Washington, D.C. — The Securities and Exchange Commission finalized a rule today that requires public companies to notify investors when a cybersecurity incident has occurred, even if that incident is ongoing and exposes potential vulnerabilities at other companies or sectors. Heather Hogsett, senior vice president, technology and risk strategy for BITS — the technology policy division of BPI — issued the following statement:
The SEC’s cyber disclosure rule risks harming the very investors it purports to protect by prematurely publicizing a company’s vulnerabilities. No reasonable investor would want premature disclosure of a cyber event to malicious actors or a hostile nation-state, which could exacerbate security risks and create a recipe for disaster the next time a major cyber incident occurs.
Since 2022, the SEC has proposed five separate rules to require companies to inform investors of their cybersecurity risk management practices. BPI has previously called upon the SEC to:
- Coordinate with law enforcement and other stakeholders: There should be a mechanism that gives companies, in coordination with law enforcement and other regulators, the flexibility to delay disclosures, focus resources on remediation and prevent widespread exploitation of an ongoing vulnerability.
- Harmonize this new rule with existing disclosure requirements: Financial institutions — unlike other industries — must adhere to a long list of other federal and state obligations. These regulations include the Gramm-Leach-Bliley Act, the prudential financial regulators’ Computer-Security Incident Notification Rule, the New York Department of Financial Services Cybersecurity Regulation and other state-specific requirements. Financial institutions will also soon be required to comply with the Cyber Incident Reporting for Critical Infrastructure Act.
Banks are leaders in cybersecurity and have a long history of working across the industry and with the government to better protect consumers. Learn more about some of the other ways that banks are working to protect their customers:
- Financial Services Information Sharing and Analysis Center – shares cyber threat information across the industry with more than 5,000 members, helping firms better protect themselves against attacks
- Financial Services Sector Coordinating Council – strengthens the resiliency of the financial sector against cyber-attacks and other threats by promoting protection, driving preparedness, collaborating with government partners and regulators, and coordinating crisis response
- Analysis and Resilience Center for Systemic Risk – works to mitigate systemic risk to the nation’s most critical financial infrastructure and facilitate operational collaboration between firms and the U.S. government
- Cyber Risk Institute – enhances and maintains the Financial Services Profile, the benchmark for cybersecurity and resiliency in the financial services industry
- Early Warning Services – provides network intelligence to help banks prevent identity theft and fraudulent account opening and safely facilitate faster payments
- Sheltered Harbor – provides financial institutions with a standardized approach to securely store and restore customer account data in the event of a disaster
- fTLD – provides enhanced and secure website domain services for banks and insurance companies
About Bank Policy Institute
The Bank Policy Institute (BPI) is a nonpartisan public policy, research and advocacy group, representing the nation’s leading banks and their customers. Our members include universal banks, regional banks and the major foreign banks doing business in the United States. Collectively, they employ almost 2 million Americans, make nearly half of the nation’s small business loans, and are an engine for financial innovation and economic growth.