WASHINGTON—The American Bankers Association, along with the Bank Policy Institute and three other industry groups, urged the Securities and Exchange Commission this week to withdraw its cyber incident disclosure rule, arguing that it increases the risks for companies targeted by cyberattacks, the ABA Banking Journal reported.
The rule, adopted last year, mandates that companies publicly disclose a data breach or other cyber incident within four business days of determining it is material—unless the Justice Department deems that disclosure would pose a threat to national security or public safety. In their letter, the associations expressed multiple concerns, including that the rule may force public companies to disclose cyber incidents prematurely, even when the exploited vulnerability remains unpatched and the threat is ongoing, ABA Banking Journal said.
In addition, the associations said the rule gives ransomware criminals another tool for extortion, with at least one ransomware group reporting its own victim to the SEC. They also said it strains national security and law enforcement resources, creates market confusion and chills international communications as employees fear what they say may create litigation risk, ABA Banking Journal said.
“These requirements impose additional risks, cost, and complexity on SEC registrants, undermining the SEC’s mission to facilitate capital formation, while also failing to generate the type of decision-useful information which would advance the SEC’s mission to protect investors,” the associations said.