
Industry groups call on SEC to ditch cyber disclosure rule

A coalition of US financial trade associations are calling on the Securities and Exchange Commission to rescind its cyber incident disclosure rule, claiming that it endangers victims.


Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

The rule, which came into force two years ago, requires public companies to disclose material cyber incidents within four business days. At the time, then SEC chair Gary Gensler said the rule would "benefit investors, companies, and the markets connecting them".

However, industry players have chafed at the added cost and complexity of the rule, prompting the Bank Policy Institute, American Bankers Association, Independent Community Bankers of America, Institute of International Bankers, and Securities Industry and Financial Markets Association to file a petition.

Contrary to protecting firms and investors, the rule puts cyberattack victims at greater risk and undermines the SEC’s primary goal of protecting investors, say the associations.

By requiring public companies to prematurely disclose breaches before the vulnerability has been remediated, the SEC risks further harming victims, they say. The rule also puts a strain on national security and law enforcement resources, creates market confusion, and chills internal communications.

In addition, the petition argues that the rule actually gives ransomware groups a tool to extort victims, citing the example of the AlphV gang reporting its own victim, MeridianLink, to the SEC as a ransom payment extortion tactic.

“These requirements impose additional risks, cost and complexity on SEC registrants, undermining the SEC’s mission to facilitate capital formation, while also failing to generate the type of decision-useful information which would advance the SEC’s mission to protect investors,” write the groups.
