Supreme Court Ruling on Chevron Doctrine Could Destroy Future Cybersecurity Regulations

Friday’s decision by the U.S. Supreme Court overthrow the Chevron doctrine could have serious implications for cybersecurity regulation at a time when federal agencies have introduced significant requirements to strengthen incident reporting and meet baseline security standards.

The ruling will likely lead to new legal challenges to recent cybersecurity regulatory measures, including cyber incident reporting requirements imposed on the Securities and Exchange Commission in 2023. Cybersecurity Policy and Law Center.

The Supreme Court ruling could also affect rulemaking for the Cyber ​​Incident Reporting for Critical Infrastructure Act, as defined by the CCPL. Officials see the potential for the ruling to affect baseline requirements for the health care industry or future efforts by the Environmental Protection Agency to mandate cybersecurity regulations for drinking water and wastewater treatment plants.

The Chevron doctrine originates from a 1984 case, Chevron USA v. the National Resources Defense Council, which established the precedent that courts should defer to the expertise of federal agencies in interpreting ambiguities in a statute.

The Supreme Court ruling concerned Loper Bright Enterprises v. Raimondo and a second case, Relentless v. Department of Commerce.

This The U.S. Chamber of Commerce called the Supreme Court ruling “a significant course correction” that will help create a more stable and predictable business environment.

SEC Cyber ​​Rules in Hot Seat

SEC rules passed in 2023 require publicly traded companies to report cybersecurity incidents to the agency within four business days of determining their significance. Companies must submit annual updates that outline their cyber risk mitigation strategies.

In October, the SEC also filed a lawsuit against SolarWinds alleging that the company and its CISO defrauded investors by failing to disclose true cybersecurity risks, leading to supply chain breaches in 2020 by state-linked hackers.

This Chamber of Commerce and Business Round Table filed a memorandum in the SolarWinds case, arguing that the SEC had expanded its authority in the case far beyond Congress’s original intent.

Legal and cybersecurity experts are still assessing what impact the Chevron Doctrine ruling will have on future regulation. But Brandon Pugh, director of cybersecurity and emerging threats at the R Street Institute, said the ruling will force federal officials to rethink their approach to future cyber regulations to ensure they don’t create an overly burdensome environment for critical infrastructure and industry partners.

“I think it might cause agencies to think about their legal justification and perhaps ask Congress for more authority in cases of ambiguity,” Pugh said in an interview.

Representatives from the SEC and the Office of the National Cybersecurity Director declined to comment on the matter.