The U.S. Chamber of Commerce (the “Chamber”) submits this letter in response to the recent rule adopted by the Securities and Exchange Commission (“SEC”) regarding cybersecurity incident reporting and cybersecurity practices by public companies (the “Rule”).
Cybersecurity is a priority for the Chamber and its members. While the Chamber appreciates some of the changes made to the March 2022 proposal, the SEC was dismissive of important issues raised by the Chamber and others.2 The Rule creates procedures that are vague and unworkable, ignores the role of national security agencies, and establishes conflicting obligations on the part of the issuer leading to unclear enforcement standards. Unfortunately, many of these issues could have been addressed through historic deliberative processes used by the SEC for decades—such as roundtables and more extensive comment periods.