A coalition of financial trade associations has called on the Securities and Exchange Commission (SEC) to rescind its cyber incident disclosure rule. The group, which includes the Bank Policy Institute, American Bankers Association, Independent Community Bankers of America, Institute of International Bankers, and Securities Industry and Financial Markets Association, argues that the rule endangers companies that fall victim to cyberattacks and undermines investor protection.
“These requirements impose additional risks, cost and complexity on SEC registrants, undermining the SEC’s mission to facilitate capital formation while also failing to generate the type of decision-useful information which would advance the SEC’s mission to protect investors,” the associations stated in their petition.
The rule mandates that public companies disclose material cyber incidents within four business days. Critics argue this could expose victims to further harm by requiring premature disclosure of incidents like data breaches or ongoing cyberattacks. They claim it gives ransomware criminals a tool for extortion, as evidenced when ransomware group AlphV reported its own victim, MeridianLink, to the SEC as a ransom tactic.
The coalition also contends that the rule strains national security and law enforcement resources due to complex exemption pathways, creates market confusion through unclear compliance expectations, and chills internal communication within companies that fear SEC investigations into their disclosure decisions.
The "Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule" was adopted by the SEC on July 26, 2023. The rule adds another layer to the existing reporting obligations faced by financial institutions and critical infrastructure sectors. A Department of Homeland Security report from 2023 identified 45 federal cyber incident reporting requirements across 22 agencies.
For further details or a copy of the letter submitted to the SEC, contact Austin Anton at Bank Policy Institute (austin.anton@bpi.com), Sarah Grano at American Bankers Association (sgrano@aba.com), Garrett Hawkins at Institute of International Bankers (ghawkins@iib.org), Nicole Swann at Independent Community Bankers of America (Nicole.Swann@icba.org), or Katrina Cavalli at Securities Industry and Financial Markets Association (kcavalli@sifma.org).
The involved organizations represent significant portions of the banking industry both domestically and internationally. They advocate for policies affecting cybersecurity among other issues impacting financial markets.