Congressional resolution would overturn SEC cyber incident reporting rules

Rep. Andrew Garbarino (R-N.Y.) and Sen. Thom Tillis (R-N.C.) last week introduced a resolution of disapproval to overturn the Securities and Exchange Commission’s cyber incident reporting rule. The rule, which the SEC adopted in July, requires public companies to disclose material cybersecurity incidents within four business days of determining that an incident is material. It also requires public companies to disclose information about their cybersecurity risk management, strategy and governance on an annual basis.

The resolution of disapproval, which was brought under the Congressional Review Act, would overturn the SEC rule if adopted by both chambers of Congress and signed by the president. “Congress has been clear in its intent to harmonize federal incident reporting requirements, a position that the Biden administration has emphasized as well,” Garbarino said. “Despite this, the SEC took it upon itself to create duplicative requirements that not only further burden an understaffed cybersecurity workforce with additional and unnecessary reporting requirements, but also increase cybersecurity risk without a congressional mandate and in direct contradiction to public law that is intended to secure the homeland.”

The American Bankers Association supports the resolution of disapproval, arguing that the SEC rule would expose businesses targeted by cyberattacks to further attacks by making that information public. “No industry is as committed as the banking industry to protecting customers and their data from cyberattack, and banks are already required to report any hack to their primary regulator and notify their customers if their data is stolen,” ABA EVP Kirsten Sutton said. “The SEC’s rule could actually make things worse by publicly identifying the business that’s been hacked and inviting other bad actors to target the same business.”