The U.S. Chamber of Commerce urged the Securities and Exchange Commission to delay by a year the effective date of new cybersecurity rules, saying the current regulatory plan needs tweaks to avoid “severe consequences” for companies.
Under the rules, which are set to go into effect on Sept. 5, public companies will need to disclose “material cybersecurity incidents” to the SEC within four business days of determining that such an incident is material. Among other problems, the rules create “vague and unworkable” procedures while also leaving key national security questions unresolved, two of the business lobbying group’s top leaders said in a letter to SEC Chair Gary Gensler on Monday.
“The SEC has chosen speed over accuracy, ignored the role of nation-state actors, and is forcing businesses to choose between disclosure and national security,” wrote Tom Quaadman, senior vice president of the Chamber’s Center for Capital Markets, and Christopher Roberti, the group’s senior vice president of cyber, intel, and supply chain security policy. Many of the chamber’s concerns could have been addressed through “historic deliberative processes used by the SEC for decades — such as roundtables and more extensive comment periods,” the letter said.
Previously, cybersecurity risk and incident disclosures in SEC reports were informed primarily by agency staff guidance published in 2011 and commission-level guidance published in 2018, according to a client alert published Friday by law firm WilmerHale.
“The new rules will significantly affect the way public companies disclose cyber incidents and matters relating to their cybersecurity oversight,” the alert said.
The implementation dates under the new rules are “extremely tight,” the firm said. In general, covered companies other than smaller reporting companies will be required to comply with the new incident disclosure requirements beginning on Dec. 18. Smaller reporting companies will be subject to these mandates as of June 15 of next year.
Under the rules, breach disclosures can be delayed if the Department of Justice determines the incident poses a substantial risk to national security or public safety.
“Yet the Rule fails to address several commenters’ reservations regarding the Department of Justice (DOJ) making this determination,” Quaadman and Roberti said in their letter. “It is impossible to predict the timing, scope, and circumstances surrounding material cyber incidents, which can affect individual companies or groups of companies across industries.”
They added that DOJ may not be in the best position to determine whether a disclosure poses a national security risk given that other federal agencies typically take the lead when it comes to major cyber incidents.
“The SEC dismissed, or ignored, these concerns in the adopting release without adequate justification,” they wrote.
In addition to requesting a 12-month implementation delay, the chamber urged the SEC to take several other steps, including holding a roundtable with general counsels, chief information officers, investors and other stakeholders to identify the “foreseen and unforeseen adverse consequences” of the rules; clarifying the agency’s “broad” definition of cyber incident; and developing guidelines with DOJ on delayed reporting.
A spokesperson for the SEC declined to comment.
The chamber is weighing other options it could pursue if concerns raised in the letter are ignored, Quaadman said in an interview. “Our job is to get to the right outcome. Litigation is a possibility, but it is always a last resort,” he said, adding that it wouldn’t be the first time the chamber has taken on the SEC in court.
In May, the chamber sued the commission after it adopted new rules requiring public companies to provide more details on stock buybacks.
The SEC under President Joe Biden has increasingly been at odds with the business community and congressional Republicans amid a flurry of controversial rulemaking activities touching a wide range of subject areas. Besides cybersecurity and stock buybacks, the list has included climate change, corporate board diversity, and digital asset trading platforms.
“In the past two years, the commission has proposed 53 new rules at a breakneck pace,” House Financial Services Committee Chairman Patrick McHenry (R-N.C.) said during an SEC oversight hearing convened by the panel in April. “This raises serious concerns that the rulemaking process is being rushed, undermining the quality of our securities laws and risking negative unintended consequences.”
The commission’s cybersecurity rules were adopted last month on a party-line 3-2 vote, following public comments on a proposed package in 2022.
Besides mandating disclosure of material cybersecurity incidents on Form 8-K, the final rules also require public companies to describe on Form 10-K their board of directors’ oversight of cybersecurity risks.
The final rules dropped some contentious proposed provisions, including one that would have required disclosure of any board expertise related to cybersecurity.
“While the Chamber appreciates some of the changes made to the March 2022 proposal, the SEC was dismissive of important issues raised by the Chamber and others,” Quaadman and Roberti said in their letter.