps investors without harming cybersecurity,” the group writes.
ITI also wants the SEC to adopt the same definition of “covered cybersecurity incident” that is used in the Cyber Incident Reporting for Critical Infrastructure Act, lengthen the four-day timeline for companies to report material incidents, and eliminate a requirement to disclose incidents affecting the company’s third-party technology vendors or service providers.