Business Lobby Struggles to Thwart SEC Cybersecurity Disclosure Rules

(Bloomberg) — Business lobbyists are struggling to soften new US Securities and Exchange Commission rules that require publicly traded companies to quickly disclose cybersecurity breaches.

The Justice Department is planning to issue guidance by December on how firms can get exemptions from the new SEC regulations, according to an agency official, who asked not to be identified discussing internal deliberations. Companies will only rarely be able to delay making an incident public due to national security and public safety concerns, the person said. 

The US Chamber of Commerce had been seeking a 12-month delay to the rules and other changes to the regulations finalized last month by the SEC. Under the rules, publicly traded companies will later this year have to start disclosing cyber incidents within four business days of determining they are material to shareholders.  

The Wall Street regulator, however, said businesses could delay that by as long as four months if the US attorney general determines that disclosure would pose risks to public safety or national security. That process has come under fire from the Chamber.  

In an Aug. 14 letter to SEC Chair Gary Gensler, the Chamber argued that key parts of the procedures created by the SEC rule were “vague and unworkable.” The trade group also said the agency should delay the rule’s effective date by 12 months, and that the Justice Department may not be best positioned to determine if a disclosure poses a national security risk because other federal agencies often lead work relating to big cyber incidents. 

In response to a question about the Chamber’s criticism, a Justice Department spokesperson referred to the Biden administration’s March national cybersecurity strategy, which says the department has the lead government role for cyber incident threat response efforts. The SEC declined to comment on the letter and other criticism of the rule.

The Justice Department official said the mechanism and procedures for seeking an exception from the rule are still being finalized and should be worked out by the time the reporting would need to start in December. The person added that the Justice Department was consulting with other government agencies on its plan, and officials inside the department considered themselves well-positioned to make a determination of whether to allow a delay on national security grounds, contrary to the Chamber’s contentions.

A reporting delay could be triggered if making an incident public could alert a nation-state adversary that a cyber intrusion compromising critical infrastructure had been detected while the US government was still seeking to fix or block it, said the official. 

Tom Quaadman, executive vice president of the Center for Capital Markets Competitiveness at the Chamber, said the group would continue to push back on the new regulations. “The Chamber stands by its request for a delay and a collaborative process to address the numerous flaws in the SEC’s cyber rule,” he said in an emailed statement.

©2023 Bloomberg L.P.