Former stock-exchange security leader praises SEC proposal on cyber incident reporting
The R Street Institute also submitted comments ahead of today’s deadline. The institute is “a nonprofit, nonpartisan, public policy research organization. Our mission is to engage in policy research and outreach to promote free markets and limited, effective government,” the group says on its website.
The R Street cyber and emerging threats team “has significant concerns around the current format of the rulemaking, including several items that must be modified, delayed or removed to ensure that the regulations enhance rather than harm overall security; are interoperable with other state and federal government rulemakings on incident reporting; are reasonable obligations for businesses; and provide useful public information for investors,” the group said in comments to the SEC.
For instance, the proposed “four-business day deadline from the finding of materiality is simply too short for multiple reasons,” it said.
“At this point, we urge a cautious and slow approach to the rollout of this rulemaking, given that the expected costs to business are higher than the currently known benefits for investors,” R Street said. It observed a variety of concerns from industry and others, saying “each of these points above has merit, but the team believes the need to provide greater transparency for investors and the public is also important.”
R Street said, “We are confident that the spirit of the S.E.C.’s rulemaking can be modified to address these concerns and blunt the worst of them. We do suggest, however, that the S.E.C. delay finalization of the proposed rule for some months to better understand the implications on business and on security, and that, when implemented, there is a delayed uptake process or grace period to allow businesses to prepare themselves for the new requirements.”