Tuesday, August 22, 2023

U.S. Chamber of Commerce criticizes SEC cybersecurity rules

By R. Jason Howard, J.D.

The U.S. Chamber of Commerce has submitted a letter to the SEC in response to a recently adopted rule regarding cybersecurity incident reporting and cybersecurity practices by public companies. In the letter, the Chamber applauds some of the changes made to the March 2022 proposal but notes that the SEC was dismissive of important issues raised by the Chamber and others.

According to the letter, the rule “creates procedures that are vague and unworkable, ignores the role of national security agencies, and establishes conflicting obligations on the part of the issuer leading to unclear enforcement standards.” Many of these, the Chamber notes, could have been addressed through the SEC’s use of roundtables and more extensive comment periods.

The SEC has “chosen speed over accuracy, ignored the role of nation-state actors, and is forcing businesses to choose between disclosure and national security.” The rule, as it stands, will “degrade investor protection, capital formation and competition.” Because of this, the Chamber recommends the following steps be taken:
  1. Delay the effective date by twelve months;
  2. Hold a roundtable with general counsels, chief information officers, investors and other stakeholders to identify the foreseen and unforeseen adverse consequences of the Rule and craft solutions to the challenges identified;
  3. Develop guidelines with the Department of Justice and then establish and test the Attorney General mechanism to delay reporting, which will provide certainty to the business community and marketplace;
  4. Convene, in an appropriate setting, a meeting with general counsels, chief information officers, investors and appropriate members of the national security community to establish a mechanism, as was done with the Department of Justice, to allow for disclosure, if appropriate, should a business be attacked by a nation-state actor;
  5. Clarify the broad definition of cyber incident and provide clear guidelines for enforcement proceedings; and
  6. Take additional steps to minimize information flows that may benefit hackers.
The Chamber explains that if these steps are taken expeditiously, it can address “many of the severe consequences that would ensue if the rule were implemented as-is.”

The letter also addresses the Chamber’s concerns in more detail before concluding with the Chamber stating that it and its members “would welcome the opportunity to work with the SEC to gain a better understanding of how the SEC plans to implement and administer the Rule.”