The SEC: The Elephant in the New National Cyber Strategy

March 27, 2023

The Biden Administration’s new National Cybersecurity Strategy is an important first step toward improving our nation’s cybersecurity. This strategy, unlike the numerous others that have been unveiled over the past 20 years, adopts ISA’s core argument that we cannot create a sustainably secure cyber system until we rebalance the incentives for cyber-attacks.

ISA is not alone in our positive reaction to this strategy. The Biden Administration is finally calling for what we in the industry know to be needed: a new model of cybersecurity that emphasizes the need for market incentives in strengthening our cybersecurity. This strategy points away from entities that suffer from cyber-attacks, instead focusing on the providers of IT equipment.

This move to focus on rebalancing incentives is a big idea. While focusing on providers, the entities that are functionally “making the system,” promises to be a more effective way to make the system itself more secure, it is not an easy task. While ISA welcomes the emphasis on security, we also need to maintain our focus on productivity. The evolution of modern technology, largely built by these providers, is also the stimulus for the vast majority of the economic, social and national defense progress we have accomplished during the digital generation. We will need to both create a more secure system and simultaneously maintain our nation’s growth and productivity.

Making this task even more difficult is the fact that, unlike virtually every other major issue, from climate change to geopolitical conflict, cybersecurity currently has no macro-economic model. ISA has proposed to CISA and the White House that such a model needs to be created and that we need to get our best economic minds to work on that aspect of the problem.

And then there is the real elephant in the room: the SEC. Contrary to the President’s call for a new model, the SEC’s proposed rules, which were issued nearly a year ago, long before the new strategy was unveiled, double down on the old blame-the-victim approach. If this rule follows the path suggested in the Commission’s NPRM, it threatens to undo all of the positive momentum from the new strategy.

According to SEC Chair Gary Gensler, the proposed rules “would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.” Like security, protecting investors is a worthy goal. The issue is not whether investors should be protected but how best to protect them without undermining security and productivity.

Contrary to its intentions, the proposed SEC rules threaten to hamstring the Biden Administration’s cybersecurity strategy. In fact, they would add a whole new layer of compliance requirements at the same time CISA is engaged in an effort to eliminate this sort of regulatory redundancy. CISA recognizes that regulatory redundancy is diverting scarce cybersecurity resources and thus adding to the insecurity of the system, all to the detriment of the same investors the SEC is aiming to protect.

Rather than relying on punitive victim blaming, the SEC needs to recognize that we, industry, citizens, and government, are on the same team. Cybersecurity does not exist in a vacuum, and we cannot continue to work against one another. The SEC proposal undermines this concept by imposing a 48-hour reporting window after a cyber incident. Not only does this significantly exacerbate the problem of regulatory conflict and duplication, but it would also impede cyber first responders from focusing their valuable time and resources on remediation and recovery from the incident.

The Biden Administration’s new strategy recognizes that we need the whole of government and industry to work collaboratively to build a sustainably secure cyber system. We must act now to capitalize on this shift in understanding.

Just as the Biden Administration has developed a new model for creating a sustainable system of cybersecurity, the SEC needs to evolve a new model to protect investors. Fortunately, through an extensive and collaborative process, the National Association of Corporate Directors, together with ISA, CISA and the FBI, has crafted such an approach in the new edition of the Cyber Risk Handbook for Corporate Boards, which was published last week. In her comments presenting the new handbook, CISA Director Jen Easterly noted that “not only was it chock full of useful and practical steps for organizations to take but it works.”

A system that works is clearly preferable to an outdated model that does not. In our next series of posts, we will explore how this new model can effectively protect consumers and at the same time promote the Biden Administration’s new strategy.