A coalition of American banking and financial industry advocacy groups has urged the Securities and Exchange Commission (SEC) to repeal its cybersecurity incident public disclosure requirements. The request was made in a letter dated May 22 and led by the American Bankers Association, with support from groups such as the Securities Industry and Financial Markets Association, the Bank Policy Institute, Independent Community Bankers of America, and the Institute of International Bankers.
The groups argue that the current SEC Cybersecurity Risk Management rule, which mandates the rapid disclosure of cybersecurity incidents like data breaches or hacks, conflicts with confidential reporting requirements aimed at safeguarding critical infrastructure and alerting potential victims. They claim that the rule has created challenges since its implementation in July 2023, citing issues such as interference with incident response and law enforcement, market confusion between mandatory and voluntary disclosures, and the exploitation of public disclosure as an extortion tactic by ransomware criminals.
Moreover, the banking groups express concerns that premature disclosures worsen insurance and liability problems for companies, potentially chilling internal communications and routine information sharing. They specifically target "Item 1.05" in the SEC's rules for Form 8-K reporting and parallel reporting requirements applicable to Form 6-K, which are used to notify investors of significant events, including cybersecurity incidents.
The coalition proposes that removing Item 1.05 would still protect investor interests, since existing disclosure frameworks already require the reporting of material information, including cybersecurity incidents. They argue that rescinding the requirement would give companies such as the publicly listed crypto exchange Coinbase, which recently faced lawsuits over a data breach involving a phishing attack, more time before they must disclose cybersecurity breaches to the public.
The petition to repeal the cybersecurity incident public disclosure requirements also includes examples of confusion among stakeholders, instances of ransomware attacks, and documented regulatory conflicts. The pushback against the SEC's rule highlights the complexities and challenges faced by companies in navigating cybersecurity incidents while balancing the need for transparency with concerns about confidentiality, market impact, and legal implications.
If the SEC heeds the coalition's request and revokes the cybersecurity incident public disclosure requirements, it could reshape how companies, including those in the crypto industry, handle and report cybersecurity breaches, giving them more flexibility in managing such incidents and their aftermath.