Washington, D.C. — The American Bankers Association, Bank Policy Institute, Independent Community Bankers of America and Mid-Size Bank Coalition of America commented late yesterday on a U.S. Securities and Exchange Commission proposal that would implement new requirements for financial institutions to disclose material cyber incidents, as well as cybersecurity risk management, strategy and governance. The associations support the goals of the proposal and request that the SEC consider several changes to the disclosure timeline to encourage these activities without impeding active law enforcement investigations or introducing new threats that may hinder a bank’s ability to respond.
“We support the SEC’s efforts and recommend changes to the proposal that allow firms to prioritize remediation efforts while at the same time helping give investors more transparency around cybersecurity,” the associations stated. “The proposal should be amended to ensure that information provided to the public cannot be weaponized by malicious actors to further harm an institution or threaten the security of U.S. critical infrastructure.”
What are the associations requesting?
- Collaborate with key government agencies to consider delayed disclosure when warranted for law enforcement, national security or financial stability reasons. Certain information may be critical to an active investigation and may hinder law enforcement or national security efforts if disclosed prematurely. The SEC should permit the delay of disclosure at the request of the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Federal Reserve, the Attorney General, U.S. Attorneys or the Cybersecurity and Infrastructure Security Agency.
- Authorize more time to report when an incident is ongoing. Requiring the disclosure of an incident before it has been resolved could alert cybercriminals that a bank is aware of the attack, prompting the perpetrator to evade detection, or could, by its public nature, identify the institution as susceptible. This would make it harder for an institution to secure its systems and remediate the incident. The SEC should extend the current four-day reporting requirement to account for such scenarios.
- Align disclosures with existing business practices and narrow key definitions to obtain meaningful data. The current proposal requires a bank to disclose a material incident, and whether it has been remediated, within four business days. Remediation efforts could still be underway as front-line defenders work around the clock to address the incident, raising the potential for incomplete or inaccurate information being shared. Early reporting could compound an incident and lead to confusion and consumer uncertainty. Furthermore, the SEC should narrow some of its definitions to reduce the risk that overbroad definitions exhaust crucial resources or result in overreporting of incidents that may not necessarily constitute major events.
Notification. Reporting. Disclosure. What’s the difference?
The new disclosure requirements are in addition to existing incident notification and reporting obligations that banks must comply with in collaboration with federal regulators, law enforcement and CISA.
- Notification helps make regulators and law enforcement aware of ongoing incidents so that they can coordinate a multi-sector response.
- Incident reporting is a detailed after-action report to help the institution and regulators better understand the circumstances that led to the incident and to prevent future occurrences.
- Disclosure provides public transparency to investors so that they can make informed investment decisions.
About the American Bankers Association
The American Bankers Association is the voice of the nation’s $23.7 trillion banking industry, which is composed of small, regional and large banks that together employ more than 2 million people, safeguard $19.7 trillion in deposits and extend $11.2 trillion in loans.
About Bank Policy Institute
The Bank Policy Institute (BPI) is a nonpartisan public policy, research and advocacy group, representing the nation’s leading banks and their customers. Our members include universal banks, regional banks and the major foreign banks doing business in the United States. Collectively, they employ almost 2 million Americans, make nearly half of the nation’s small business loans, and are an engine for financial innovation and economic growth.
About Independent Community Bankers of America
The Independent Community Bankers of America® creates and promotes an environment where community banks flourish. With more than 50,000 locations nationwide, community banks constitute 99 percent of all banks, employ nearly 750,000 Americans and are the only physical banking presence in one in three U.S. counties. Holding more than $5 trillion in assets, nearly $4 trillion in deposits, and more than $3.4 trillion in loans to consumers, small businesses and the agricultural community, community banks channel local deposits into the Main Streets and neighborhoods they serve, spurring job creation, fostering innovation and fueling their customers’ dreams in communities throughout America. For more information, visit ICBA’s website at www.icba.org.
About the Mid-Size Bank Coalition of America
Across the country mid-size banks are providing financial solutions to entrepreneurs, professionals, their businesses and their families. Mid-size banks fuel their growth and build stronger connections to the communities in which they operate. The MBCA is proud to be their voice and their self-help network.