Petition for Rulemaking on the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule (Joint Trades) - SIFMA

SIFMA, The American Bankers Association (ABA), Bank Policy Institute (BPI), Independent Community Bankers of America (ICBA), and Institute of International Bankers (IIB) respectfully petition the Securities and Exchange Commission (SEC), pursuant to Rule 192 of the SEC's Rules of Practice, for a rulemaking to amend the SEC's Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

22 May 2025

Via Electronic Mail

Ms. Vanessa Countryman
Secretary
U.S. Securities and Exchange Commission
100 F Street NE
Washington, DC 20549

Re: Petition for Rulemaking on the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule

Dear Ms. Countryman:

The American Bankers Association,[1] Bank Policy Institute,[2] Securities Industry and Financial Markets Association,[3] Independent Community Bankers of America,[4] and Institute of International Bankers[5] respectfully petition the Securities and Exchange Commission, pursuant to Rule 192 of the SEC's Rules of Practice,[6] for a rulemaking to amend the SEC's Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule. When the rule was first proposed and enacted, concerns that the SEC had exceeded its authority and expertise, and that the rule was deeply flawed, were raised by the dissenting commissioners, by Congress, and by businesses across multiple sectors, including the financial services industry.[7] While we continue to have significant concerns regarding the rule as a whole (including the requirements of Regulation S-K Item 106 relating to cybersecurity risk management, strategy, and governance disclosures), we believe the most urgent and problematic aspects are the cybersecurity incident disclosure mandates under Form 8-K Item 1.05 for domestic issuers and under Form 6-K for foreign private issuers, both of which require rapid, often premature, disclosure of material cybersecurity incidents. These requirements impose additional risks, cost, and complexity on SEC registrants, undermining the SEC's mission to facilitate capital formation, while also failing to generate the type of decision-useful information which would advance the SEC's mission to protect investors. Accordingly, this petition requests the rescission of both Form 8-K Item 1.05 and the corresponding Form 6-K requirements.[8]

In the year and a half since Item 1.05 became effective, the fears expressed by industry have manifested.

The SEC previously expressed that it was not persuaded that the risks relating to Item 1.05 identified by industry would come to pass. The staff of the SEC has since found it necessary to create a patchwork of guidance and comment letters in an attempt to address these risks. We continue to believe that Item 1.05 was flawed in its conception and request that the SEC review the record and reconsider.

We respectfully request that the SEC rescind Item 1.05 because: (1) publicly disclosing cybersecurity incidents directly conflicts with confidential reporting requirements intended to protect critical infrastructure and warn potential victims, thereby compromising coordinated regulatory efforts to enhance national cybersecurity; (2) the complex and narrow disclosure delay mechanism interferes with incident response and law enforcement investigations; (3) it has created market confusion and uncertainty as companies struggle to distinguish between mandatory and voluntary disclosures; (4) the incident disclosure requirement has been weaponized as an extortion method by ransomware criminals to further malicious objectives and may subject disclosing companies to additional cybersecurity threats; (5) insurance and liability implications of premature disclosures can exacerbate financial and operational harm to registrants; and (6) the public disclosure requirement risks chilling candid internal communications and routine information sharing.

Critically, without Item 1.05, investor interests will still be protected, and we believe they would be better served through the pre-existing disclosure framework for reporting material information, which may include material cybersecurity incidents, while better mitigating the concerns raised above.
