Businesses Seek to Soften SEC Cyber Rules

In comments on rules proposed by the SEC, businesses in recent days have urged the agency to harmonize its deadline of four business days to disclose security incidents with similar rules from other agencies. They also warned public disclosures could result in new compliance costs, additional confusion while responding to breaches and hits to their stock prices.

Some companies and security chiefs said in interviews and public comments on the proposals that they are broadly supportive of an SEC reporting regime, and provisions in the draft rules that help to fortify cybersecurity risk management.

“The regulators are saying that they need this consistent view of risk so that they can compare and contrast, and ensure that they’re delivering effective oversight of the organizations that they regulate, that they can calibrate that digital risk,” said David Reilly, who was chief information officer at

Bank of America Corp.’s

global banking and markets unit until November.

Listed companies have long been required to disclose risks and incidents they deem material to investors. But SEC officials have said in recent years that disclosures of cyber incidents have been spotty, necessitating more specific regulations for incident-response planning, board oversight and reporting of material hacks or breaches.

The SEC, which didn’t immediately respond to a request for comment, has taken a more aggressive approach to rulemaking under Chairman

Gary Gensler.

Many companies and lobbying groups filing comments on the proposals by Monday’s deadline want the SEC to coordinate its approach with a new law requiring critical-infrastructure operators to confidentially report incidents to the Cybersecurity and Infrastructure Security Agency within 72 hours. That statute aims to help U.S. officials exchange information with the private sector to respond to cyberattacks.

The SEC’s proposed rules, on the other hand, would require listed firms to file public reports in a bid to provide more information to investors.

Lobbying groups including the National Association of Manufacturers and the Chamber of Commerce, which both prefer CISA’s confidential approach, warn of an overlapping set of reporting requirements that could lead to risks such as litigation or additional cyber threats.

“We oppose the rulemaking in its current form,” said Christopher Roberti, senior vice president for cyber, space and national security policy at the U.S. Chamber of Commerce. “We’d like to see [the SEC] withdraw it or shelve it.”

Energy giant Chevron, meanwhile, warned in a comment last week that the SEC’s proposed public reporting regime could also complicate CISA’s attempt to analyze data shared by critical infrastructure firms and share it across the public and private sectors. Chevron and medical test company Quest Diagnostics called for the SEC to allow companies working with law enforcement to investigate incidents to delay their reporting.

CISA declined to comment. The SEC also declined to comment.

Others warned that public reports could provide hackers information while attacks are in progress. “If a registrant discloses that it is currently the victim of a material cyber incident, that would tip off the malicious actor that the registrant is aware they’re in the victim company’s systems,” said Henry Young, policy director at industry lobbying group BSA, The Software Alliance, which represents commercial software makers. That may prompt hackers to steal data faster, or speed up timelines on attacks such as ransomware strikes once tipped off, he said.

Ernst & Young and others also took issue with the SEC’s suggestion that companies report aggregate incidents once their collective impact is deemed material. Jerry Perullo, former chief information security officer of New York Stock Exchange owner

Intercontinental Exchange Inc.,

said the idea doesn’t reflect how cyber teams work to counter near-constant attempted cyberattacks, such as phishing emails.

“Should a security organization have some situational awareness of trends in what’s hitting them? Yes,” he said. “But that’s threat intelligence. You certainly don’t have to be calling up the SEC when something like this happens.”

However, intrusions can often start with small incidents, and what seems like an innocuous event may herald a more severe breach later, said

Cyrus Vance Jr.

, partner and global chair of law firm Baker McKenzie’s cybersecurity practice.

“I think it’s strong rulemaking,” said Mr. Vance, a former district attorney in Manhattan until the end of last year.

The proposed rule comes as Congress and the Biden administration have unveiled a raft of new cyber regulations after a series of disruptive cyberattacks in recent years. In addition to the SEC’s forthcoming rules for listed companies, the agency in February proposed regulations that would require investment funds and advisers to report incidents within 48 hours.

—Kim S. Nash contributed to this article.

Write to David Uberti at [email protected] and James Rundle at [email protected]

Corrections & Amplifications
Christopher Roberti is the senior vice president for cyber, space and national security policy at the U.S. Chamber of Commerce. An earlier version of this article incorrectly referred to him as its senior vice president for cyber, intelligence and supply chain security policy. (Corrected on May 11.)