Joint Trades Letter to SEC on the Proposal re: Cyber Risk Management, Incident Reporting

Securities and Exchange Commission
100 F Street, NE
Washington, D.C. 20549-1090
Attn: Secretary, Securities and Exchange Commission

Ladies and Gentlemen:

The Bank Policy Institute (“BPI”), the American Bankers Association (“ABA”), the Independent Community Bankers of America (“ICBA”) and the Mid-Size Bank Coalition of America (“MBCA”) (collectively, the “Associations”), appreciate the opportunity to comment on the notice of proposed rulemaking (the “Proposed Rules”) issued by the U.S. Securities and Exchange Commission (the “Commission”) for registrants regarding disclosure of material cybersecurity incidents, as well as cybersecurity risk management, strategy, and governance.

As the Commission is aware, the Proposed Rules and other new, federal notification requirements follow a series of cybersecurity attacks in the past two years that have harmed the U.S. public and private sectors. With respect to financial institutions, cybersecurity threats and incidents may endanger not only individual banks and their shareholders but also consumers, as well as the stability of U.S. financial markets. For this reason, the Cybersecurity and Infrastructure Security Agency (“CISA”) has designated the financial services sector a “critical infrastructure” sector and “a vital component of our nation’s critical infrastructure.” As designated by CISA, the sector includes “thousands of depository institutions, providers of investment products, insurance companies, other credit and financing organizations, and the providers of the critical financial utilities and services that support these functions,” including our members.

While cybersecurity threats are a newer challenge for companies in many industries, U.S. banks have long been a target of malicious cyber actors, and accordingly have invested in robust and ever-evolving measures to prevent, detect, and respond to cyber threats. Banks are leaders in the private sector in developing, maintaining, and enhancing cyber defenses. The industry invests billions of dollars each year in cybersecurity, shares cyber threat intelligence through a pioneering model that has been replicated across industries, and employs thousands of cybersecurity professionals in its efforts to protect not only market participants, but U.S. depositors, including the approximately 95% of U.S. households that maintain a bank account.

In addition to work within the industry, banks have worked collaboratively with federal law enforcement and regulators for many years in a shared mission to prevent, detect, and respond to cyber threats and incidents. Since 2002, the Financial Services Sector Coordinating Council—a group of financial trade associations, financial utilities, and the nation’s most critical financial firms—has worked collaboratively with key government agencies with the stated goal of protecting the financial services sector from cyber and physical incidents.

In recent years, as cybersecurity incident-reporting requirements have proliferated, our members have also worked collaboratively with these agencies to promote harmonization of reporting requirements to achieve an appropriate balance between the benefits of incident reporting and the risks, harms, and operational burdens that may be associated with reporting, particularly during a crisis in which restoring and ensuring the security of services to customers is paramount. In this regard, the Associations welcome the creation of the Cyber Incident Reporting Council, pursuant to Congress’s recent passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), which will be vested with the authority to “coordinate, deconflict, and harmonize” cyber incident reporting requirements to relieve covered entities of the burden of submitting multiple reports while working to investigate and remediate a significant incident. The Associations also welcome the recent establishment of the White House Office of the National Cyber Director (“ONCD”), with the stated mission to ensure “federal coherence” in cyber policy, action, and doctrine and “improve public-private collaboration to tackle cyber challenges across sectoral lines.” Only a partnership and shared commitment between the public and private sectors can effectively mitigate the risk that malicious cyber actors pose to our country.

Consistent with this shared goal, since 2018, the Commission has provided guidance on public company cybersecurity disclosures (“2018 Guidance”) to promote clarity and consistency in reporting, while avoiding reporting requirements that could result in undue harm and security risks to market participants and others. Following the Commission’s principles-based approach to disclosure requirements, the 2018 Guidance recognizes, for example, “that a company may require time to discern the implications of a cybersecurity incident,” and states that the Commission does “not intend[] to suggest that a company should make detailed disclosures that could compromise its cybersecurity efforts.” We appreciate the statement in the preamble to the Proposed Rules that the 2018 Guidance will remain in place following the adoption of any final rules.

The Commission posits in the Proposed Rules that the 2018 Guidance is insufficient and that investors would benefit from additional detail and greater uniformity in cybersecurity reporting, but the limited materials cited lend little support for that proposition. In fact, the cited materials describe the enhancements and continuing, positive trends in public companies’ cybersecurity disclosures following the 2018 Guidance, and conclude that the Commission’s existing disclosure regime is adequate.

While the Associations support aspects of the Proposed Rules, we believe change is essential in several areas, including to harmonize the Proposed Rules with the 2018 Guidance. We propose revisions in those areas.

I. Executive Summary

• While we support the policy goals of the Proposed Rules, we believe that, as currently drafted, the Proposed Rules insufficiently take into account other policy goals, including ensuring the cybersecurity of registrants; protecting the safety and soundness of financial institutions; and identifying and bringing to justice the perpetrators of serious cybercrimes.
  
  
• The Proposed Rules impose requirements for the timing and content of disclosure of material cybersecurity incidents on Form 8-K without sufficient regard for the security risks and harms that such disclosures may pose in certain circumstances. Specifically, the very fact of disclosure that a cybersecurity incident is ongoing and unremediated may adversely impact a registrant’s ability to effectively respond to and remediate the incident, and significantly exacerbate the resulting risks and harms to the registrant and its shareholders, customers, and others.
  
  
  • The timing for the required disclosure of a cybersecurity incident on Form 8-K should be changed in the final rule to “four business days after the registrant has reasonably determined that the cybersecurity incident is no longer ongoing, and that public disclosure of the incident will not seriously jeopardize the security of the registrant.”
    
    
  • Registrants should not be required to disclose to what extent an incident has been remediated given the security risks that such disclosure would pose to them.
    
    
  • The instructions for the Form 8-K disclosure should incorporate the Commission’s statement, set forth in the preamble to the Proposed Rules, that “registrants are not expected to publicly disclose specific, technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant’s response or remediation of the incident.”

Download the comment letter to read the full text.