The SEC’s cyberattack reporting rules are seeing fierce opposition. CISA is poised to do better.
A compromise between the supporters and opponents of the SEC proposal might be possible: one in which companies are still required to report major cyber incidents, but the reports are not disclosed publicly until the issues have been mitigated, Rapid7’s Geiger said. “But I’m not confident that’s going to occur because so much of the dialogue has been black or white: full transparency, or not having the [requirements] at all,” he said.
Besides the SEC and CISA, nearly two dozen other federal agencies have their own proposed or finalized requirements around the reporting of cyber incidents, according to a tally by R Street. Plus, new ones keep surfacing at the federal level, while many U.S. states have breach-reporting requirements as well.