May 09, 2022

WASHINGTON – Today, global tech trade association ITI urged the Securities and Exchange Commission (SEC) to delay implementation of its Proposed Rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure to ensure the rule does not undermine cybersecurity and create additional security risks. In comments to the SEC, ITI cautions that the proposed rule could inadvertently expose unmitigated vulnerabilities and conflict with the Cybersecurity and Infrastructure Security Agency (CISA) rulemaking to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Delaying the implementation of the proposed rule would provide the SEC and stakeholders the opportunity to work through these challenges and allow the SEC the time to coordinate with CISA to deconflict the proposed rule with CIRCIA.

“ITI supports the Commission’s intent to improve investors’ awareness of material cybersecurity incidents and believes that in many instances offering information about cybersecurity incidents and governance procedures can help to improve transparency,” ITI wrote in the comments. “While we understand the objectives of the rule are to improve investor awareness of cybersecurity-related factors, we are concerned that it may in fact serve to undermine cybersecurity if not appropriately calibrated. We encourage the SEC to delay implementation of the proposed rule until CISA has further implemented its own rulemaking pursuant to CIRCIA 2021, so as to have a more fulsome understanding of the cyber incident reporting landscape.”

In the comments, ITI offers perspectives on and recommendations to improve the SEC’s proposed rule, and highlights its overarching concerns that the rule could serve to undermine cybersecurity, as well as the relevance of “materiality.” In addition to its recommendation to work with CISA to ensure federal coordination to the extent possible, ITI urges the SEC to avoid requiring disclosure of incidents experienced by third-party vendors and to include safe harbor provisions for law enforcement, national security, and cybersecurity interests.

Read the full comments here.
