ABA urges Congress to overturn SEC cyber incident reporting rule

In a letter today to Senate leaders, the American Bankers Association expressed support for a Senate joint resolution expressing congressional disapproval of the Securities and Exchange Commission’s cyber incident disclosure rule, saying the requirement puts banks at risk of being targeted by criminals and other malicious actors.

The rule, which was adopted in July, requires businesses to publicly disclose a data breach or other cyber incident within four business days of determining whether the incident is material, unless the Justice Department determines that the disclosure would threaten national security or public safety. S.J. Res. 50, sponsored by Sen. Thom Tillis (R-N.C.), would overturn the rule if adopted by both houses of Congress and signed by the president.

ABA noted that banks are committed to protecting their customers from cyberattacks, and that they already must report cyber incidents to their primary regulators and notify customers. “Fighting cyberattacks is critically important, but the SEC’s cyber disclosure rule’s four-day reporting requirement requires an unnecessary and dangerous public identification of the business that’s been hacked, inviting other bad actors to target that business,” the association said. “This requirement would make critically sensitive information public before the problem is actually fixed, potentially interfering with efforts by law enforcement to stop attackers. Ultimately, this flawed public reporting requirement allows attackers to exploit a company’s cyber vulnerability, endangering investors and thwarting efforts to mitigate contagion risks.”