
OMB Says President Will Veto Senate’s Attempt to Kill New Cyber Breach Reporting Rules

The Office of Management and Budget says that the administration strongly opposes Senate Joint Resolution 50, introduced last year by Senator Thom Tillis (R-NC), and that the President would veto it. That resolution would overturn the SEC's new cyber incident disclosure rules, which the Commission adopted last July.

The Senator says that the rule should come from CISA.

That is an odd position, since CISA does not, as a rule, issue regulations binding on private companies, even though it legally could in a few situations.

The SEC's rule requires public companies to disclose a cyber incident within four business days of determining that the incident is material to investors.

The Register asked Tillis' office to explain its reasoning but had not received a response. This is an election year, so that might be a factor behind the resolution.

The SEC requires the disclosure to be made on Form 8-K, which is a public filing. Companies, understandably, would prefer not to air their dirty laundry (AKA breach details) in public; that is not good for the stock price or for consumer confidence.

Tillis did say, when a House companion resolution was introduced (also last year), that the rule amounts to over-regulation with an unrealistic timeline and that, somehow, it would make markets less safe.

BUT, Tillis should be careful what he asks for.

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law in 2022 but applying only to critical infrastructure, gives companies a "much more realistic" timeline of seventy-two hours to report incidents. Note that seventy-two hours is shorter than the SEC's four business days. One theory is that, because CIRCIA requires the normal "notice of proposed rulemaking" process, implementation will likely be delayed for years, allowing companies to avoid reporting their breaches in the meantime, and the requirements will likely be watered down along the way. In addition, CISA's proposed rule applies only to critical infrastructure and would likely allow companies to report to CISA confidentially.

Critical infrastructure is a pretty broad term, however, covering sectors such as chemical, communications, dams, defense, energy and financial services, among several others.

The SEC's rule is designed to protect investors. CISA's rule would not protect investors, since they would never learn about the incidents if, as currently expected, companies are allowed to report breaches to CISA confidentially.

This is a stay-tuned situation. There is no telling whether the resolution will even make it out of Congress, let alone survive a veto.

Credit: The Register

