The American Bankers Association this week joined the Bank Policy Institute and three other associations in calling on the Securities and Exchange Commission to rescind its cyber incident disclosure rule, which they said puts companies that fall victim to cyberattacks at greater risk.
The rule, which was adopted last year, requires public companies to disclose a data breach or other cyber incident within four business days of determining that the incident is material, unless the Justice Department determines that disclosure would pose a substantial risk to national security or public safety. In their letter, the associations raised several concerns, including that the rule forces public companies to disclose cyber incidents prematurely, even when the exploited vulnerability remains unremediated and the incident is still ongoing.
In addition, the associations said the rule gives ransomware criminals another tool for extortion, noting that at least one ransomware group has reported its own victim to the SEC for failing to disclose. They also said it strains national security and law enforcement resources, creates market confusion and chills internal communications, as employees fear that what they say may create litigation risk.
“These requirements impose additional risks, cost, and complexity on SEC registrants, undermining the SEC’s mission to facilitate capital formation, while also failing to generate the type of decision-useful information which would advance the SEC’s mission to protect investors,” the associations said.