Bank Groups Urge SEC to Repeal Cybersecurity Disclosure Rule

Five major U.S. banking advocacy groups, led by the American Bankers Association, have urged the Securities and Exchange Commission (SEC) to repeal its cybersecurity incident disclosure rule in a May 22 letter.  

The groups, including the Securities Industry and Financial Markets Association, Bank Policy Institute, Independent Community Bankers of America, and Institute of International Bankers, argue that the rule undermines national cybersecurity efforts and conflicts with confidential reporting meant to safeguard critical infrastructure.

The SEC’s rule from July 2023 says companies must quickly tell the public about cybersecurity problems if they encounter data breaches or hacks. Banking groups say this rule is problematic because it makes it difficult to handle incidents and collaborate with law enforcement. The rule also confuses people about which disclosures are required and which are optional. Hence, it creates uncertainty in the market. 

The banking groups have also argued that ransomware criminals are utilizing public disclosures to extort companies, increasing liability and insurance challenges, and discouraging open internal communication.

The groups specifically target the removal of “Item 1.05” from the SEC’s Form 8-K reporting requirements, used to inform investors of significant events, and similar rules for Form 6-K. They assert that investor interests would be better protected under the prior framework, which required disclosing only material cybersecurity incidents.

The rule also affects publicly listed cryptocurrency companies like Coinbase, which recently faced seven lawsuits after disclosing a phishing attack where hackers bribed staff to leak user data. Coinbase, a cryptocurrency company, refused to pay hackers $20 million after they stole user data. This incident can cause the loss of up to $400 million to the company. 

If the SEC’s rule requiring quick public disclosure of such incidents is removed, companies like Coinbase could take more time to report these problems. Hence, this delay could reduce immediate public backlash and lawsuits. Banking groups say getting rid of the rule would help companies manage cybersecurity better while still protecting their investors.