Associations Urge SEC to Eliminate or Narrow Cyber Disclosure Mandates

Commentary by Steven Lofchie
"Cybersecurity risks, like other risks, should be disclosed when they are material and in the context that is most meaningful to investors—such as disclosing material risk factors for a registrant’s business or the registrant’s governance and management oversight structures—not through a stand-alone, prescriptive disclosure requirement."
Financial Association's Joint Comment Letter

A group of financial associations urged the SEC to either rescind or significantly narrow SEC disclosure requirements on cybersecurity because they force companies to reveal sensitive operational details and prematurely disclose ongoing cyber incidents.

In a comment letter on reforms to Regulation S-K ("Standard instructions for filing forms") and, specifically, Item 106 ("Cybersecurity"), the American Bankers Association, Bank Policy Institute, SIFMA, the Independent Community Bankers of America, and the Institute of International Bankers (the "Associations") asserted that the requirement to disclose detailed cybersecurity risk management and governance practices should be eliminated entirely. The Associations claimed that the current mandate places an outsized weight on a single type of risk and forces companies to reveal operational details that could provide a roadmap for malicious acts. The Associations argued that this prescriptive approach conflicts with the administration's deregulatory agenda and the Commission's historical principles-based framework.

The Associations argued that the mandate for rapid public disclosure of material cybersecurity incidents must also be rescinded. The Associations stated that forcing companies to publicly report incidents within four business days interferes with active threat mitigation and provides limited time for assessment. They said that this premature disclosure requirement has caused widespread confusion, led to over-reporting of immaterial events, and has even been weaponized by cybercriminals for extortion.

The Associations stated that if the agency fails to rescind the mandates, the definitions and requirements of the rule should be significantly narrowed. They emphasized that any retained rules should focus strictly on material information rather than granular operational details. They also requested that if the disclosure requirements remain in place, the agency should provide an explicit safe harbor protecting forward-looking statements about the scope and impact of cyber incidents from liability. The Associations also noted that any regulatory changes should apply equally to foreign private issuers to ensure parity across all types of companies.

Commentary

The view under the prior administration that disclosure is virtually always a benefit fails to take into consideration that disclosure is both costly to provide and often results in injury to the entity making the disclosure that is not compensated by any market benefit.
