Regulatory Reset? U.S. Cyber Incident Reporting Rules Face Congressional Scrutiny
Lawmakers expressed bipartisan support for significantly amending or eliminating some cybersecurity incident notification requirements during a recent hearing of the U.S. House Committee on Homeland Security's Subcommittee on Cybersecurity and Infrastructure Protection. The subcommittee convened its first hearing on March 11, 2025, titled "Regulatory Harm or Harmonization? Examining the Opportunity to Improve the Cyber Regulatory Regime." The hearing focused on two federal cybersecurity reporting requirements: (1) forthcoming final regulations by the Cybersecurity & Infrastructure Security Agency (CISA) for critical infrastructure; and (2) the Securities and Exchange Commission's (SEC) 2023 rule requiring public companies to disclose "material cybersecurity incidents."
Criticisms of CISA's Reporting Regulations
The Cybersecurity Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022 directed CISA to publish regulations requiring operators of critical infrastructure to report "substantial cybersecurity incidents" within 72 hours and ransom payments within 24 hours. CISA's proposed regulations, which were published in April 2024, received significant industry criticism on various grounds, including that the proposals covered more entities and a broader range of incidents than Congress intended. While many expected CISA's regulations to apply only to specific types of critical infrastructure entities, the CISA proposal applies broadly to any entity in a critical infrastructure sector that meets sector-specific criteria or that exceeds a small business threshold. Critical infrastructure sectors are understood broadly and include "commercial facilities," "communications," "financial services," "healthcare and public health," "information technology," and "transportation systems," among others. Accordingly, the CISA proposed regulations appear to apply to all non-small businesses in those broad sectors. Numerous companies and industry groups have encouraged CISA to limit the scope of covered entities and covered incidents, both in response to a CISA-issued request for information (RFI) in September 2022 and following publication of the proposed rules in 2024. The CISA regulations are due to be finalized by October 2025.
Multiple lawmakers and witnesses added to these criticisms during the March 11 hearing. For instance, subcommittee chair Andrew Garbarino (R-NY) stated that "the scope of the proposed CIRCIA rule went far beyond congressional intent," and ranking member Eric Swalwell (D-CA) expressed frustration that CISA did not incorporate feedback from the private sector collected in response to the RFI. Rep. Swalwell encouraged CISA to "work quickly to reengage with the private sector and refine the scope of" the regulations. Other criticisms focused on issues such as the potential compliance burdens that the regulations will place on companies precisely at the time they are strained to respond to a serious cybersecurity attack or other incident.
Criticisms of the SEC's Material Cybersecurity Incident Disclosure Rule
Although CISA's regulations received much of the attention during the hearing, lawmakers also were critical of the SEC's Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule (the SEC Rule). The SEC Rule, which was published in 2023, requires public companies to disclose "material" cybersecurity incidents on Form 8-K within four business days of determining their materiality. The SEC Rule also has been the subject of substantial criticism, including claims that it has caused companies to overreport non-material cybersecurity incidents in an abundance of caution. The SEC's Division of Corporation Finance eventually issued guidance directing companies to use a different part of Form 8-K if they chose to report incidents they had not yet determined to be material or wanted to voluntarily disclose an immaterial incident.
Criticisms of the SEC Rule at the March 11 hearing focused on the potential for companies to disclose sensitive information about cybersecurity vulnerabilities and incidents to comply with the rule. Rep. Mark Green (R-TN) and an industry group witness criticized the SEC Rule on these grounds, stating that adversaries are carefully monitoring disclosed information and taking advantage of the transparency required by the rule.
Potential Implications and Next Steps
The rapidly proliferating set of federal cybersecurity reporting rules—and the need to harmonize those rules to reduce burdens on companies responding to serious incidents—is a known issue. CIRCIA established the Cybersecurity Incident Reporting Council (CIRC) "to coordinate, deconflict, and harmonize Federal incident reporting requirements," including CISA's regulations. CIRC issued a detailed report in 2023, which noted 52 cybersecurity reporting requirements either in effect or proposed at that time. The report made various recommendations to harmonize those requirements, including model definitions for reportable incidents and reporting timelines. Yet, numerous disparate reporting requirements have been proposed or finalized since publication of the CIRC report, including the Federal Trade Commission's breach reporting rule for financial institutions covered by the Safeguards Rule, the Federal Communications Commission's expanded data breach order, and proposed notification requirements for federal contractors.
Whether any changes to the CISA regulations, the SEC rule, or other cybersecurity reporting requirements will materialize remains to be seen. Even so, bipartisan criticism of those requirements during the March 11 hearing suggests that significant changes may be forthcoming. During the hearing, subcommittee chair Garbarino announced that "with the beginning of the new administration, we have an opportunity to reset the cyber regulatory regime once and for all."
The CISA proposal is subject to President Trump's January 20, 2025, memorandum directing all executive departments and agencies to implement a regulatory freeze. Under that memorandum, pending rules like the CISA regulations must be reviewed and approved by a political appointee before being finalized. The mounting criticisms of the CISA regulations may precipitate significant amendments, likely to limit the scope of covered entities and incidents.
When the SEC voted to finalize the SEC Rule in 2023, both Republican commissioners, Hester Peirce and Mark Uyeda, dissented (see Peirce's dissent here and Uyeda's dissent here). Both Peirce and Uyeda remain as commissioners, and Uyeda currently serves as acting chair. If Paul Atkins, President Trump's nominee for SEC chair, is confirmed by the Senate, the SEC may have the votes needed to significantly amend—or even rescind—the rule.
Looking Ahead
DWT's privacy and security team actively advises clients on compliance with cybersecurity reporting requirements across all industries and sectors. We will continue tracking these critical legislative and regulatory developments closely and provide timely guidance on navigating the evolving compliance landscape.