Did The SEC Violate The APA In Publishing Its Statement And Guidance on Cybersecurity Disclosures?

The federal Administrative Procedure Act is both straightforward and general.  It defines a "rule" as "the whole or a part of an agency statement of general or particular applicability and future effect designed to implement, interpret, or prescribe law or policy or describing the organization, procedure, or practice requirements of an agency and includes the approval or prescription for the future of rates, wages, corporate or financial structures or reorganizations thereof, prices, facilities, appliances, services or allowances therefor or of valuations, costs, or accounting, or practices bearing on any of the foregoing."  5 U.S.C. § 551(4).  When an agency engages in "rule making" (i.e., formulating, amending or repealing a "rule"), the APA generally requires that the agency provide the public with notice and an opportunity to comment.  5 U.S.C. § 553.

Rule making under the APA, however, can be both difficult and time-consuming.  Thus, many agencies try to avoid the process by issuing informal statements or guidance, as the SEC did earlier this week when it issued its Statement and Guidance on Public Company Cybersecurity Disclosures.  The APA does explicitly except "interpretative rules, general statements of policy, or rules of agency organization, procedure, or practice" from notice and comment.  5 U.S.C. § 553(b)(A).  The question, then, is whether the SEC's statement falls within that statutory exception.  Undoubtedly, the SEC believes that it does.  However, that belief comes with a price that practitioners would do well to remember: "Interpretive rules 'do not have the force and effect of law and are not accorded that weight in the adjudicatory process.'"  Perez v. Mortg. Bankers Ass'n, 135 S. Ct. 1199, 1204 (2015) (quoting Shalala v. Guernsey Memorial Hospital, 514 U.S. 87, 99 (1995)).

Even if not subject to the APA's notice and comment requirements, the SEC's guidance would appear to be a "rule" as defined in President Trump's "1-for-2" Executive Order (Executive Order 13771).  That executive order defines a "rule" to include, with certain exceptions, "an agency statement of general or particular applicability and future effect designed to implement, interpret, or prescribe law or policy or to describe the procedure or practice requirements of an agency".

The SEC's statement may also be subject to the Congressional Review Act of 1996, which requires all federal agencies, including independent regulatory agencies, to submit a report on each new rule to both Houses of Congress and to the Comptroller General before the rule can take effect.  The U.S. Government Accountability Office has concluded that a general statement of policy is a rule under the CRA.