Banking Bodies Lobby Against Cyberattack Disclosure Rule
Leading banking associations have called on the SEC to axe its controversial rule around the disclosure of cyberattacks
Written by Banking Exchange staff

A group of top US banking associations has joined forces to call on the Securities and Exchange Commission (SEC) to rescind its cyber incident disclosure rule, claiming the new rule puts companies that experience a cyberattack at even greater risk.
The American Bankers Association, Bank Policy Institute, Securities Industry and Financial Markets Association, Independent Community Bankers of America, and Institute of International Bankers penned a letter to SEC Secretary Vanessa Countryman, petitioning that the rule be axed due to a long list of concerns.
The rule, which was adopted last year, requires businesses to publicly disclose data breaches or other cyber incidents within four business days of determining whether the incident is material, unless the Justice Department determines that the disclosure would threaten national security or public safety.
“When the rule was first proposed and enacted, concerns that the SEC had exceeded its authority and expertise and that the rule was deeply flawed were raised by the dissenting commissioners, by Congress, and by businesses across multiple sectors, including the financial services industry,” the associations wrote.
They listed several concerns, but said the most significant was that the company and its customers may be put at further risk due to the potential for “rapid — often premature — disclosure”.
“These requirements impose additional risks, cost, and complexity on SEC registrants, undermining the SEC’s mission to facilitate capital formation, while also failing to generate the type of decision-useful information which would advance the SEC’s mission to protect investors,” the letter said.
The associations even claimed that the rule had been weaponized by hackers as an added layer to extortion “in multiple incidents”.
Other concerns included that the rule is unhelpful to investors, creates market confusion, and strains law enforcement resources.