CISA Offers Path Forward on Cyber Reporting
While the Securities and Exchange Commission has proposed stringent rules around cyber-incident reporting that could impact manufacturers negatively, the Cybersecurity and Infrastructure Security Agency has taken a much more collaborative approach, according to Protocol.
A tale of two agencies: Recently, the SEC proposed rules that would require companies to report cyber incidents to the public within four business days, among other provisions.
- The NAM has argued that these moves will lead to confusion and uncertainty. Overall, the SEC’s approach could harm transparency and make manufacturers less secure by requiring them to divulge information about ongoing security threats—potentially providing a roadmap to hackers.
- Learn more about the NAM’s efforts to protect manufacturers from onerous requirements here.
At the same time, CISA has been putting together its own set of cyber-incident reporting rules that are separate from the SEC’s, and CISA’s approach to the rulemaking process has been more collaborative.
- “The Cybersecurity and Infrastructure Security Agency has brought a welcome change in approach compared to the way most federal agencies have engaged with companies around security issues in the past, security professionals told Protocol.”
The results: The difference in styles has led to different results in the two agencies’ proposals.
- For example, while CISA regulations suggest that ransomware payments made by covered companies would need to be reported within 24 hours, the details of those cyberattacks would be anonymized by CISA before any public disclosure—unlike disclosures made to the SEC.
The NAM’s take: “The anticipated rulemaking associated with the Cyber Incident Reporting for Critical Infrastructure Act, signed into law in March 2022, will be an important step to address parts of the law left to CISA to determine and act upon,” said NAM Vice President of Infrastructure, Innovation and Human Resources Policy Robyn Boerstling.
- “For manufacturers who are part of the nation’s critical infrastructure, this regulatory action offers the opportunity to provide input around key definitions and required actions so that the law’s requirements are well-defined and understood by all critical infrastructure stakeholders.”
- “A forthcoming Request for Information from CISA will be manufacturers’ next opportunity to provide input.”
Get help: NAM Cyber Cover was designed specifically to provide enhanced risk mitigation and protection for manufacturers and their supply chains. Find out more at www.namcybercover.com.