FAH Hospital Policy Blog

Perspectives on health policy affecting America's hospitals and the patients we serve.

FAH Policy Blog Team

FAH Urges Simplification of SEC Cybersecurity Proposed Rule

Today FAH submitted comments to the Securities and Exchange Commission (SEC) regarding its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Proposed Rule. FAH comments emphasized that our registrant members greatly value transparency to guide investors’ practical decision-making, but noted that a perceived enhancement of such transparency cannot come at the cost of safety and security to patients and vital health care infrastructure, as well as national security. Further, the comments noted that the SEC’s 2018 interpretive guidance provides adequate cybersecurity reporting obligations, including the appropriate provision of information to investors, and urged that if the SEC engages in continued rulemaking, it should collaborate with cybersecurity industry participants and other federal agencies and significantly narrow its proposed reporting requirement. For example, FAH comments recommended that the SEC (i) provide a carve-out for entities subject to compliance with HIPAA or other laws imposing similar reporting of cybersecurity incidents; (ii) tie the incident disclosure trigger to a reasonable number of days following remediation of a material event; (iii) align the ability to delay disclosure of incidents in circumstances allowed under existing state and federal law; and (iv) reduce an organization’s obligation to disclose particulars of its cybersecurity risk management strategy and governance so as not to aid bad actors in targeting and attacking registrants on the basis of such disclosures. You can read the entire comment letter here.