The Biden administration came out forcefully this week against a congressional effort to undo the U.S. Securities and Exchange Commission’s recently adopted rule requiring public companies to disclose cybersecurity incidents.
President Joe Biden would veto the joint resolution, S.J. Res. 50, if it comes to his desk, the administration said Wednesday in a policy statement.
The legislation, which would disapprove the SEC’s authority to require companies to quickly disclose material cyber incidents and to describe how they manage cyberthreats in annual reports, was introduced by Republican senators in November alongside a companion resolution by House Republicans.
Though the rules took effect in September, enforcement for the SEC rule, which requires companies to report material cyber incidents within four business days of determination, began in December. Already, businesses are detailing corporate cyber governance and industry has seen a stream of cyberattack disclosures.
“Ransomware attacks are up 45% year over year,” the White House said. “The lack of transparency by public companies about cyber incidents impacting their operations and data is fueling increasing cyberattacks across all sectors and all industries. Greater transparency about cyber incidents, as required in the SEC’s rule, will incentivize corporate executives to invest in cybersecurity and cyber risk management.”
In the last couple of weeks, Microsoft and HPE reported attacks by the Russia-affiliated and suspected state-sponsored threat actor Midnight Blizzard, which gained access to both companies’ corporate data.
Other cyber incident disclosures filed with the SEC include attacks against Johnson Controls International, VF Corp., Mr. Cooper Group, Fidelity National Financial and loanDepot.
To date, most incident disclosures have detailed that organizations are still determining whether an incident is material.
The initial impact of the SEC rule has been muted and hasn’t resulted in an avalanche of disclosures, said Katell Thielemann, VP distinguished analyst at Gartner.
“These disclosures are all rearview mirrors, so their value as a defensive measure is quite limited,” Thielemann said via email. “But one undeniable byproduct is that cybersecurity is now being discussed at senior levels, because materiality discussions take place with boards, CEOs, CFOs and general counsels.”
The SEC’s cyber incident disclosure requirement is attracting the most opposition thus far, but the cyber governance reporting mandate just recently kicked in for companies filing annual reports for fiscal years ending on or after Dec. 15.
The sponsors of the bill who introduced the joint resolution in their respective bodies, Sen. Thom Tillis, R-N.C., and Rep. Andrew Garbarino, R-N.Y., said the SEC rule conflicts with existing cybersecurity disclosure rules and prioritizes investors over homeland security.
“This cybersecurity disclosure rule is a complete overreach on the part of the SEC,” Garbarino said in a statement.
The effort to roll back the SEC rule is also supported by the U.S. Chamber of Commerce, the American Bankers Association and the Bank Policy Institute.
Public companies can request incident disclosure delays if a filing poses a significant threat to public safety or national security.
The relevant information on material risks contained in these SEC disclosures is paramount for investors to make well-informed decisions, said Alla Valente, senior analyst at Forrester.
“If you were betting on a football game, wouldn’t you want to know that the quarterback has an injury that would materially impact his ability in the game? Wouldn’t you want to know that before you placed your bet?” Valente said.
The White House said a reversal of the SEC’s rulemaking would disadvantage investors and cause companies to undervalue investments in cyber programs to the detriment of economic and national security.
The SEC did not respond to a request for comment.
“Disclosures are critical for transparency, support knowledge-sharing among organizations, and can help law enforcement efforts,” Valente said.
“Ultimately, as technology continues to evolve, cybersecurity will continue to play a significant role in securing innovation,” Valente said. “Cybersecurity requirements need to keep up.”