Controversial rules proposed by the U.S. Securities and Exchange Commission (SEC) which would force publicly traded companies to report cybersecurity incidents days after they surface would benefit investors and “the broader cybersecurity ecosystem,” according to a new report from a prominent think tank.
Many industry insiders have complained that the SEC’s proposed regulations could negatively impact national security and would likely be redundant with the new reporting requirements laid out in the soon-to-be-implemented 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).
Reflecting the controversy over the proposal, the SEC on Thursday pushed its deadline for the final incident reporting rule to October. It was initially supposed to be finalized in April.
A report published Wednesday by the Atlantic Council’s Cyber Statecraft Initiative asserts that the SEC’s proposed rules — requiring incident disclosure within four days — substantially differ from CIRCIA regulations. It also argues that concerns over the SEC’s proposed timeline for implementation and fears over national security risks can be easily overcome.
Additionally, the rules would help investors make decisions and create “publicly accessible and standardized data about cyber incidents.”
The fact that the SEC would require widely applicable standardized reporting and stronger transparency than what is currently required “would benefit the overall health of the cybersecurity ecosystem by improving information asymmetries in the cybersecurity market for companies and consumers, allowing regulators to more efficiently employ existing policy tools,” the report argues.
However, business and industry leaders, along with some cybersecurity firms, have expressed intense opposition to the new rules.
A letter to the SEC filed by nearly three dozen industry associations — including the U.S. Chamber of Commerce, the Consumer Technology Association, and the Securities Industry and Financial Markets Association — lambasts the proposed rule, arguing that it creates confusion about how industry should report cybersecurity incidents and risks allowing hackers to escalate attacks.
“The proposed rules could result in undermining cybersecurity by forcing companies to disclose incident information prior to the mitigation of vulnerabilities,” the letter states. “Detailed public disclosures could give cybercriminals and state-backed hackers a trove of data to further victimize companies, harm law enforcement investigations, and disrupt public-private responses to cyberattacks.”
The letter also argues that investors will suffer under the proposed rule.
Rapid7, a cybersecurity company, told the SEC that “public disclosure of an unmitigated or uncontained cyber incident will likely lead to attacker behaviors that cause additional harm to investors,” including by possibly leading to further attacks. Rapid7 also warned that the quick-turnaround public disclosure rules could lead to “copycat” attacks.
But the Atlantic Council report argues these concerns are easily overcome if the SEC allows companies to delay reporting “uncontained” cyber incidents, provided that a firm 30-day deadline for reporting applies in such cases.
The report also argues that companies could delay notification when reporting would negatively impact national security. It suggests that the Attorney General or CISA could confirm the risks of a faster turnaround time in such incidents.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.