CoC Asks SEC for More Time to Implement Cyber Reporting Rule

Businesses need more time to implement the required cybersecurity incident reporting rules and cybersecurity practices proposed by the Securities and Exchange Commission (SEC), the U.S. Chamber of Commerce (CoC) argued in an open letter to SEC Chair Gary Gensler.

As of September 5, 2023, according to the regulations, public companies will be required to promptly report “material cybersecurity incidents” to the SEC within a four-day period from the time of discovery.

The letter, written by the CoC’s Tom Quaadman, executive vice president of the Center for Capital Markets Competitiveness, and Christopher Roberti, senior vice president of cyber, intel and supply chain security policy, argues the SEC chose “speed over accuracy” and failed to account for business concerns.

“The rule as it stands will degrade investor protection, capital formation and competition,” the letter states. “It is imperative for companies to fully understand how the SEC intends to administer these provisions given that many registrants are expected to comply with aspects of the rule by December 2023.”

The core of the letter’s complaint is that cybersecurity incidents are, for obvious reasons, difficult to predict, which means the SEC will be limited in how fully it can articulate a plan for implementing the rules.

Casey Ellis, founder and CTO at Bugcrowd, said that while these concerns are valid, the alternative at the other extreme is the current state of almost complete opacity, which prevents shareholders from managing their own risk, and enabling them to do so is ultimately the SEC’s core objective.

“One could argue that destabilizing confidence in the public financial system also has pretty hefty national security consequences,” he said. “Therefore, there’s definitely a balance that needs to be struck here, but where this balance lies will be unique to each incident and is likely to ‘come out in the wash.’”

Ellis pointed out one particular speed-versus-accuracy clash surrounding the four-day reporting window.

From his perspective, too short a window between discovery and the obligation to disclose could tip off attackers, allowing them to deploy anti-forensic measures to avoid attribution and capture.

“I will say that categorically, regulation is almost always met with opposition,” added Timothy Morris, chief security advisor at Tanium. “Rarely does everyone cheer, ‘Yay, more regulations!’ All regulations place burdens upon entities, but they typically emerge because self-regulation didn’t work.”

He noted that, in the case of cybersecurity and national security, it is a catch-22. Law enforcement must be notified so they can help, yet notification “may” make the reporting entity more vulnerable to further attack, especially in cases involving nation-state actors.

“It seems that the Chamber’s biggest complaint is that the cost or risk doesn’t outweigh the benefits of the newly announced reporting requirements,” he said.

Ellis noted that anything vague and unworkable is inherently more difficult to get right.

“Given the kind of stick the SEC can wield, I presume this is what the Chamber is most concerned about,” he said. “Things like the definition of an ‘incident’ under the rules, for example, leave a lot of room for interpretation, which can lead to a fear of making mistakes that fall on the wrong side of the intent of the rules.”

He said that the enumeration of severe consequences in the letter seems to mostly point to the fact that interagency cooperation tends to be slower than the kind of timelines set out in the SEC rules.

“Especially if it is determined that the incident constitutes a national security issue and homeland and/or the intelligence community get involved, although this is more of an operational consideration than a severe consequence in and of itself,” he said.

Ellis suggested that by reading between the lines, a “severe consequence” would be filing a Form 8-K and later finding out that it was unnecessary to do so.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
