Banking groups ask the SEC to rescind its cybersecurity incident disclosure rules.

CN
2 days ago

The American Bankers Association and financial industry associations have officially submitted a request to the Securities and Exchange Commission (SEC) to repeal its cybersecurity incident disclosure requirements.

In a joint letter dated May 22, five major banking groups led by the American Bankers Association urged regulators to withdraw the regulation, arguing that disclosing cybersecurity incidents "directly contradicts the confidential reporting mechanisms designed to protect critical infrastructure and warn potential victims."

This coalition includes the Securities Industry and Financial Markets Association, the Bank Policy Institute, the American Independent Community Bankers Association, and the International Bankers Association, all of which pointed out that the rule actually undermines the overall efforts of regulators to enhance national cybersecurity.

The SEC's Cybersecurity Risk Management Rule, issued in July 2023, requires companies to promptly disclose cybersecurity incidents such as data breaches or hacking. However, these banking groups contend that the rule is fundamentally flawed in its design and has revealed numerous issues during its implementation.

Banking institutions emphasized that the "complex and strictly limited disclosure delay mechanism" not only interferes with incident response and law enforcement efforts but also creates "market confusion" between mandatory and voluntary disclosures.

These groups further noted that public disclosure has been "exploited by ransomware criminals as a tool for extortion, furthering their malicious objectives," while premature disclosure exacerbates the insurance and legal liability issues faced by companies, and "may stifle open communication and routine information sharing within organizations."

Some statements and concerns from the banking groups regarding the regulation. Source: SIFMA

These groups specifically requested the removal of "Item 1.05" from the SEC's Form 8-K reporting rules and the parallel reporting requirements applicable to Form 6-K.

Form 8-K is a document used by U.S. publicly traded companies to disclose specific events to investors, including cybersecurity incidents that may be significant to shareholders or the SEC.

"It is crucial that even without Item 1.05, investor interests will still be protected, and we believe that the existing framework for significant information disclosure (which may include significant cybersecurity incidents) can better serve investor interests," the groups stated in their announcement.

The complete request includes examples of confusion encountered by participating institutions, specific ransomware attack incidents, and documented instances of regulatory conflicts.

This request also affects publicly traded cryptocurrency companies, such as Coinbase, which disclosed earlier this month that hackers had bribed its customer service personnel to leak user data.

This disclosure has led to at least seven lawsuits against the company.

Coinbase stated that after a significant phishing attack in which employees leaked user data, the exchange rejected a $20 million ransom demand, and said the incident could result in losses of up to $400 million.

If the SEC rescinds the requirement, it could provide companies like Coinbase with more time to disclose cybersecurity incidents to the public.


Original article: “Banking Groups Tell SEC to Drop Cybersecurity Incident Disclosure Rule”
