The SEC’s cyber disclosure rule underscores the need for regulatory harmonization post-Loper Bright. CISA’s rules offer a solution.
On Nov. 6, the Transportation Security Administration (TSA) proposed a new cyber rule, with the goal of preventing attacks like the 2021 Colonial Pipeline ransomware incident that caused gas station shortages up and down the East Coast. Among other requirements, the proposed rule would mandate reporting cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours.
TSA’s new rule may represent a marked improvement over the patchwork of unharmonized federal cybersecurity regulations that have proliferated over the past half-decade. For example, the Securities and Exchange Commission (SEC) finalized a rule last summer requiring public companies to disclose major cybersecurity breaches or incidents to the public via filing of a Form 8-K. While the rule is supposed to inform investors of cybersecurity breaches that may impact the financial status of publicly traded companies, the disclosures have not had the intended effect. Instead, misapplication of the disclosure requirement may be undercutting the higher order goal of incentivizing better cybersecurity practices within companies—which smart, harmonized government regulation could accomplish.
The SEC rule shows that the proliferation of mandatory federal cybersecurity measures can be counterproductive. They overburden companies by requiring application of competing definitions, timelines, and standards to the same event—without providing much useful information to the public. And, in some cases, they may have the unintended consequences of encouraging over-disclosure to the detriment of U.S. national security.
Congress’s passage of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in 2022 marks a key turning point. CIRCIA gave CISA leadership over the Cyber Incident Reporting Council, which is tasked with “coordinating, deconflicting, and harmonizing Federal incident reporting requirements.” The council thus has clear statutory authority to scrutinize the SEC and other agencies’ rules and meld them in ways that continue to protect investors and consumers without the current unintended consequences. In addition, CIRCIA’s grant of clear rulemaking authority to CISA for cyber incident reporting for critical infrastructure entities could enable it to create a unitary reporting system, improving the environment for both businesses and national security.
Finally, CISA’s rulemaking authority could also be used to fill in gaps that arise if other agencies’ cyber reporting regulations are struck down in the post-Chevron legal environment, following the Supreme Court’s Loper Bright decision. The Court held that federal judges were no longer required to defer to agency interpretations of ambiguous statutes; the SEC’s cyber disclosure rule is particularly vulnerable to challenge on these grounds.
Conflicting Requirements and Overburdened Companies
Companies must comply with numerous disclosure requirements should they face a cybersecurity incident. The Federal Communications Commission (FCC), the Federal Trade Commission, and federal banking agencies (specifically the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency) each have their own notification requirements for cyber incidents—to list just a few. And in late 2023, the SEC also began to enforce the cyber disclosure rule for public companies.
These rules create a patchwork of inconsistent and potentially conflicting requirements with which companies must comply—and they apply differently based on what industry or content was the subject of the incident. For example, at the same time the SEC finalized its rule, the FCC modified its 16-year-old data breach notification regulations to expand the definition of “breach,” cover additional types of information, and add a requirement that companies notify the FCC about breaches, in addition to law enforcement and (sometimes) consumers.
If a company is also subject to the SEC’s jurisdiction—and many are—the SEC’s rule requires a competing set of considerations. First, the SEC’s rule covers “cybersecurity incidents,” which are defined as “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” Contrast this with the FCC’s “breach” definition, which applies to “any instance in which a person, without authorization or exceeding authorization, has gained access to, used, or disclosed covered data.” This includes inadvertent access, use, or disclosure of covered data.
Next, under the SEC’s rule, a registrant must determine if the incident is material—in other words, if there is a substantial likelihood that a reasonable shareholder would consider it important to their investment decision. That determination must be made “without unreasonable delay” and by consulting several factors the SEC prescribed. These factors differ from the FCC’s. If the incident is determined to be material, then the company must disclose the incident and its “reasonably likely material impact” in an 8-K filing within four business days of that determination. That timeline is different from the FCC’s, which is seven days.
Differing definitions, differing factors to determine reporting thresholds, differing timelines—these complexities are standard for companies subject to multiple regulators’ cyber jurisdictions, making compliance difficult and costly and underscoring the need for harmonized coverage and requirements set by an authorized entity. Notably, SEC Commissioner Hester Peirce dissented from the agency’s proposed rule in 2022, stating: “My primary concern … is that we are unduly dismissive of the need to cooperate with, and sometimes defer to, our partners across the federal government.” Such deference could have been given to the broader regulatory objectives outlined in the National Cybersecurity Strategy, which predated the finalization of the SEC rule and makes CISA the “national coordinator” in charge of cyber incidents and harmonizing regulatory requirements, as described above.
The Rules Fail to Provide Significantly Useful Information to the Public
Focusing on the SEC’s rule, the purpose of mandatory disclosure—especially in the context of an ongoing cybersecurity incident—is to offer investors timely information that could affect the performance of a company’s stock and therefore their decision to invest. However, since the rule’s implementation, the disclosures it mandates have not significantly impacted the market. For the most part, disclosing companies’ stock prices have barely moved.
Investors may be shrugging off these reports, seeing them as another layer of regulatory noise rather than valuable information. This argument is supported by the fact that companies typically make several amendments to their cyber-related 8-Ks as an incident evolves. Further, to be perceived as compliant, many companies (for example, Live Nation) are filing 8-Ks about cyber incidents under a catch-all “other event” 8-K filing rule when incidents are not yet determined to be material. And in perhaps the most needless instances, companies are filing 8-Ks about immaterial incidents. For example, under the new cyber rule, AT&T filed an 8-K on July 12, 2024, concerning recently discovered data exfiltration. Under a heading labeled “Material Cybersecurity Incidents,” AT&T stated, “As of the date of this filing, this incident has not had a material impact on AT&T’s operations, and AT&T does not believe that this incident is reasonably likely to materially impact AT&T’s financial condition or results of operations.” These behaviors cloud the true impact of an initial filing, contribute to alert fatigue, and obscure a company’s true cybersecurity risk to the ironic detriment of investors—and perhaps also consumers. The nonmajor market impacts may continue if investors assume most 8-Ks filed under the cyber disclosure rule are immaterial or premature. This, in turn, could increase a company’s cyber risk tolerance and disincentivize its investment in appropriate cybersecurity protections.
In recognition of these problems, the SEC has issued clarifications to the rule to attempt to stem premature disclosures and disclosures of immaterial incidents. However, they have more recently undercut these same clarifications by imposing penalties on four companies for past disclosures deemed incomplete or misleading. While these disclosures were made prior to the new rule’s finalization, these proceedings may chill the SEC’s attempts to quell unnecessary reporting and exacerbate immaterial incident disclosure—a fact noted by Commissioners Hester Peirce and Mark Uyeda in their dissent regarding the recent proceedings.
Indeed, many investors understand that cybersecurity issues are inevitable. They may view a cybersecurity incident as one potential risk among many when choosing to invest. And unless a breach is catastrophic or happens to a company whose core business is providing information technology or cybersecurity services, many investors will see the fundamentals of a business as unchanged after cyber intrusion. This is what the materiality threshold is supposed to represent. But many companies, anxious that their definition of “material” may not match up with the SEC’s—and therefore potentially warrant an enforcement action—have been erring on the side of over-disclosure. Thus, both the timing and actual determination of materiality can be arbitrary and make it difficult for companies to provide investors with meaningful information through compliance with the SEC rule.
The Rules May Undercut National Security Objectives
The SEC’s rule has raised significant concerns about national security and the unintended consequences of publicly sharing sensitive breach information. Though the disclosure rule was amended after the comment period to reduce the amount of detailed information requested, all public companies—including those with systems, intellectual property, or other information of strategic importance to U.S. national security—must still file an 8-K following a material cyber incident unless the information is classified. The rule does include the possibility of a brief delay granted by the Department of Justice upon written request (30 days initially, up to 120 days in the most serious cases) if filing would jeopardize public safety or national security.
Even with this delay, however, the public nature of the 8-K filing process could provide the investing public—and malicious actors—with clues about the extent of companies’ involvement in national security matters that they would not otherwise have. Presumably, much of what companies provide to the government for national security purposes is not publicly disclosed. Other than perhaps knowing companies have been awarded government contracts, most investors cannot logically be investing based on knowledge of a company’s involvement in national security matters. Therefore, if there is a cyber incident at a company and it impacts national security, it would not have previously materially affected a reasonable investor’s decision to invest; now, disclosure could reveal sensitive information and unduly impact companies by empowering investors with information they would not have previously been privy to. This is the case even in the event of a granted delay.
We may be observing this dynamic play out with the recent revelations of malicious cyber activity by the Chinese-linked Advanced Persistent Threat (APT) Salt Typhoon. The Wall Street Journal reported on Sept. 26 that Salt Typhoon penetrated the networks of several U.S. broadband providers, including AT&T, Lumen Technologies, and Verizon Communications, which the federal government leverages for wiretapping requests. As of this writing, none of the three named companies appears to have filed an 8-K regarding its individual breach, despite the incident likely being material to each due to the scale and severity of the adversarial activity. If a temporary national security exemption has been granted to these entities, yet the investing public (and indeed, the world) knows about the breaches anyway, then the SEC’s investor-focused cyber disclosure rules and the possible filing delays are moot at best. At worst, they undercut their ostensible purpose by providing little value to investors and letting observers—including adversaries—know or confirm which aspects of which companies are likely of national security importance. Notably, each of these telecommunications entities will also be subject to the FCC rules described above, further illustrating that regulatory harmonization is far from complete under the current regimes.
The four-day disclosure timeline in the SEC’s rule may also, in some instances, prevent the early government involvement required to request and have a national security exception granted. The FBI has stated that any public company that discovers a cyber incident that may risk national security or public safety—if disclosed—should summon agency personnel onsite to assess whether the incident qualifies for the exception; this early outreach “allows the FBI to familiarize itself with the facts and circumstances of an incident before the company makes a materiality determination.” Yet many companies have in-house cyber incident response teams that may see government involvement in early incident fact-finding as unnecessary or disruptive to incident containment and recovery, especially if the incident is ultimately deemed immaterial. Thus, well-resourced companies have no incentive to engage with the FBI or CISA until after they have independently made the materiality determination. This dynamic undermines the applicability of the national security exception and risks needless, potentially harmful disclosure.
CISA’s Pending Rules Provide a Better Framework for Companies
The unharmonized coverage and requirements under the existing regulatory environment are particularly problematic when compared with CISA’s current rulemaking under CIRCIA. CISA’s rules—which in their proposed form would mandate cyber incident reporting to CISA for critical infrastructure entities—will be promulgated under CIRCIA’s clear authority and are a better-suited regulatory vehicle than those we’ve described because both they and the overseeing agency are specifically created for cybersecurity protection. CISA has the expertise and ability to use the information from entities’ reports effectively. It will serve as a central clearinghouse and track patterns in reported cyber incidents to respond to threats and allocate resources, without wading into debate over whether disclosures are in investors’ interest to know.
And if it is in the public’s interest to be informed of a breach, there are already other governmental and civil society avenues for public disclosures and analysis outside of regulatory rules. For example, in 2023, Microsoft unwittingly published an outdated, but still valid, signing key online, which allowed Chinese-linked threat actors to forge authentication tokens that enabled them to obtain access to the email accounts of major U.S. government officials ahead of an official visit to China. After this security failure was publicly analyzed by the CISA-appointed Cyber Safety Review Board (CSRB) in a March 2024 report, Microsoft publicized its reorientation to a security-first approach. This strategy saw the company reorganize its product development process to prioritize secure-by-design principles and link compensation to security performance, among other measures recommended by the CSRB.
External pressure and reputational damage from a knowledgeable and effective entity with proper authority can effectively compel companies to invest in better cybersecurity for the public good; where companies are not incentivized by their own business interests to improve their security practices proactively, smart, harmonized government regulation and public venues like the CSRB can be leveraged to encourage appropriate cybersecurity protections and disclose material or other serious failings impacting investors, consumers, and the general public.
The Existing Agency Rules Are Vulnerable to Challenges Under Loper Bright
Existing cyber incident rules may be vulnerable to legal challenges after the Supreme Court’s overturning of Chevron deference in its 2024 Loper Bright decision. Judges are now explicitly required to “exercise their independent judgment in deciding whether an agency has acted within its statutory authority.” Previously, Chevron allowed agencies to interpret statutes broadly, so long as their interpretations were “reasonable.” But post-Chevron, courts are less likely to grant agencies deference when they overstep their statutory bounds.
The SEC’s 8-K cyber incident disclosure rule may be such an instance. The rule was promulgated under the SEC’s authority to prescribe “such rules and regulations as the Commission may prescribe as necessary or appropriate for the proper protection of investors and to insure fair dealing in [securities].” In isolation, this seems like broad authority. But it is cabined by the rest of the statute, which focuses on financial statements, valuation, and corporate law matters. And if one examines the other types of 8-Ks that the SEC has required through its rulemaking, it is clear the cyber reporting requirement is an outlier. The other reporting requirements relate to major financial or corporate law events: material definitive agreements, bankruptcies, acquisitions, changes in control of a registrant, etc. The only required 8-K that is not connected to one of these topics is the reporting requirement for mine safety shutdowns and violations; however, that reporting requirement was created by a provision of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, which specifically authorized such 8-Ks.
Therefore, the cyber incident reporting rule falls far afield of the SEC’s delineated power. And if the SEC’s other 8-K reporting requirements can be used as a yardstick, then courts—which will likely see the SEC’s prior bounded interpretation as the broadest possible interpretation—will almost certainly find the cyber incident reporting rule a step too far under Loper Bright.
Even apart from Loper Bright, the judicial branch has already seemed skeptical of the SEC’s ability to regulate companies’ cybersecurity practices. In dismissing much of the SEC’s case against the SolarWinds chief information security officer for the 2020 Orion software supply chain attack, Judge Paul Engelmayer found that the SEC’s jurisdiction over “internal accounting controls” did not extend to SolarWinds’s cybersecurity practices and deficiencies. While this case did not directly pertain to the SEC’s disclosure rule because it arose before the regulation was finalized, it is possible that this determination could spell trouble for the SEC in future cases.
Harmonizing Cybersecurity Incident Disclosure
To the extent the SEC’s cyber incident reporting rule and other, similar regulations are found to exceed existing statutory authorities, CISA can engage in further rulemaking or make recommendations to Congress to authorize streamlined cybersecurity disclosure requirements. In anticipation of challenges to mandatory cyber disclosure rules aimed at informing investors and consumers in the post-Chevron era, CISA can step in proactively under its clear authorization to review and harmonize the existing rules. The Cyber Incident Reporting Council can coordinate stakeholders to devise a new, coherent regulatory environment that reduces compliance burdens, maintains a balance between the public’s interest in breaches and protection of critical systems, and incentivizes companies to make appropriate investments in cybersecurity controls.
In short, the current proliferation of mandatory federal cybersecurity rules overburdens companies without providing useful information to the public—and, in some cases, may even be detrimental to the United States’s national security mission and agencies. CISA’s clear statutory authority under CIRCIA provides a firm foundation for a singular, well-regulated cyber rule and for directing meaningful changes to harmonize other rules, especially in light of potential challenges to other agencies’ rules under Loper Bright. CISA’s forthcoming rules should stand, even if others fall.
– Francesca Lockhart, Karl Lockhart, Published courtesy of Lawfare.