America’s inadequate cyber regulations are no match for its adversaries

The writer is partner at Krebs Stamos Group and former director of the US Cybersecurity and Infrastructure Security Agency

The Securities and Exchange Commission (SEC) has recently unveiled a highly anticipated set of cyber security regulations that require companies to disclose incidents and report on governance publicly. These rules are a necessary step forward, especially considering the rise in high-profile attacks orchestrated by Russia, China, and their proxies. Such incidents have exposed our reliance on vulnerable tech products, causing concerns within the industry and government.

Increased transparency, prompted by the SEC regulations, is essential for raising awareness across various sectors. In a time when geopolitics and technology are closely intertwined, it is crucial to foster discussions around cyber risk in corporate settings. However, not all aspects of the SEC’s regulations are beneficial.

Specifically, the new incident reporting requirements are redundant and misguided. The Cybersecurity and Infrastructure Security Agency (CISA) was assigned by Congress to develop incident notification regulations for industries last year, establishing CISA as the lead civilian agency for cyber security. As a result, companies are now burdened with the obligation to report incidents to both CISA and the SEC, causing potential inefficiencies and confusion.

Moreover, the SEC regulations encourage premature information disclosure, which can inadvertently assist attackers in evading responders and causing prolonged damage. Companies may be compelled to release information on vulnerabilities before patches are available, potentially leaving customers defenseless against newly empowered attackers.

We are on the verge of a reporting chaos in the cyber security landscape. Due to jurisdictional turf wars and the lack of a unified cybersecurity constituency, Congress is struggling to formulate a clear strategy for improving US cyber security. Leadership remains fragmented, subject to the whims of multiple committees.

Over the past decade, legislators have introduced a patchwork of laws and authorized numerous organizations, resulting in the proliferation of cyber security offices in almost every major executive branch department. This bureaucratic complexity has made collaboration with the government more difficult. It is common to hear questions like, “Who should I contact regarding this issue? CISA, the FBI, the NSA, the Department of Energy, or the White House? Why isn’t there a one-stop shop for cyber issues collaboration with the government?”

My work in 2018 with Congress aimed to establish CISA and create a unified national cyber organizational structure. While progress has been made with CISA’s establishment, a cohesive structure is still lacking.

How can we tackle this challenge? Three key measures are required. First, the SEC should suspend incident reporting requirements and defer to Congress and CISA for future cyber security mandates. The remaining regulations can stay in force, but the SEC should actively seek feedback from the industry on their practical implementation.

Second, Congress should establish select committees on cyber security in both chambers. These committees should have primary jurisdiction over technology risk issues, initially focusing on cyber security but potentially expanding to include artificial intelligence.

Finally, Congress must evaluate liability regimes that hold technology developers accountable when they ship products and services that are not secure by design. As we face adversaries determined to breach critical services, it is disconcerting to witness the release of products with fundamental, preventable flaws.

In the long run, the select committees should designate a central civilian agency to lead digital risk management. This agency can be created by repurposing an existing organization like CISA or by forming a new entity that draws on elements from various government agencies. The creation of the Department of Homeland Security following the 9/11 attacks serves as a precedent for successful reorganization that contributes to national security.

It is evident that our reliance on technology is outpacing our ability to address associated risks. Simply expanding government is not the solution. Instead, we need smarter regulations that reduce overlap, conflicts, and counterproductive measures. It is imperative to think beyond incremental adjustments and consider comprehensive solutions.

Perhaps, in its overreach, the SEC has inadvertently provided an opportunity for Congress to reclaim its role and steer national cyber security policy in the right direction.
