Ladies and Gentlemen:
The Bank Policy Institute (“BPI”), the American Bankers Association (“ABA”), the Independent Community Bankers of America (“ICBA”) and the Mid-Size Bank Coalition of America (“MBCA”) (collectively, the “Associations”), appreciate the opportunity to comment on the notice of proposed rulemaking (the “Proposed Rules”)  issued by the U.S. Securities and Exchange Commission (the “Commission”) for registrants regarding disclosure of material cybersecurity incidents, as well as cybersecurity risk management, strategy, and governance.
As the Commission is aware, the Proposed Rules and other new, federal notification requirements follow a series of cybersecurity attacks in the past two years that have harmed the U.S. public and private sectors. With respect to financial institutions, cybersecurity threats and incidents may endanger not only individual banks and their shareholders but also consumers, as well as the stability of U.S. financial markets.  For this reason, the Cybersecurity and Infrastructure Security Agency (“CISA”) has designated the financial services sector a “critical infrastructure” sector and “a vital component of our nation’s critical infrastructure.”  As designated by CISA, the sector includes “thousands of depository institutions, providers of investment products, insurance companies, other credit and financing organizations, and the providers of the critical financial utilities and services that support these functions,” including our members.
To read the full comment letter, click here, or click on the download button below.
 Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, 87 Fed. Reg. 16590 (Mar. 23, 2022) (to be codified at 17 C.F.R. pt. 229, 232, 239, 240, and 249).
 BPI is a nonpartisan group representing the nation’s leading banks. BPI members include universal banks, regional banks, and the major foreign banks doing business in the United States. Collectively, BPI members hold $10.7 trillion in deposits in the United States; make 68% of all loans, including trillions of dollars in funding for small businesses and household mortgages, credit cards, and auto loans; employ nearly two million Americans; and serve as a principal engine for the nation’s financial innovation and economic growth. Business, Innovation, Technology and Security (“BITS”), BPI’s technology policy division, provides an executive-level forum to discuss and promote current and emerging technology, foster innovation, reduce fraud, and improve cybersecurity and risk management practices for the financial sector.
ABA is the voice of the nation’s $23.3 trillion banking industry, which is composed of small, regional and large banks that together employ millions of people, safeguard $19.2 trillion in deposits and extend nearly $11 trillion in loans.
ICBA creates and promotes an environment where community banks flourish. ICBA is dedicated exclusively to representing the interests of the community banking industry and its membership through effective advocacy, best-in-class education, and high-quality products and services. With nearly 50,000 locations nationwide, community banks constitute roughly 99% of all banks, employ nearly 700,000 Americans and are the only physical banking presence in one in three U.S. counties. Holding nearly $5.9 trillion in assets, over $4.9 trillion in deposits, and more than $3.5 trillion in loans to consumers, small businesses and the agricultural community, community banks channel local deposits into the Main Streets and neighborhoods they serve, spurring job creation, fostering innovation, and fueling their customers’ dreams in communities throughout America. For more information, visit ICBA’s website at www.icba.org.
Across the country, mid-size banks are providing financial solutions to entrepreneurs, professionals, their businesses and their families. Mid-size banks fuel their growth and build stronger connections to the communities in which they operate. MBCA is proud to be their voice and their self-help network. MBCA’s member banks average less than $20 billion in size and serve customers and communities through more than 10,000 branches in all 50 states, the District of Columbia, and three U.S. territories.
 See, e.g., SEC, In the Matter of Certain Cybersecurity-Related Events (HO-14225) FAQs, available at https://www.sec.gov/enforce/certain-cybersecurity-related-events-faqs (describing a cyberattack on SolarWinds Corp.).
 See 87 Fed. Reg. at 16592 (“With an increase in the prevalence of cybersecurity incidents, there is an increased risk of the effect of cybersecurity incidents on the economy and registrants. Large scale cybersecurity attacks can have systemic effects on the economy as a whole, including serious effects on critical infrastructure and national security.”).