In a coordinated move, five major U.S. banking and financial industry groups, led by the American Bankers Association (ABA), have petitioned the Securities and Exchange Commission (SEC) to rescind its cybersecurity incident disclosure rule. This rule, adopted in July 2023, mandates that public companies disclose material cybersecurity incidents, such as data breaches or hacks, within four business days of determining their materiality.
The banking groups argue that the rule is fundamentally flawed and has proven problematic in practice. They contend that the requirement for rapid public disclosure conflicts with existing confidential reporting protocols designed to protect critical infrastructure and warn potential victims. According to the groups, this conflict undermines broader regulatory efforts to enhance national cybersecurity.
They highlight several concerns: the rule’s narrow and complex disclosure delay mechanism interferes with effective incident response and law enforcement efforts, creates market confusion between mandatory and voluntary disclosures, and chills candid internal communications due to litigation fears. Moreover, the groups warn that the rule has been weaponized by ransomware criminals, who have reportedly exploited the disclosure requirements to extort victims by reporting their own attacks to the SEC.
Specifically, the groups seek the removal of “Item 1.05” from the SEC’s Form 8-K reporting requirements, which currently compels rapid disclosure of material cyber incidents. They argue that without Item 1.05, investor interests would still be protected through the existing framework for reporting material information, including cybersecurity issues, but with greater flexibility and less risk to incident management.
The petition underscores that premature disclosures can exacerbate insurance and liability challenges for companies and hinder routine information sharing critical to cybersecurity defense. The groups include not only the ABA but also the Securities Industry and Financial Markets Association, the Bank Policy Institute, Independent Community Bankers of America, and the Institute of International Bankers.
This collective appeal reflects industry concerns that the SEC’s rule, while aiming to protect investors, may inadvertently increase risks for companies and national security by forcing disclosures that could be exploited by malicious actors and complicate coordinated responses to cyber threats.
It's me, @justmythoughts, an ordinary Hive user looking to make the most of the platform. I will appreciate your support. Follow me for more. Thanks, Gracias :)