Advocacy organizations within the American banking and finance sector have urged the Securities and Exchange Commission to annul its requirements for public disclosure of cybersecurity incidents.
On May 22, five United States banking associations, spearheaded by the American Bankers Association, asked the regulator in a letter to eliminate its mandate, asserting that revealing cybersecurity incidents “conflicts directly with confidential reporting requirements designed to safeguard critical infrastructure and alert potential victims.”
Included in this coalition are the Securities Industry and Financial Markets Association, the Bank Policy Institute, Independent Community Bankers of America, and the Institute of International Bankers, all of whom contended that the regulation undermines regulatory initiatives aimed at bolstering national cybersecurity.
The SEC’s Cybersecurity Risk Management rule, released in July 2023, mandates that companies swiftly disclose cybersecurity incidents like data breaches or hacks. Nonetheless, the banking associations argue that this regulation was flawed from inception and has proved problematic since its implementation.
The banking entities stated that the “complex and restrictive disclosure delay mechanism” hampers incident responses and law enforcement, leading to “market confusion” between obligatory and voluntary disclosures.
Furthermore, public disclosure has been “exploited as a tactic of extortion by ransomware offenders to advance malicious aims,” and hasty disclosures exacerbate insurance and liability challenges for firms while “posing risks to honest internal dialogue and routine information sharing,” asserted the coalition.
The organizations specifically seek the withdrawal of “Item 1.05” from the SEC’s regulations for Form 8-K reporting and associated reporting stipulations relevant to Form 6-K.
Form 8-K serves to publicly inform investors in US public corporations of specified occurrences, including cybersecurity events, that may be significant to shareholders or the SEC.
“Importantly, without Item 1.05, investor interests will still be safeguarded, and we believe they would be more effectively served through the pre-existing disclosure system for reporting material information, potentially encompassing substantial cybersecurity incidents,” the stakeholders stated.
The complete petition included instances of confusion from participants, specific ransomware attack incidents, and documented clashes with regulations.
Public crypto companies affected
This requirement also influences publicly traded crypto firms like Coinbase, which revealed earlier this month that hackers had bribed its support personnel to disclose its user information.
This revelation resulted in the company facing at least seven lawsuits stemming from the incident.
Coinbase indicated that it declined a $20 million ransom demand after staff exposed user data during a significant phishing attack, which the exchange estimated could cost it as much as $400 million in damages.
If the SEC revokes the mandate, it may afford firms like Coinbase additional time to inform the public regarding cybersecurity incidents.
