The House Financial Services Committee voted last week to report a Congressional Review Act (CRA) resolution disapproving the SEC’s latest cybersecurity disclosure regulation. The measure was one of three considered and reported by the committee and demonstrates how the month of May has been a busy one for securities legislation that also has seen Congress send a CRA resolution on SEC staff guidance to the White House and lay the groundwork for the full House to mull blockchain legislation in the coming week that, if enacted would divvy crypto regulatory authorities between the SEC and the CFTC. The cybersecurity resolution, along with two other bills dealing with SEC rulemaking reforms and the exclusion of personally identifiable information (PII) from the consolidated audit trail (CAT), were reported by the House FSC on party lines by votes of 27-22. The White House has already indicated a likely veto of the similar Senate resolution introduced last year.
Cyber CRA resolution. In terms of the timing of the cybersecurity CRA resolution, the resolution would repeal a regulation that is currently in effect and for which compliance is already required by most public companies, with the exception of smaller reporting companies, which must shortly comply with certain requirements by mid-June 2024, and with respect to inline XBRL mandates for all subject companies for which compliance is required by mid-December 2024. Thus, companies are now well into their efforts to comply with the SEC’s expanded, formal disclosure regime for cybersecurity incidents.