The White House announced this week that President Biden would veto Republican lawmakers’ attempt to overturn the Securities and Exchange Commission’s recently implemented cyber incident disclosure rules.
The rules, which went into effect on December 18, 2023, require public companies to disclose any material breach within four business days of determining that it has material impact.
The goal of the rules is to provide investors with timely and consistent information on potentially costly cybersecurity incidents.
However, some have argued that the information companies need to disclose could actually be helpful to attackers.
In addition, Republican lawmakers complained that disclosing an incident too early with incomplete or inaccurate information will actually harm investors. They also noted that the rules are in direct conflict with existing incident reporting requirements.
Some of these lawmakers filed a resolution in an effort to overturn the SEC rules, and the Biden administration said this week that it’s determined to veto the resolution.
“Greater transparency about cyber incidents, as required in the SEC’s rule, will incentivize corporate executives to invest in cybersecurity and cyber risk management. Moreover, publicly-traded companies have a fiduciary duty to inform their investors of material cybersecurity incidents—as they do for all adverse events—that could be reasonably expected to affect corporate operations, brands, and share prices,” the White House argued.
“Reversing the SEC’s rulemaking would not only disadvantage investors who deserve to have a clear understanding of the cyber risk underlying their investment but would also cause companies to undervalue investments in cyber programs to the detriment of our economic and national security,” it added.
[ Read: Align Your Incident Response Practices With New SEC Disclosure Rules ]
The SEC shared some important clarifications before the rules went into effect, pointing out that the information companies need to share is limited and it would not have to include any technical or specific information about their incident response, systems or potential vulnerabilities, which could be useful to attackers.
In addition, companies can delay the disclosure if there is substantial risk to national security or public safety.
Related: Industry Reactions to New SEC Cyber Incident Disclosure Rules: Feedback Friday
Related: Ransomware Group Files SEC Complaint Over Victim’s Failure to Disclose Data Breach