The American Bankers Association today joined four associations in providing recommendations for how the Securities and Exchange Commission could reform its regulations for cybersecurity disclosures by businesses.
SEC Chairman Paul Atkins in January issued a request for comment on reforming Regulation S-K’s cybersecurity disclosures. In a joint letter, ABA and the other associations had several suggestions:
- Rescind Item 106 of the regulation in its entirety, given that cybersecurity risks do not justify a departure from the SEC’s principles-based disclosure regime applicable to other risks.
- If Item 106 is not rescinded, amend it and related provisions to align the definition of “cybersecurity incident” to the impact-based standards used in the prudential banking agencies’ Computer-Security Incident Notification Rule, and to streamline the disclosure process.
- Rescind Form 8-K, Item 1.05 and the corresponding Form 6-K provision, and revert to the longstanding principles-based approach for incident disclosure under which material cybersecurity incidents can be appropriately disclosed.
- If Item 1.05, Item 106 and the corresponding reporting provisions are not rescinded, provide explicit safe harbor protection under Section 27A of the Securities Act and Section 21E of the Exchange Act for cybersecurity disclosures.