The U.S. Chamber of Commerce (“the Chamber”) writes regarding the Securities and Exchange Commission’s (the Commission) proposed rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Proposed Rule).  The Chamber appreciates the additional opportunity to comment.

As the Chamber previously warned, the speed at which the Commission has been seeking to push through a huge volume of proposals has risked depriving even the Commission’s own staff of the time needed to develop thoughtful, properly tailored rule proposals.  The Chamber’s warnings have been borne out.  The Commission recently reported that its own systems have been unable even to capture all of the public comments the Commission has received, let alone facilitate a thorough review of those comments.  Ironically, the rule in question – the cybersecurity disclosure rule – would require public companies to disclose certain cyber incidents within four days of those events occurring; yet in the case of the SEC’s “technical glitch,” the SEC is only now informing the public of a major technological problem that has plagued its internet comment form for at least 18 months. This delay in identifying and reporting the problem reflects a clear failure of internal processes within the SEC.