HIMSS Joins Others in Urging SEC to Allow More Time for Industry Input on Proposed Cybersecurity Rules

HIMSS joined more than 30 other organizations across various industry sectors to urge the Securities and Exchange Commission (SEC) to collect further industry input on its proposed rules on Cybersecurity Risk Management, Strategy, Governance, and Indecent Disclosure.

The group believes the proposed rules could undermine cybersecurity by forcing companies to disclose incident information before vulnerabilities are fixed. This would give cybercriminals and state-backed hackers a trove of data to further victimize companies, harm law enforcement investigations and disrupt public-private responses to cyberattacks.

Along with its partner organizations, HIMSS submitted a letter noting that although the SEC’s proposed rules focus on increasing investors’ knowledge of companies’ cybersecurity postures, it departs significantly from the Commission’s 2018 interpretive guidance, which effectively balances investor interests with companies’ cybersecurity disclosure obligations.

HIMSS and its partners urge the Commission to consider the following points before finalizing the proposal:

• The disclosure of cybersecurity incidents should accommodate temporary delays for law enforcement and/or ongoing investigations.
• The rulemaking should not override laws and regulations related to cybersecurity and protected disclosures.
• The practicality and value of disclosing “aggregate” cybersecurity incidents are unclear.
• The unprecedented micromanagement of companies’ cybersecurity programs is misguided and would not necessarily protect investors.
• Agencies, including the SEC, need to prioritize streamlining reporting regulations.
• Company boards should prioritize managing cyber risks but not through SEC mandates requiring cybersecurity “expertise.”
• The term “cybersecurity incident” should be narrowed to correspond with significant incidents that do actual harm and existing definitions.

The letter discusses the belief that companies must strike a balance between transparency and protecting sensitive information related to cybersecurity. HIMSS and the other signing organizations, are willing to work with the SEC to revise the proposed rules so that investors can be provided with timely information about potential cyberattacks while mitigating the risks associated with disclosing sensitive cybersecurity information.

Read the full letter to the Securities and Exchange Commission.