Washington, D.C. — The Bank Policy Institute reiterated comments late yesterday to the SEC concerning its efforts to give investors more transparency into a company’s cybersecurity risk and incident response practices. Since 2022 the SEC has proposed five separate rules that would require companies to inform investors of their cybersecurity risk management practices and enhance consumer protections. BPI’s response calls on the SEC to consider these proposals alongside existing rules and regulations and to adopt amendments that would enhance overall security.
“BPI supports investor transparency and is committed to collaborating with the SEC to reach a solution that preserves sound cybersecurity and risk-management practices,” stated Heather Hogsett, senior vice president, technology and risk strategy for BITS — the technology policy division of BPI. “It is incumbent upon the SEC to acknowledge that premature incident disclosure may harm investors, and the Commission should collaborate with other government partners to enhance security and resiliency.”
BPI’s letter specifically calls on the SEC to:
- Harmonize proposed regulations. The SEC should consider its proposed cyber disclosure rules collectively and with financial institutions’ other federal and state obligations in mind. Failure to harmonize these regulations could result in duplicative or conflicting reporting requirements that interfere with incident response operations and tie up resources without added benefit.
- Prevent follow-on exploitation caused by disclosing too soon. The SEC must carefully consider the potential dangers of requiring companies to disclose material cyber incidents before they are contained and the underlying weakness is remediated. Such disclosure would exacerbate cyber incidents by publicizing a company’s vulnerabilities to sophisticated cyber adversaries, including nation-state actors. Disclosing an actively exploited vulnerability also endangers the broader economy by allowing illicit actors to target other similarly situated companies across industries, as witnessed in the December 2021 Log4j event. Instead, the SEC should consider, in coordination with CISA and the FBI, a mechanism that allows companies to delay disclosure while a vulnerability remains unremediated and thereby prevent its widespread exploitation.
Financial institutions are among the nation’s most regulated industries and have complied with cyber risk management, incident reporting and notification requirements for 20 years. These requirements include the Gramm-Leach-Bliley Act, the prudential financial regulators’ Computer-Security Incident Notification Rule, the New York Department of Financial Services Cybersecurity Regulation and state data breach notification laws. Financial institutions will also soon be required to comply with the Cyber Incident Reporting for Critical Infrastructure Act. The changes proposed in yesterday’s letter and in BPI’s April 2022 letter would further enhance information sharing, improve public-private collaboration and lead to a stronger national cyber defense.
About Bank Policy Institute
The Bank Policy Institute (BPI) is a nonpartisan public policy, research and advocacy group, representing the nation’s leading banks and their customers. Our members include universal banks, regional banks and the major foreign banks doing business in the United States. Collectively, they employ almost 2 million Americans, make nearly half of the nation’s small business loans, and are an engine for financial innovation and economic growth.