While advocates for more transparency and timely disclosures in response to data breaches were generally pleased with the SEC's new disclosure rule, which went into effect on December 18, not everyone shared that view.
In November 2023, Senator Thomas Tillis [R-NC] introduced bill S.J.Res.50 – A joint resolution providing for congressional disapproval under chapter 8 of title 5, United States Code, of the rule submitted by the Securities and Exchange Commission relating to “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure”. Since then, the resolution, which was co-sponsored by Senator Katie Boyd Britt [R-AL], has acquired seven more co-sponsors. All of the co-sponsors are Republican.
The text of the resolution reads:
Resolved by the Senate and House of Representatives of the United States of America in Congress assembled, That Congress disapproves the rule submitted by the Securities and Exchange Commission relating to “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” (88 Fed. Reg. 51896 (August 4, 2023)), and such rule shall have no force or effect.
On January 31, the White House issued the following statement:
The Administration strongly opposes passage of S.J. Res. 50, a joint resolution to disapprove of the SEC rule relating to informing investors about cybersecurity incidents and establishing uniform standards for corporate disclosures for oversight and governance of cyber risks.
Ransomware attacks are up 45 percent year over year. The lack of transparency by public companies about cyber incidents impacting their operations and data is fueling increasing cyberattacks across all sectors and all industries. Greater transparency about cyber incidents, as required in the SEC’s rule, will incentivize corporate executives to invest in cybersecurity and cyber risk management.
Moreover, publicly-traded companies have a fiduciary duty to inform their investors of material cybersecurity incidents—as they do for all adverse events—that could be reasonably expected to affect corporate operations, brands, and share prices. Reversing the SEC’s rulemaking would not only disadvantage investors who deserve to have a clear understanding of the cyber risk underlying their investment but would also cause companies to undervalue investments in cyber programs to the detriment of our economic and national security. The Administration believes these SEC disclosure requirements provide needed transparency to protect investors and incentivize cybersecurity investment.
If the President were presented with S.J. Res. 50, he would veto it.