Biden Will Veto Efforts to Spike SEC Breach Disclosure Rule Security Boulevard
President Biden is warning Congressional Republicans that he will veto any attempt to overturn the Securities and Exchange Commission's (SEC) new requirement that public companies disclose cybersecurity incidents.

In a brief policy statement this week, the White House said that public companies not reporting cyberattacks that disrupt their operations not only harms investors, who should know about incidents that could hurt their investments, but also encourages more attacks.

"Ransomware attacks are up 45 percent year over year. The lack of transparency by public companies about cyber incidents impacting their operations and data is fueling increasing cyberattacks across all sectors and all industries," the Office of Management and Budget wrote in the statement. "Greater transparency about cyber incidents, as required in the SEC's rule, will incentivize corporate executives to invest in cybersecurity and cyber risk management."

Biden's veto threat comes as S.J. Res. 50, introduced by GOP senators in November 2023, and a companion resolution drawn up by Republicans in the House of Representatives wend their way through Congress.

Both look to scuttle the new rule, which went into effect in December and requires publicly traded companies to report a breach within four business days of the affected company determining that the incident is material. As noted by consulting giant PwC, with the disclosure rule the SEC puts the onus on companies to give investors current, consistent and decision-useful information about how they manage their cyber risks.

The rule, when adopted last year, was met with both praise and criticism. Some said it was important to ensure that both customers and investors get as much clarity as possible about cyberattacks, with John Pirc, vice president at cybersecurity firm Netenrich, telling Security Boulevard as the rule went into effect that "by mandating timely disclosure of material cybersecurity incidents and the requirement for detailed annual reporting on risk management strategies, these rules bring clarity and standardization to how public companies report cybersecurity issues."

Others complained that the rule will be expensive for companies to comply with and could open them up to more risk by forcing them to disclose information about both the attack and how the company responded.

The lawmakers pushing the Senate and House resolutions called the rule an overreach by the SEC and argued that it infringes on the responsibilities of the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

"Congress has been clear in its intent to harmonize federal incident reporting requirements, a position that the Biden Administration has emphasized as well," Rep. Andrew Garbarino (R-NY), one of the House resolution's sponsors, said in a statement when introducing it. "Despite this, the SEC took it upon itself to create duplicative requirements that not only further burden an understaffed cybersecurity workforce with additional and unnecessary reporting requirements, but also increase cybersecurity risk without a congressional mandate and in direct contradiction to public law that is intended to secure the homeland."

Sen. Thom Tillis (R-NC), the sponsor in the Senate, said in a statement that "as we have continuously seen, Chair Gary Gensler's SEC is doing their best to hurt market participants by overregulating firms into oblivion."

That said, on the same day that the White House put out its statement, Tillis reportedly said he wouldn't ask for a vote on the resolution given Biden's veto threat.

"I'm not here for a show vote," Tillis said, according to news site Politico Pro. "Even if it could pass, it'll get vetoed."

At this point, he is hoping the introduction of S.J. Res. 50 and the arguments from lawmakers about their objections will convince Gensler that "they need to reopen it. They need to get additional comments. They need to fix the vulnerabilities."

Over the past few weeks, several top-tier companies have reported cyberattacks. Both Microsoft and HPE reported that the Russia-linked espionage group APT29, also known as Cozy Bear, Midnight Blizzard and Nobelium, had hacked into their corporate systems.

Others reporting attacks to the SEC include Mr. Cooper Group, Fidelity National Financial and Johnson Controls International.

It's unclear whether the new disclosure rule influenced the companies' decisions to report the incidents, though such transparency should be expected now that the rule is in place.

Image courtesy of DonkeyHotey (CC BY-SA): https://www.flickr.com/photos/donkeyhotey/53033698572

Jeffrey Burt has been a journalist for more than three decades, writing about technology since 2000. He's written for a variety of outlets, including eWEEK, The Next Platform, The Register, The New Stack, eSecurity Planet and Channel Insider.