Banking groups ask SEC to drop cybersecurity incident disclosure rule

Major banking groups want the Securities and Exchange Commission to rescind a rule that requires public companies to report cybersecurity incidents to the public within four days.

American banking and financial industry advocacy groups have petitioned the Securities and Exchange Commission to repeal its cybersecurity incident public disclosure requirements.

Five US banking groups, led by the American Bankers Association, asked the regulator to remove its rule in a May 22 letter, arguing that disclosing cybersecurity incidents directly conflicts with confidential reporting requirements intended to protect critical infrastructure and warn potential victims.

The group, which also included the Securities Industry and Financial Markets Association, the Bank Policy Institute, Independent Community Bankers of America and the Institute of International Bankers, claimed that the rule compromises regulatory efforts to enhance national cybersecurity.

The SEC's Cybersecurity Risk Management rule, published in July 2023, requires companies to rapidly disclose cybersecurity incidents such as data breaches or hacks. However, the banking groups argue this rule was flawed from the start and has proven problematic in practice since taking effect.

The banking bodies said that the complex and narrow disclosure delay mechanism interferes with incident response and law enforcement and creates market confusion between mandatory and voluntary disclosures.

Public disclosure has also been weaponized as an extortion method by ransomware criminals to further malicious objectives, and premature disclosures worsen insurance and liability issues for companies and risk chilling candid internal communications and routine information sharing, the group claimed.

The groups specifically want Item 1.05 to be rescinded from the SEC's rules for Form 8-K reporting, and parallel reporting requirements applicable to Form 6-K.

Form 8-K is used to publicly notify investors in US public companies of specified events, including cybersecurity incidents, that may be important to shareholders or the SEC.

"Critically, without Item 1.05, investor interests will still be protected, and we believe they would be better served through the preexisting disclosure framework for reporting material information, which may include material cybersecurity incidents," the groups stated.

The full petition included examples of confusion from participants, specific incidents of ransomware attacks and documented regulatory conflicts.

The requirement also impacts publicly listed crypto companies such as Coinbase, which disclosed earlier this month that hackers had bribed its support staff to leak its user data.

The disclosure saw the company hit with at least seven lawsuits.

Coinbase said that it rejected a $20 million ransom demand after staff leaked user data in a major phishing attack, which the exchange said could cost it up to $400 million in damages.

If the SEC rescinds the requirement, it may give firms such as Coinbase more time to disclose cybersecurity incidents to the public.

Cointelegraph is committed to providing independent, high-quality journalism across the crypto, blockchain, AI, fintech and iGaming industries.