Resolution to Overturn SEC Cyber Disclosure Rule Introduced
A joint resolution was introduced on November 14, 2023, by Representatives Andrew Garbarino (R-NY) in the House and Thom Tillis (R-NC) in the Senate that, if passed, would overturn the Securities and Exchange Commission’s (SEC) recent "Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure" final rules. ISC2 has previously expressed concerns over the new rules, particularly that they leave considerable ambiguity, especially regarding the definition and measure of risk, and that they do not make a definitive ruling on cybersecurity skills and experience requirements for public company boards. To be successful, both the House and Senate must vote to approve the resolution and the president must sign it. So far, during the current Executive administration, 7 CRA resolutions have been introduced; all have been vetoed. Members should periodically review incident reporting processes against the SEC ruling to understand in advance what materiality means for their organization, and factor incident risk reporting into their processes.