- US banks are pushing back against a cyberattack disclosure rule
- The banks say its adds complexity and strain to their systems
- Banks especially don’t want to disclose ongoing cyberattacks
A group of US banks is pushing back against a recent US Securities and Exchange Commission (SEC) ruling which requires public companies, including banks, to disclose cyber attacks.
The banks argue that the ruling adds unnecessary strain and complexity to their operation, and potentially requires the disclosure of cyber incidents before internal investigations have been completed, and the scope of the damage assessed.
The group’s members include the American Bankers Association (ABA), the Bank Policy Institute (BPI), the Securities Industry and Financial Markets Association (SIFMA), the Independent Community Bankers of America (ICBA) and the Institute of International Bankers (IIB).
SEC and banks butt heads
The rule, known formally as the “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule”, was introduced in July 2023.
Not only does it outline disclosure procedures for cyber incidents, such as impact, timings and scope of the incident, but also requires public companies to provide a report on their cybersecurity risk management, strategy and governance practices each year.
A public statement issued by the Bank Policy Institute said, “This rule requires public companies to disclose material cyber incidents within four business days, adding to an already complex list of reporting and disclosure obligations that financial institutions and other critical infrastructure sector companies must follow. The Department of Homeland Security issued a report in 2023 identifying 45 different federal cyber incident reporting requirements, administered by 22 federal agencies.”
The banks also argue that the rule could apply additional pressure on banks and their customers during ransomware attacks, as the attackers could point out unfulfilled disclosures as a means of extortion.
The banking group lobbied against the rule in 2023, and requested a 12 month extension to data protection and cybersecurity amendments requirements.
Similarly in Australia, a new rule has come in to force that requires all organizations with an annual turnover of AUS $3m ($1.93M) to disclose ransomware payments within 72 hours, including amount, currency, and timings of communications with the attackers.
Leave a comment