February 1, 2024 at 12:19PM
The Biden administration strongly opposes Senate Joint Resolution 50 and House Joint Resolution 100, which seek to nullify the SEC’s strict data breach reporting rule. The administration argues that the SEC rule is vital for transparency and for incentivizing corporate investment in cybersecurity. However, lawmakers disagree about which agency should hold authority over cybersecurity reporting.
Main takeaways:
1. The Biden administration strongly opposes undoing the Securities and Exchange Commission’s (SEC) strict data breach reporting rule, as stated in a policy statement published by the Office of Management and Budget (OMB).
2. The proposed Senate Joint Resolution 50, introduced by Senator Thom Tillis, and House Joint Resolution 100, introduced by Representative Andrew Garbarino, seek to nullify the SEC rules adopted last year regarding data breach reporting.
3. The Biden OMB emphasized the importance of transparency about cyber incidents and the need for public companies to report such incidents as required by the SEC’s rule, to incentivize corporate executives to invest in cybersecurity and cyber risk management.
4. Representative Garbarino believes that the Cybersecurity and Infrastructure Security Agency (CISA) should handle breach reporting requirements, stating that the SEC’s rule is in direct conflict with congressional intent and creates unnecessary reporting requirements.
5. Despite the belief that CISA is the appropriate agency for handling breach reporting, CISA has yet to pass any rules to do so, even though President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act into law in March 2022.
6. The FTC and SEC have taken measures to address cybersecurity incident reporting, and there has been a decrease in ransom payments to ransomware operators, attributed partly to the reporting requirements from the SEC and FTC.
7. The OMB expressed concerns that reversing the SEC’s rulemaking would disadvantage investors, undervalue investments in cyber programs, and pose risks to economic and national security.
8. There are concerns about giving the SEC cybersecurity reporting authority, with particular mention of the agency’s own security vulnerabilities, such as with its Twitter account.