In this opinion article, the former director of the US Cybersecurity and Infrastructure Security Agency (CISA) comments on the Securities and Exchange Commission (SEC)’s announcement of cybersecurity regulations that require companies to report on incidents and governance. While the aim of the new regulations is to achieve more transparency, the author believes that they are redundant and misdirected. Under the new rules, companies are required to report incidents to both the SEC and CISA, which creates potential for conflicts between the agencies in their rulings. The SEC’s requirement for incident reporting also means companies may have to announce vulnerabilities before there are fixes, allowing attackers to inflict more damage. The new set of regulations increases the confusion that the government has been trying to address with CISA: which agency should companies report cyber issues to? CISA, the SEC, the FBI, the NSA, etc.? To address this confusion, the author recommends the following changes: the SEC should “defer to Congress and CISA for future cyber security mandates”, Congress should have committees dedicated to cybersecurity, and Congress needs to be vigilant in keeping regulation on technology liabilities up to date. In the end, Congress needs to take control and establish the proper jurisdictions for the agencies to make cybersecurity policy consistent.