The American Bankers Association and a coalition of financial services groups yesterday called for extensive changes to a proposal by the Securities and Exchange Commission that would create new requirements for public companies regarding the disclosure of cybersecurity incidents. Among other things, the SEC would amend Form 8-K to require that registrants “disclose information about a material cybersecurity incident within four business days after the registrant determines that it has experienced a material cybersecurity incident.”
In particular, the groups called for changing the disclosure deadline to “four business days after the registrant has reasonably determined that the cybersecurity incident is no longer ongoing, and that public disclosure of the incident will not seriously jeopardize the security of the registrant,” emphasizing that the current proposal’s requirements lack “sufficient regard for the security risks and harms that such disclosures may pose in certain circumstances.”
They also urged the SEC not to require registrants to disclose information about remediation activities, including changes to cybersecurity policies and procedures; called for clarity around several definitions and other aspects of the proposal; and advocated for less prescriptive requirements. The groups also opposed a proposed requirement that registrants disclose the cybersecurity expertise of members of the board, noting that it “will have the effect of suggesting that boards without directors with such specific expertise are somehow deficient.”