US Banks Advocate for Repeal of Cyber Disclosure Regulation


The US banking sector is actively seeking the revocation of a recent rule from the US Securities and Exchange Commission (SEC) regarding the reporting of cyber incidents. The coalition advocating for this repeal includes prominent organizations such as the American Bankers Association (ABA), the Bank Policy Institute (BPI), the Securities Industry and Financial Markets Association (SIFMA), the Independent Community Bankers of America (ICBA), and the Institute of International Bankers (IIB).

The rule in question, formally titled the “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule,” was adopted by the SEC in July 2023. It requires public companies to disclose material cybersecurity incidents within four business days of determining that an incident is material (the clock starts at the materiality determination, not at discovery of the incident). The disclosure must describe the incident’s nature, scope and timing, and its material impact or reasonably likely material impact on the company.

The regulation adds the incident-disclosure item to Form 8-K for domestic registrants and to Form 6-K for foreign private issuers. It also requires registrants to describe, in their annual reports, their processes for managing cybersecurity risk, their cybersecurity strategy, and the role of management and the board in overseeing that risk.

Disclosure Complexity and Compliance Challenges

In a petition submitted on May 22, banking associations assert that the rule complicates incident reporting and places undue strain on their resources. The BPI articulated concerns, stating, “This rule adds new disclosure requirements to an already complex array of reporting obligations that financial institutions and other critical infrastructure organizations must adhere to.”

The Department of Homeland Security has indicated that there are 45 separate federal cyber incident reporting requirements spread across 22 federal agencies, further complicating compliance for organizations.

Moreover, the coalition pointed out several instances where companies faced pressure to disclose incidents prematurely. The petition highlights situations where registrants were compelled to reveal incidents while investigations were not yet complete.

The new rule has drawn criticism for introducing further compliance uncertainties for registrants and their stakeholders. Despite the SEC’s efforts to clarify the regulation through various interpretations and statements, many stakeholders continue to find the requirements ambiguous.

Lastly, the banking associations contend that the rule increases risk rather than reducing it, citing instances in which ransomware groups have used the SEC’s disclosure requirements as leverage, threatening to report a victim’s non-disclosure in order to intensify pressure during extortion.

Following unsuccessful lobbying efforts to prevent the rule’s implementation and a request for a 12-month compliance extension, the associations are now advocating for the SEC to rescind the rule—or, at the very least, omit Item 1.05 from Form 8-K and its corresponding amendment in Form 6-K.