Trade groups seek changes to SEC’s breach disclosure plan

Defense contractors may be subject to conflicting cyber rules of the road if a proposed financial reporting rule takes effect without changes, trade associations say.

How much should shareholders know about breaches at publicly traded companies? The Securities and Exchange Commission is proposing that companies disclose “material” cybersecurity incidents within four days, but business groups are pushing back on the plan, citing their own interests in confidentiality and potential conflicts posed by the increasingly complex web of cybersecurity law and regulation imposed by the federal government.

A group of trade associations including the Professional Services Council and the Information Technology Industry Council are urging the SEC to rethink its March proposal. In comments filed with the regulatory agency on June 22, the groups caution that companies could be putting themselves at increased risk by making breach disclosures within the time frame ordered under the proposed SEC rules.

“Detailed public disclosures could give cybercriminals and state-backed hackers a trove of data to further victimize companies, harm law enforcement investigations, and disrupt public-private responses to cyberattacks. Also, the costs of the rulemaking outweigh its benefits to investors,” the letter stated. “Simply put, the proposed rules go too far and would place companies at heightened risk by compelling them to prematurely disclose increased amounts of cybersecurity incident information.”

The trade groups also noted that early information from a cybersecurity investigation may turn out to be inaccurate or superseded by subsequent discoveries and that public disclosures made within the four-day time frame specified by the SEC may have unintended consequences for companies.

“It is possible that the severity of incidents could be overstated, thus having a potentially negative effect on a company’s earnings,” the trade groups said.

Additionally, there are special considerations for companies that may be subject to multiple disclosure regimes. Critical infrastructure firms are facing reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which was signed into law in March. That statute requires covered companies to report breaches and ransomware payments to the Cybersecurity and Infrastructure Security Agency within 72 hours of discovery. The reporting requirements under that law won’t take effect until CISA publishes a rule on how to report. Under the terms of the statute, CISA has until September 2025 to get the regulations out the door.

Defense contractors could also be facing multiple, overlapping regulatory regimes. The trade groups noted that the “SEC’s proposed rules neither recognize nor align with the evolving cybersecurity standards and disclosures required of these contractors.” 

Specifically, companies that do business with the Defense Department will be subject to the Cybersecurity Maturity Model Certification program, which is currently under development. CMMC is based on a commonly used National Institute of Standards and Technology standard for cybersecurity hygiene. 

“The SEC does not appear to consider the potentially contradictory, unnecessarily duplicative, or financially burdensome nature of its proposed rules when compared with the CMMC requirement,” the trade groups said.

The groups want the SEC to rethink its proposal with these kinds of overlaps and conflicts in mind and consider redefining what is meant by a cybersecurity incident to align with definitions put forth in the Biden administration’s cybersecurity executive order and the recent legislation covering critical infrastructure.