SEC Breach Rules to Stay, For Now

Posted on Friday, Feb 9, 2024 by Ned Bellavance

Featured in this episode of Tech News of the Week

In July of last year, the SEC changed their breach disclosure rules to require all publicly traded companies to report materially significant cyberattack breaches within four days. Four days. That’s a pretty big change from, “whenever you get around to it.”

The SEC’s primary concern is protecting investors, and we’ve certainly seen how a breach could impact a company’s bottom line. Business’ primary concern is to not be inconvenienced by the SEC, so, predictably, lobbyists working on behalf of publicly traded companies have been pushing to repeal the SEC decision through law.

There are matching bills working their way through the House and Senate that would nullify the SEC rule. Now I’m not one to read bills because they are 1) long, 2) bloviated, and 3) like, a lot of work. But this one is less than a page in length.

Here’s the meaty part, “That Congress disapproves the rule submitted by the Securities and Exchange Commission relating to Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure and such rules shall have no force or effect.” That’s legalese for, nuh-uh.

Fortunately, the Biden administration has pledged to veto any such bill should it manage to pass muster. That’s legalese for, ya-huh. There is unlikely to be enough support to override a veto, so it appears that the rule will stand.

At least until 2025, when the world will plunge into chaos and the four horsemen of the apocalypse will appear astride their bloody beasts to ravage the world and rend us asunder. At least that’s what my Magic 8 ball told me and it hasn’t steered me wrong yet.