In Deregulatory Climate, Critics of Cybersecurity Rules Get Heard

Written by David Weldon | September 12, 2025

At a time of regulatory rollbacks and recalibrations, companies and industries are pushing back on cybersecurity rules, calling for changes to reduce costs and eliminate duplicative reporting requirements.

Such complaints were aired before and since rulemakings by the U.S. Cybersecurity and Infrastructure Security Agency, the Securities and Exchange Commission, and others including financial industry overseers that specified tight deadlines for reporting of cyber breaches. Under new Republican leadership, the SEC in June withdrew several proposals from the prior administration. One was for broker-dealers, clearing agencies and other covered entities to make “immediate notification to the commission of the occurrence of a significant cybersecurity incident.”

Representing a united front among advocacy groups, a May 22 comment letter from the American Bankers Association, Bank Policy Institute and others told the SEC that after 18 months in effect, cyber incident disclosures for Form 8-K Item 1.05 had proven to be premature, confusing, unhelpful to investors, and weaponized by hackers using “the rule's prescriptive requirements as additional extortion leverage.”

Incident disclosure mandates were “the most urgent and problematic aspects” of a rule that was “deeply flawed,” the associations said in petitioning for rescission.

“There has also been criticism on the timing of when the cyber incident disclosure needs to be given,” says Freshfields capital markets partner Erik Gerding, a former director of the SEC’s Division of Corporation Finance. “The SEC rule requires disclosure four business days after a public company determines that an incident was material. Some market participants feel that is too quick.”

Too Much or Too Little?

While the intentions of a reporting policy may be good, the high-level nature of the disclosed information limits its usefulness, according to Aaron Pinnick, senior manager of thought leadership for ACA Group’s Aponix and ESG programs.

Firms understandably “need to focus on responding to the incident and certainly have all the facts about an incident” within days, Pinnick says. But as a result, “the disclosures frequently include little more than confirmation that an incident occurred, the general timeline of the incident, and that the incident may have a material impact on the company.”

There are also definitional challenges, including that of materiality.

If, to the SEC, a cybersecurity incident is an “unauthorized occurrence or a series of unauthorized occurrences,” then the agency will expect firms to find patterns and trends in smaller, non-material cyber incidents, aggregating those into a larger context. What’s more, materiality determinations can be difficult when a firm is constantly under cyberattack, Pinnick says.

Firms under pressure, Pinnick adds, may suffer “disclosure fatigue” or “disclosure panic,” knowing that investors will be getting information based on only a few days of incident analysis.

On the positive side, says Pinnick, formal reporting rules underscored the importance of best practices and the benefits of transparency. Public companies are sharing more information than in the past, “and while there are certainly still challenges and opportunities to improve on these disclosures, the regulation does provide investors, regulators and the public in general with more information, in a known location, within a predictable period of time after an incident.”

The SEC’s pullbacks, including a proposal “to shield investors from cybersecurity risks,” did not sit well with Better Markets president and CEO Dennis Kelleher. “If the SEC continues on this track,” he said in House Financial Services Committee testimony on July 15, “it will be fair to say that its mission is no longer to protect investors but to protect the industry it is supposed to regulate.”

SEC Chairman Paul Atkins, releasing the agency’s regulatory agenda on September 4, said it reflects “a new day” representing the commission’s “renewed focus on supporting innovation, capital formation, market efficiency, and investor protection.”

Breadth versus Tailoring

The Cybersecurity and Infrastructure Security Agency (CISA) during the Biden administration responded to an increasingly complex threat landscape with both generalized guidance and initiatives targeted specifically at 16 critical infrastructure sectors, which include energy, financial services, government services, healthcare and IT.

A provision of the 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), not to be implemented by CISA before next year, seeks reporting of significant incidents within 72 hours and ransomware within 24 hours.

The agency has faced criticism for trying to reach too many entities across sectors that are too broadly defined. “For CISA,” Gerding says, “the question is whether the cybersecurity risks to critical infrastructure that would be mitigated from a more broadly scoped rule outweigh the costs to the private sector.

“In other regulatory areas, the idea of tiered disclosure – or tailored regulation in general – has gained momentum over the last two decades. This reflects a view that certain categories of companies, including smaller companies, should have less disclosure or other regulatory obligations.”

“Many organizations don’t have the resources to effectively respond to a cyber incident in time,” states Fayyaz Makhani, global security architect at cybersecurity vendor VikingCloud.

To Pinnick, rules applying so broadly to so many non-small businesses will be a burden especially on mid-sized firms. For those that are publicly held, too much or too premature information may startle investors and cause them to overreact.

“Current Patchwork”

Duplicative and conflicting cybersecurity requirements across multiple agencies were called out in March testimony to a House Homeland Security subcommittee by Heather Hogsett, then Bank Policy Institute senior vice president.

“The current patchwork of duplicate cybersecurity regulations stretches banks’ cybersecurity teams thin and hinders their ability to combat cyber threats and safeguard the nation’s financial system,” said a statement by Hogsett, who was promoted in May to executive vice president and head of BPI’s BITS division and is vice chair of the Financial Services Sector Coordinating Council. “A more coordinated and streamlined regulatory approach would not only enhance security and operational efficiency but also strengthen the financial sector’s collective defense against evolving threats.”

Hogsett recommended withdrawing and reissuing the “overly broad” proposals under CIRCIA and rescinding the SEC incident disclosure rule. With financial institutions navigating more than 10 separate cyber incident reporting mandates in the U.S. alone, Hogsett suggested that agencies leverage CIRCIA as the primary reporting framework.

Reauthorization for Collaboration

Meanwhile, the looming September 30 expiration of the 2015 Cybersecurity Information Sharing Act had numerous business organizations – including a U.S. Chamber of Commerce coalition and, in a September 4 letter to congressional leaders, 13 financial industry trade associations – urging action to reauthorize it.

“The current cyber threat landscape highlights the need for consistent public-private collaboration, of which information sharing is a central component,” said the September 4 letter. “Without the protections codified by this statute, businesses may be less willing to share cyber threat information for fear of legal exposure.”

The ABA, BPI, Managed Funds Association and Securities Industry and Financial Markets Association, in a May letter to Treasury Secretary Scott Bessent, said that in view of past breaches, they were “deeply concerned about the cybersecurity risk management practices at federal regulatory agencies and the need for critical reforms to ensure the supervisory process does not introduce unnecessary risk to firms through regulators’ own security weaknesses.”

They offered to “partner with the administration and the regulators to ensure our financial markets are well guarded against our adversaries and protect the vitality of the U.S. economy.”

Makhani of VikingCloud maintained that balancing the interests of companies, customers and government is crucial: “Finding the right balance requires ongoing dialogue and collaboration among stakeholders.”