At first glance, the new SEC rules make sense. Their increased disclosure requirements will create transparency and awareness across industries and drive corporate discussions on cyber risk.
But, as Chris Krebs, the author of this Financial Times opinion piece, argues, the new rules are redundant and misdirected. In 2022, the US Congress tasked the Cybersecurity and Infrastructure Security Agency (CISA) with developing incident notification regulations. Congress made it clear that CISA is the lead civilian agency for cybersecurity, and that reporting of cyber incidents should go there. The new SEC rules can now mean that companies have to report incidents to two federal regulatory authorities: the SEC and CISA.
The SEC rules could lead to a reporting mess as a result of jurisdictional turf battles. Over the past decade, almost every major executive branch department has set up a cybersecurity office, which has made it harder, not easier, to work with the government on cybersecurity issues. Companies are increasingly unclear whether they should call the SEC, CISA, the FBI, the NSA, the Department of Energy or the White House.
The author of the FT article argues that the SEC should suspend its incident reporting requirements and defer to Congress and CISA. The remaining periodic disclosure requirements on cybersecurity risk and governance processes could still remain in place. In addition, Congress should hold developers of technology to account for implementing security-by-design principles.
Over the long term, Congress should implement a one-stop shop for cybersecurity: a central civilian agency to lead on cybersecurity risk management issues.