Reps. Andrew Garbarino, R-N.Y.; Mark Green, R-Tenn.; and Zach Nunn, R-Iowa, have voiced concerns about the Securities and Exchange Commission’s new final rule to require public companies to disclose their cyber risk management policies and procedures and report cybersecurity incidents.
In a letter sent to SEC Chair Gary Gensler, the lawmakers said the cybersecurity disclosure rules are duplicative and contradict the congressionally mandated, bipartisan Cyber Incident Reporting for Critical Infrastructure Act of 2022, the House Committee on Homeland Security said Tuesday.
According to the lawmakers, the SEC must work with the Department of Homeland Security Cyber Incident Reporting Council to “coordinate, deconflict, and harmonize federal incident reporting requirements.”
They also request the commission to conduct an analysis of how the new rules will interact with CIRCIA and affect SEC’s other cyber incident disclosure requirements.
“Failing to do so will only jeopardize companies’ confidential reporting strategies and publicly divulge vulnerabilities to our Nation’s critical infrastructure,” the letter reads.
In July, the SEC adopted the rules to require public companies to disclose material aspects of a cyber incident’s nature, scope and timing within four business days and report the possible material impact on their financial condition and operations.
