A group of financial services industry associations expressed support for a Securities and Exchange Commission (SEC) proposal implementing requirements for financial institutions to disclose material cyber incidents.
The Independent Community Bankers of America (ICBA), American Bankers Association (ABA), Bank Policy Institute, and Mid-Size Bank Coalition of America recently offered input on the proposal, addressing cybersecurity risk management, strategy, and governance.
“We support the SEC’s efforts and recommend changes to the proposal that allow firms to prioritize remediation efforts while at the same time helping give investors more transparency around cybersecurity,” the associations noted. “The proposal should be amended to ensure that information provided to the public cannot be weaponized by malicious actors to further harm an institution or threaten the security of U.S. critical infrastructure.”
The associations are requesting that the SEC consider a series of changes to the disclosure timeline to encourage activities without impeding active law enforcement investigations or introducing new threats that hinder a bank’s ability to respond.
The requests include collaborating with key government agencies to consider delayed disclosure when warranted for law enforcement, national security, or financial stability reasons; authorizing additional time to report when an incident is ongoing; and aligning disclosures with existing business practices and narrowing key definitions to obtain meaningful data.