Representatives Andrew Garbarino (R-NY) and Thom Tillis (R-NC) introduced a joint resolution on November 14, 2023 that, if passed, would overturn the Securities and Exchange Commission’s (SEC) recent " Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure" final rules.

SEC Rules

ISC2 and other industry players are concerned by the new SEC rules because they leave considerable ambiguity, particularly regarding the definition and measure of risk. They also fail to make a definitive ruling on cybersecurity skills and experience requirements for public company boards. Further the new rules in their current form remain open to broad interpretation and variance from one industry to another and could expose organizations and their cybersecurity teams to added risk.

What members should know

It is difficult for CRAs to pass due to the need for approval from both houses and the President. Under the present administration seven CRAs have been introduced and all vetoed. Therefore we do not anticipate that this CRA will be successful. However it does point to a growing body of opposition to the SEC Ruling and ISC2 will continue to call for greater clarity on the SEC rules. For now, our guidance to members remains the same. Members should periodically review incident reporting processes against the SEC ruling to understand in advance what materiality means for their organization, and factor incident risk reporting into their processes. There are also several ISC2 resources that can help, listed here:

Looking to grow your knowledge in the governance, compliance and incident response space?

Consider the Skill Builder on GRC which will provide an immediate opportunity to learn and develop additional competencies, making compliance and comprehension of regulation changes easier. This educational asset if free for ISC2 members and offered at U.S. $19 for non-members.

ISC2's Certified in Governance, Risk and Compliance (CGRC) certification offers a long-term path for skills development and competency in the risk management process aspects of the SEC rules.

Subject matter experts discuss Your Window into Governance, Risk & Compliance during a 60-minute panel discussion at ISC2 Security Congress 2023.

ISC2 previously hosted a webinar on Board Level Reporting Metrics – Getting the Conversation Right that focused on risk profiles and the metrics used to communicate with the Board of Directors to articulate risk.

ISC2 hosts regular panel discussions on hot button insecurity topics featuring thought leaders and visionaries from the industry who answer questions from the audience. Setting up an account is easy and you can be notified when ISC2 has an upcoming topics.