SEC official defends new cyber disclosure rule that some lawmakers seek to overturn


A top U.S. Securities and Exchange Commission (SEC) official on Wednesday defended the agency’s new cybersecurity disclosure rule in the face of withering criticism from industry groups and Republicans in Congress.

While Erik Gerding, director of the SEC’s Division of Corporation Finance, was not asked directly about the new congressional effort to overturn the rule, he told an interviewer at the Aspen Cyber Summit that the SEC pushed the rule forward in part because the agency was concerned that public companies were underreporting cybersecurity incidents. The rule is set to go into effect next month.

On Tuesday, Capitol Hill Republicans announced they plan to use a rare — and rarely successful — congressional procedure known as the Congressional Review Act to try to overturn the SEC requirement. Rep. Andrew Garbarino (R-NY) called the rule a “complete overreach.”

The rule will require public companies to disclose cybersecurity incidents within four business days of determining they are material, with an exception for events that the U.S. attorney general determines could pose a national security risk if made public. At a separate panel, the assistant director of the FBI’s Cyber Division, Bryan Vorndran, said the Department of Justice will “provide public-facing guidance in the next month” about how companies can ask permission to delay cyber incident disclosure under the new SEC rule.

Industry groups have argued that it is unclear what constitutes a material event, but Gerding suggested it is a basic judgment call based on “what a reasonable investor would consider to be significant.”

He said the SEC definition of materiality in the rule “builds right off of a Supreme Court decision.”

Investors deserve prompt information on cyber incidents, Gerding said, calling them “very similar to other kinds of risks companies face” such as equipment burning down or interest rate movements.

Gerding added that the SEC is not “trying to prescribe what is or is not good risk management.” Instead, he said, the agency wants to let investors make the decision for themselves, armed with the right information.

Much of the criticism around the new rule centers on the idea that disclosure will help cyber criminals, but Gerding waved that off.

“What we’re not looking for is technological details that give bad actors … a road map to pierce” a given company’s cyber defenses, he said.

The SEC adopted the rule, he said, to help “investors understand whether companies are adequately winning [the] arms race” against cyber criminals.


Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.
