The Information Technology Industry Council has called on the Securities and Exchange Commission to delay the implementation of its proposed cybersecurity rule to provide the SEC with enough time to deconflict its rule with the Cybersecurity and Infrastructure Security Agency’s rulemaking to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022.
ITI said Monday that delaying the implementation could prevent the proposed rule from creating additional security risks.
In March, the SEC solicited comments on proposed rules to improve and standardize disclosure by public companies regarding cybersecurity risk management, incident reporting, governance and strategy.
“While we understand the objectives of the rule are to improve investor awareness of cybersecurity-related factors, we are concerned that it may in fact serve to undermine cybersecurity if not appropriately calibrated,” ITI wrote in the comments to the proposed SEC rule.
“We encourage the SEC to delay implementation of the proposed rule until CISA has further implemented its own rulemaking pursuant to CIRCIA 2021, so as to have a more fulsome understanding of the cyber incident reporting landscape,” the organization added.
ITI also recommended that the SEC avoid directing disclosure of incidents encountered by third-party vendors and include safe harbor provisions for national security, law enforcement and cybersecurity interests.