Banking groups ask SEC to drop cybersecurity incident disclosure rule

Summary

American banking and financial industry advocacy groups have asked the Securities and Exchange Commission (SEC) to repeal its cybersecurity incident public disclosure requirements. Five banking groups, led by the American Bankers Association, argue that these disclosure rules conflict with confidential reporting requirements meant to protect critical infrastructure. They claim the SEC's Cybersecurity Risk Management rule, effective since July 2023, has proven problematic, creating confusion between mandatory and voluntary disclosures and interfering with incident response. The groups assert that public disclosure has been exploited by ransomware criminals and can worsen insurance and liability issues. They specifically seek the rescission of “Item 1.05” from SEC rules for Form 8-K reporting. The requirement also affects publicly listed crypto companies like Coinbase, which faced lawsuits after disclosing a data breach. Rescinding the requirement could allow firms more time to report cybersecurity incidents.
