The House Financial Services Committee has moved forward with a resolution, along party lines, to overturn a controversial SEC rule that requires certain companies to disclose cybersecurity incidents.
The rule affects public companies and mandates that they disclose significant cybersecurity incidents that affect their bottom line within a 4-day timeframe of discovering them.
The SEC approved the contested rule last July, citing transparency for investors. Opponents of the rule, however, describe it as an overreach of the agency’s authority. They also claim that revealing sensitive business information of this type highlights companies’ vulnerabilities, potentially attracting more hackers.
“Disclosing such information potentially compromises the confidentiality of a company’s cybersecurity programs and reveals details such as the scope and frequency of testing, nature of third-party systems and specific remediation activities,” said Rep. Andrew Garbarino (R-NY), the lead sponsor of the House resolution.
It’s unclear whether the resolution will advance further. It needs approval from both the full House and the Senate before it can proceed to President Joe Biden’s desk. But the White House has already said that it supports the SEC rule and that Biden would veto any attempt to overturn the agency’s regulation.
Despite the White House’s statement, Garbarino believes that private sector opinions on the rule might prompt the executive branch to reconsider.
Publicly traded companies started filing the required 8-K notices with the SEC on the first day, and these filings have continued steadily. Both Hewlett Packard and Microsoft have reported intrusions by suspected Russian state-backed hackers. Foreign companies with substantial US business have also filed similar 6-K notices.
There are exceptions under the SEC rule. Companies can delay disclosure by up to 60 days, and only under extraordinary circumstances can the delay extend beyond 60 days. The delay must be approved by the US Attorney General, who would need to determine that revealing information about the cybersecurity incident would “pose a substantial risk to national security or public safety.” The AG would also need to notify the SEC.