
3 Cyber Regulations Under Review by Trump Admin

IMAGE CREDITS: AFP VIA GETTY IMAGES

As the second Trump administration takes shape, federal cybersecurity regulations are under the microscope. With growing pressure from GOP lawmakers, three major cyber rules are poised for review—each with far-reaching implications for critical infrastructure, healthcare, and the financial sector.

CISA’s Incident Reporting Rule Faces GOP Pushback

The Cybersecurity and Infrastructure Security Agency (CISA) is preparing to finalize its rule under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). The proposed rule, released in April 2024, outlines how and when organizations across all 16 critical infrastructure sectors must report cyber incidents.

By law, CISA must finalize the regulation within 18 months of publishing the draft. However, GOP leaders argue that the rule, as written, could create excessive overlap with existing regulations and widen the scope of reporting far beyond what Congress initially intended. They warn that it risks burdening organizations with unnecessary compliance costs.

HIPAA Cybersecurity Update Could Be on the Chopping Block

The Department of Health and Human Services (HHS) rolled out long-awaited cybersecurity enhancements to HIPAA this January, aiming to set a stronger baseline for healthcare data protection. Ransomware attacks have increasingly targeted hospitals and healthcare providers, making cybersecurity in the sector more urgent than ever.

But now, under new Republican leadership, this rule could face delays or revisions. Lawmakers are raising concerns about the projected costs and questioning whether the rule duplicates existing protections rather than reinforcing them.

SEC’s Disclosure Rule Raises Industry Alarm Bells

While not explicitly mentioned in recent GOP correspondence, the Securities and Exchange Commission’s (SEC) 2023 cybersecurity rule is also under scrutiny. The rule mandates that public companies disclose significant cyber incidents to investors and detail their risk management practices in annual filings.

House Republicans have criticized the regulation for being vague and overly demanding. Rep. Mark Green (R-Tenn.), chair of the House Homeland Security Committee, argued that the rule’s ambiguous language and tight deadlines could shift companies’ focus from actual security to compliance paperwork.

“Conflicting standards like the SEC rule force companies to spend more time on disclosure than defense,” Green said during a hearing. “That makes us more vulnerable, not less.”

Call for Harmonization, Not Overload

On April 7, Republican committee chairs sent a letter to Office of Management and Budget (OMB) Director Russell Vought, urging the administration to take immediate action. They called for a full review of the existing federal cybersecurity regulatory landscape, focusing on eliminating overlap and finding opportunities for streamlined compliance.

They emphasized the need for reciprocity between agencies and warned that the current patchwork of cyber regulations weakens national security by overwhelming organizations with conflicting demands.

“Cutting the regulatory clutter is the most cost-effective way to make our critical infrastructure safer,” the letter reads. Lawmakers also demanded an OMB briefing by the end of the month to track progress on these efforts.

What Comes Next?

The Senate recently confirmed Paul Atkins—Trump’s pick to lead the SEC—as chairman. While Atkins hasn’t publicly commented on the cybersecurity rule, critics expect him to downplay enforcement.

John Reed Stark, a former SEC official and outspoken critic of the 2023 rule, predicts Atkins will reallocate resources away from well-meaning firms that suffer cyber incidents. Instead, enforcement will likely focus on cases involving fraud or material nondisclosure.

With Trump allies now poised to shape cybersecurity policy, the future of federal regulations remains uncertain. One thing is clear: the push for regulatory harmonization is gaining steam, and industry leaders should brace for a potential shakeup.
