The U.S. Supreme Court ruling Friday to overturn the Chevron doctrine could have major implications on the cybersecurity regulatory landscape at a time when federal agencies have enacted significant requirements designed to strengthen incident reporting and meet baseline security standards.
The ruling will likely lead to new legal challenges against recent cybersecurity regulatory measures, including the 2023 cyber incident reporting requirements from the Securities and Exchange Commission, according to the Center for Cybersecurity Policy and Law.
The Supreme Court ruling could impact rulemaking on the Cyber Incident Reporting for Critical Infrastructure Act, too, according to the CCPL. Officials see the potential for the ruling to impact baseline requirements for the healthcare industry or future efforts by the Environmental Protection Agency to mandate cybersecurity rules for drinking and wastewater treatment utilities.
The Chevron doctrine stems from a 1984 case, Chevron U.S.A. v. Natural Resources Defense Council, which set the precedent for courts to yield to the expertise of federal agencies to interpret ambiguities in a statute.
The Supreme Court ruling involved Loper Bright Enterprises v. Raimondo and alongside a second case, Relentless v. Department of Commerce.
The U.S. Chamber of Commerce called the Supreme Court ruling an “important course correction” that will help create a more stable and predictable business environment.
SEC cyber rules in the hot seat
The SEC rule passed in 2023 requires publicly traded companies to report cybersecurity incidents to the agency within four business days of determining their materiality. Companies must file annual updates that outline their strategies for how to mitigate cyber risk.
In October, the SEC also filed suit against SolarWinds alleging the company and its CISO defrauded investors by failing to disclose its true cybersecurity risk leading up to the 2020 supply chain hacks by state-linked hackers.
The Chamber of Commerce and Business Roundtable filed briefs in the SolarWinds case arguing the SEC had expanded its authority in the case far beyond the original intent of Congress.
Legal and cybersecurity experts are still evaluating what the impact of the Chevron doctrine ruling will be on future regulations. However, Brandon Pugh, director of cybersecurity and emerging threats at the R Street Institute, said the ruling will force federal officials to rethink how they approach future cyber regulations to make sure they don’t create an overly burdensome environment for critical infrastructure and industry partners.
“I think it may give agencies more pause to think about their legal justification, and perhaps look to Congress for more authority in the cases of ambiguity,” Pugh said in an interview.
Officials from the SEC and the Office of the National Cyber Director declined to comment for the story.
Correction: This story has been updated to reflect the Supreme Court case was Chevron U.S.A. v. Natural Resources Defense Council.