New cybersecurity rules due to come into full force less than a month from today are being blocked in the US Congress, in both the Senate and the House of Representatives. The new rules include the mandatory reporting of any ‘material’ cyber-attack within four working days and were drawn up by the Securities and Exchange Commission (SEC).
But, according to a statement issued by Congressman Andrew Garbarino, Chairman of the House Homeland Security Committee’s Cybersecurity and Infrastructure Protection Subcommittee, and Senator Thom Tillis: “This cybersecurity disclosure rule is a complete overreach on the part of the SEC … also increasing cybersecurity risk without a congressional mandate and in direct contradiction to public law that is intended to secure the homeland.”
“[The] SEC is doing their best to hurt market participants by overregulating firms into oblivion,” says Senator Tillis.
Christopher Roberti, Senior Vice President for Cyber, Space, and National Security Policy at the U.S. Chamber of Commerce, also echoed fears voiced in Congress that the SEC rules would be so onerous as to inhibit best cybersecurity practices.
SEC rules could interfere with law enforcement
“The new cyber disclosure rule could force important information to be reported before the problem is fixed and could interfere with the efforts by law enforcement and intelligence agencies to stop attackers,” says Roberti.
“We believe there are better ways to promote transparency, protect investors, and mitigate contagion risk than by publicly sharing detailed vulnerability information with criminals and hostile nation states while remediation is ongoing,” adds Heather Hogsett, Senior Vice President of Technology and Risk Strategy for BITS, the technology policy division of the Bank Policy Institute.
A Congressional Review Act (CRA) resolution to overturn the SEC’s cyber disclosure rule, filed this month, comes hard on the heels of news that organized cybercriminal groups are already beginning to weaponize the soon-to-come-into-force SEC rules. Ransomware group ALPHV, for example, even had the gall to report one of their victims to the SEC for tardy reporting of a ransomware attack ALPHV had themselves instigated.
This could point to a coming trend in which cybercriminals use the stringent new SEC rules as a way of exerting even further pressure on non-compliant victims, appearing to vindicate fears now being voiced in Congress.