Garbarino, Tillis Introduce Joint Resolution For The Disapproval of Overreaching SEC Rule

November 14, 2023

The duplicative rule conflicts with existing cybersecurity disclosure rules and puts investor interests above homeland security

WASHINGTON, D.C. - Congressman Andrew R. Garbarino (R-NY-02), Chairman of the Cybersecurity and Infrastructure Protection Subcommittee of the House Homeland Security Committee and a Member of the House Financial Services Committee, introduced a Congressional Review Act (CRA) resolution to overturn the Securities and Exchange Commission’s (SEC) cyber disclosure rule. U.S. Senator Thom Tillis (R-NC), a Member of the Senate Committee on Banking, Housing, and Urban Affairs, introduced the companion CRA resolution in the Senate.

"This cybersecurity disclosure rule is a complete overreach on the part of the SEC and one that is in direct conflict with congressional intent. CISA, as the lead civilian cybersecurity agency, has been tasked with developing and issuing regulations for cyber incident reporting as it relates to covered entities. Congress has been clear in its intent to harmonize federal incident reporting requirements, a position that the Biden Administration has emphasized as well. Despite this, the SEC took it upon itself to create duplicative requirements that not only further burden an understaffed cybersecurity workforce with additional and unnecessary reporting requirements, but also increase cybersecurity risk without a congressional mandate and in direct contradiction to public law that is intended to secure the homeland. This CRA resolution will reinforce the congressional intent of CIRCIA and ensure that the SEC rule no longer poses a danger to our homeland," said Rep. Garbarino.

Rep. Garbarino questioned SEC Chairman Gary Gensler about the rule during a September House Financial Services Committee hearing entitled, "Oversight of the Securities and Exchange Commission." The exchange can be watched here.

“As we have continuously seen, Gary Gensler’s SEC is doing their best to hurt market participants by overregulating firms into oblivion,” said Senator Tillis. “I am proud to co-introduce the Resolution of Disapproval to strike down this overreaching rule that creates unrealistic timelines and unnecessary red tape that will ultimately make markets less safe overall.”

“We support Congressman Garbarino and Senator Tillis’s commitment to strengthening national cybersecurity and holding regulators accountable for facilitating that goal. Banks strongly support sharing information on cyber threats and are in ongoing contact with regulators and government agencies following an incident. We believe there are better ways to promote transparency, protect investors and mitigate contagion risk than by publicly sharing detailed vulnerability information with criminals and hostile nation states while remediation is ongoing,” said Heather Hogsett, Senior Vice President of Technology and Risk Strategy for BITS, the technology policy division of the Bank Policy Institute.

“Fighting cyberattacks is critically important, but the new cyber disclosure rule could force important information to be reported before the problem is fixed and could interfere with the efforts by law enforcement and intelligence agencies to stop attackers. We believe it is out of sync with what Congress and the Administration have worked to achieve. We thank Representative Garbarino for his leadership in introducing this Congressional Review Act resolution on the cybersecurity disclosure rule,” said Christopher Roberti, Senior Vice President for Cyber, Space, and National Security Policy at the U.S. Chamber of Commerce.

“We appreciate Rep. Garbarino and Sen. Tillis’ legislative efforts to block the SEC’s mandatory breach disclosure rule from taking effect,” said Kirsten Sutton, Executive Vice President of Congressional Relations and Legislative Affairs for the American Bankers Association. “No industry is as committed as the banking industry to protecting customers and their data from cyberattack, and banks are already required to report any hack to their primary regulator and notify their customers if their data is stolen. The SEC’s rule could actually make things worse by publicly identifying the business that’s been hacked and inviting other bad actors to target the same business. We urge lawmakers to support the joint resolution of disapproval sponsored by Rep. Garbarino and Sen. Tillis and force the SEC to rethink this ill-conceived rule.”

Representatives Ann Wagner (R-MO-02), Andy Barr (R-KY-06), and Zach Nunn (R-IA-03) joined Rep. Garbarino as original cosponsors in the House. The full text of the bill can be found here.

Background

On July 26, 2023, the SEC adopted the "Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure" final rules. The new disclosure rules require registrants to publicly disclose, on the new Item 1.05 of Form 8-K, any cybersecurity incident they determine to be material; to describe the material aspects of the incident's nature, scope, and timing; and to describe its material impact or reasonably likely material impact on the registrant, including on its financial condition and results of operations. The registrant must file this disclosure within four business days after it determines that a cybersecurity incident is material, and the rule directs that the materiality determination itself be made without unreasonable delay after discovery of the incident. The only provision for delay is a determination by the Attorney General that immediate disclosure would pose a substantial risk to national security or public safety. Additionally, the rules add Regulation S-K Item 106, which requires a registrant to describe its processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, and to describe whether any risks from cybersecurity threats, including from previous incidents, have materially affected or are reasonably likely to materially affect its business strategy, results of operations, or financial condition.

The SEC’s cybersecurity disclosure rules are in direct conflict with the congressionally mandated Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which is currently being implemented by the Cybersecurity and Infrastructure Security Agency (CISA). Signed into law in March 2022, CIRCIA requires CISA to develop and issue regulations requiring covered entities to report any covered cyber incident to CISA within 72 hours of the time the entity reasonably believes the incident occurred; that rulemaking is still in development. Unlike the SEC filing, a CIRCIA report goes to CISA rather than to the public. CIRCIA also established the Cyber Incident Reporting Council (Council) at the Department of Homeland Security (DHS) to coordinate, deconflict, and harmonize federal incident reporting requirements. By giving CISA and DHS these directives, Congress solidified its intent that CISA is the lead Federal agency for cybersecurity and should be the primary intake point for cyber incident reports. While CIRCIA aims to equip CISA with incident information so it can offer technical assistance, mitigate impacts for other organizations, and ultimately identify trends to protect the homeland, the SEC rules aim to increase transparency for investors.

Greater transparency around cybersecurity risk management, strategy, governance, and material cybersecurity incidents can increase resilience. However, public disclosure of ongoing incidents risks opening registrants up to further attacks. While the final rule narrows what must be disclosed compared with the proposal (a registrant need not describe technical details of its systems or vulnerabilities that would impede its response or remediation), publicly reporting even the existence of a material incident before it is remediated has the same effect as disclosing a vulnerability before a patch exists: it tells attackers that a named organization is compromised and still exposed, and invites them to exploit that weakness for themselves.

###