Connect with us

Hi, what are you looking for?



Biden to Veto Attempt to Overturn SEC Cyber Incident Disclosure Rules

President Biden would veto Republican lawmakers’ attempt to overturn the SEC’s recent cyber incident disclosure rules. 

SEC Breach Disclosure Rules

The White House announced this week that President Biden would veto Republican lawmakers’ attempt to overturn the Securities and Exchange Commission’s recently implemented cyber incident disclosure rules.

The rules, which went into effect on December 18, 2023, require public companies to disclose any material breach within four business days of determining that it has material impact. 

The goal of the rules is to provide investors with timely and consistent information on potentially costly cybersecurity incidents. 

However, some have argued that the information companies need to disclose could actually be helpful to attackers. 

In addition, Republican lawmakers complained that disclosing an incident too early with incomplete or inaccurate information will actually harm investors. They also noted that the rules are in direct conflict with existing incident reporting requirements.

Some of these lawmakers filed a resolution in an effort to overturn the SEC rules, and the Biden administration said this week that it’s determined to veto the resolution.

“Greater transparency about cyber incidents, as required in the SEC’s rule, will incentivize corporate executives to invest in cybersecurity and cyber risk management. Moreover, publicly-traded companies have a fiduciary duty to inform their investors of material cybersecurity incidents—as they do for all adverse events—that could be reasonably expected to affect corporate operations, brands, and share prices,” the White House argued. 

“Reversing the SEC’s rulemaking would not only disadvantage investors who deserve to have a clear understanding of the cyber risk underlying their investment but would also cause companies to undervalue investments in cyber programs to the detriment of our economic and national security,” it added. 

Advertisement. Scroll to continue reading.

[ Read: Align Your Incident Response Practices With New SEC Disclosure Rules ]

The SEC shared some important clarifications before the rules went into effect, pointing out that the information companies need to share is limited and it would not have to include any technical or specific information about their incident response, systems or potential vulnerabilities, which could be useful to attackers.

In addition, companies can delay the disclosure if there is substantial risk to national security or public safety.

Related: Industry Reactions to New SEC Cyber Incident Disclosure Rules: Feedback Friday

Related: Ransomware Group Files SEC Complaint Over Victim’s Failure to Disclose Data Breach

Related: SEC Says X Account Hacked via SIM Swapping

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.


US National Cybersecurity Strategy pushes regulation, aggressive 'hack-back' operations.


Private equity giant plans to buy Forcepoint’s Global Governments and Critical Infrastructure (G2CI) business unit for $2.5 billion.


Companies have announced securing billions of dollars in cybersecurity-related contracts with the United States government in 2022.


The proposed UK Online Safety Bill is the enactment of two long held government desires: the removal of harmful internet content, and visibility into...


CISA has described and published a set of principles for the development of security-by-design and security-by-default cybersecurity products.

Cloud Security

Redmond is accused of “negligent cybersecurity practices” that enabled a successful Chinese hack of the United States government.


TSA instructs airport and aircraft operators to improve their cybersecurity resilience and prevent infrastructure disruption and degradation.