Biden Will Veto Efforts to Spike SEC Breach Disclosure Rule
2024-02-01 22:20:45 Author: securityboulevard.com

President Biden is warning Congressional Republicans that he will veto any attempts to overturn the Securities and Exchange Commission’s (SEC) new requirement for public companies disclosing cybersecurity incidents.

In a brief policy statement this week, the White House said public companies not reporting cyberattacks that disrupt their operations not only harms investors who should know about incidents that could hurt their investments but also encourages more attacks.

“Ransomware attacks are up 45 percent year over year. The lack of transparency by public companies about cyber incidents impacting their operations and data is fueling increasing cyberattacks across all sectors and all industries,” the Office of Management and Budget wrote in the statement. “Greater transparency about cyber incidents, as required in the SEC’s rule, will incentivize corporate executives to invest in cybersecurity and cyber risk management.”

Biden’s veto threat comes as SJ Res. 50, introduced by GOP senators in November 2023, and a companion resolution drawn up by Republicans in the House of Representatives wend their way through Congress.

Both look to scuttle the new rule, which went into effect in December and requires publicly traded companies to report a breach within four days of the affected company determining that the incident is “material.” As noted by giant consultancy PwC, with the disclosure rule, “the SEC puts the onus on companies to give investors current, consistent and ‘decision-useful’ information about how they manage their cyber risks.”

A Controversial Rule

The rule, when introduced earlier last year, was met with both praise and criticism. Some said it was important to ensure that both customers and investors get as much clarity as possible about cyberattacks, with John Pirc, vice president at cybersecurity firm Netenrich, telling Security Boulevard as the rule went into effect that “by mandating timely disclosure of material cybersecurity incidents, and the requirement for detailed annual reporting on risk management strategies, these rules bring clarity and standardization to how public companies report cybersecurity issues.”

Others complained that the rule will be expensive for companies to comply with and could open them up to more risks by forcing them to disclose information about both the attack and how the company responded.

SEC Accused of Overreach

The lawmakers pushing the Senate and House bills called the rule an overreach by the SEC and argued that it infringed on the responsibilities of the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

“Congress has been clear in its intent to harmonize federal incident reporting requirements, a position that the Biden Administration has emphasized as well,” Rep. Andrew Garbarino (R-NY), one of the House bill’s sponsors, said in a statement when introducing it. “Despite this, the SEC took it upon itself to create duplicative requirements that not only further burden an understaffed cybersecurity workforce with additional and unnecessary reporting requirements, but also increase cybersecurity risk without a congressional mandate and in direct contradiction to public law that is intended to secure the homeland.”

Sen. Thom Tillis (R-NC), the sponsor in the Senate, said in a statement that “as we have continuously seen [Chair] Gary Gensler’s SEC is doing their best to hurt market participants by overregulating firms into oblivion.”

That said, on the same day that the White House put out its statement, Tillis reportedly said he wouldn’t ask for a vote on the resolution, given Biden’s veto threat.

“I’m not here for a show vote,” Tillis said, according to news site Politico Pro. “Even if it could pass, it’ll get vetoed.”

At this point, he is hoping the introduction of SJ Res. 50 and the arguments from lawmakers about their objections will convince Gensler “that they need to reopen it. They need to get additional comments. They need to fix the vulnerabilities.”

Companies Coming Forward

Over the past few weeks, several top-tier companies have reported cyberattacks. Both Microsoft and HPE reported that the Russia-linked espionage group APT29 (also known as Cozy Bear, Midnight Blizzard, and Nobelium) had hacked into their corporate systems.

Others reporting attacks to the SEC include Mr. Cooper Group, Fidelity National Finance, and Johnson Controls International.

It’s unclear if the new disclosure rule influenced the companies’ decisions to report the incidents, though such transparency should be expected now that the rule is in place.

Source: https://securityboulevard.com/2024/02/biden-will-veto-efforts-to-spike-sec-breach-disclosure-rule/