Inside Cybersecurity

April 20, 2024

Stakeholders eye role of independent regulators on cyber incident reporting rules

By Charlie Mitchell / March 27, 2023

Actions by independent regulators to set cyber incident reporting requirements are “distracting” and imposing undue burdens on the private sector, industry witnesses stressed at a recent House hearing, while sources continue to cite particular concerns over a pending SEC cyber rule.

“I hope that the executive branch will work very hard to impress upon the Securities and Exchange Commission any concerns that the agency is out of step with the consensus approach being pursued for incident reporting and voluntary cooperation,” Wiley Rein partner Megan Brown told Inside Cybersecurity. “Punitive measures and aggressive second guessing of victims is unhelpful.”

The SEC recently proposed three new cyber rules that raised concern from GOP commissioners about regulatory over-reach. But a separate pending SEC proposal that would set cyber incident reporting and risk management rules for all publicly traded companies is especially troubling for industry stakeholders. SEC has said it intends to finalize the rule this spring.

Megan Brown, Partner, Wiley Rein

Industry critics say this rule will conflict with the Cybersecurity and Infrastructure Security Agency’s implementation work on the 2022 Cyber Incident Reporting for Critical Infrastructure Act. But SEC’s “posture seems to suggest they are not backing down,” another source said.

In addition to the SEC proposal, the Federal Communications Commission is accepting reply comments through today on an incident reporting proposal.

“We have two key lines of interest” on the SEC rule at this point, an industry source said. “Will the timing slip and if so, by how much? And will the SEC revise the rulemaking to allow for delays to work with law enforcement, among other tweaks?”

The source said, “If the SEC would negotiate, like Congress does, a workable rule could be acceptable to many.”

At Thursday’s House Homeland Security cyber subcommittee hearing, new Chairman Andrew Garbarino (R-NY) queried witnesses on “deconflicting” and harmonizing cyber regulation.

Heather Hogsett of the Bank Policy Institute noted that most of her sector’s regulators are independent agencies and said that’s an area “where Congress can help.” She said overlapping and repetitive requirements are creating “a strain” that pulls away from security efforts.

Agency actions to “layer on” more requirements “can’t continue,” she said, telling Garbarino that the financial sector has reached out to the Biden administration to discuss ways to encourage “regulatory reciprocity” across agencies.

Hogsett and CrowdStrike’s Drew Bagley both touched on the role of independent regulators in their prepared testimony on the upcoming CISA incident reporting rule.

“This is a significant undertaking that CISA must get right from the outset and will require extensive coordination with critical infrastructure entities, SRMAs, other government agencies and independent regulators,” Hogsett said. “CISA should ensure that definitions, timelines, thresholds and required incident information are aligned with existing requirements and designed to avoid interfering with response and mitigation at an affected firm.”

Bagley noted, “Even as CIRCIA advances through rulemaking, independent regulators are pursuing new obligations and the National Cybersecurity Strategy foreshadows additional actions at the sector-level. Each of these measures is well-intended, but taking place simultaneously and with different stakeholders. At best, they will close longstanding gaps and strengthen national resilience.”

“At worst,” Bagley said, “they risk yielding burdensome, distracting, and costly compliance obligations without additional security gains. Optimizing for the former is among the most important challenges the cybersecurity policy community faces at this time. Our hope is that continued collaboration between potential regulators and/or muscular harmonization efforts will help avert worse outcomes.”

– Charlie Mitchell (cmitchell@iwpnews.com)