Proposed Rules Regarding Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Requirements (File No. S7-09-22)
Securities and Exchange Commission
100 F Street, NE
Washington, D.C. 20549-1090
Attn: Secretary, Securities and Exchange Commission
Ladies and Gentlemen:
The Bank Policy Institute (“BPI”), the American Bankers Association (“ABA”), the Independent Community Bankers of America (“ICBA”) and the Mid-Size Bank Coalition of America (“MBCA”) (collectively, the “Associations”) appreciate the opportunity to comment on the notice of proposed rulemaking (the “Proposed Rules”) issued by the U.S. Securities and Exchange Commission (the “Commission”) for registrants regarding disclosure of material cybersecurity incidents, as well as cybersecurity risk management, strategy, and governance.
As the Commission is aware, the Proposed Rules and other new federal notification requirements follow a series of cybersecurity attacks in the past two years that have harmed the U.S. public and private sectors. With respect to financial institutions, cybersecurity threats and incidents may endanger not only individual banks and their shareholders but also consumers, as well as the stability of U.S. financial markets. For this reason, the Cybersecurity and Infrastructure Security Agency (“CISA”) has designated the financial services sector a “critical infrastructure” sector and “a vital component of our nation’s critical infrastructure.” As designated by CISA, the sector includes “thousands of depository institutions, providers of investment products, insurance companies, other credit and financing organizations, and the providers of the critical financial utilities and services that support these functions,” including our members.
While cybersecurity threats are a newer challenge for companies in many industries, U.S. banks have long been a target of malicious cyber actors, and accordingly have invested in robust and ever-evolving measures to prevent, detect, and respond to cyber threats. Banks are leaders in the private sector in developing, maintaining, and enhancing cyber defenses. The industry invests billions of dollars each year in cybersecurity, shares cyber threat intelligence through a pioneering model that has been replicated across industries, and employs thousands of cybersecurity professionals in its efforts to protect not only market participants, but U.S. depositors, including the approximately 95% of U.S. households that maintain a bank account.
In addition to work within the industry, banks have worked collaboratively with federal law enforcement and regulators for many years in a shared mission to prevent, detect, and respond to cyber threats and incidents. Since 2002, the Financial Services Sector Coordinating Council—a group of financial trade associations, financial utilities, and the nation’s most critical financial firms—has worked collaboratively with key government agencies with the stated goal of protecting the financial services sector from cyber and physical incidents.
In recent years, as cybersecurity incident-reporting requirements have proliferated, our members have also worked collaboratively with these agencies to promote harmonization of reporting requirements to achieve an appropriate balance between the benefits of incident reporting and the risks, harms, and operational burdens that may be associated with reporting, particularly during a crisis in which restoring and ensuring the security of services to customers is paramount. In this regard, the Associations welcome the creation of the Cyber Incident Reporting Council, pursuant to Congress’s recent passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), which will be vested with the authority to “coordinate, deconflict, and harmonize” cyber incident reporting requirements to relieve covered entities of the burden of submitting multiple reports while working to investigate and remediate a significant incident. The Associations also welcome the recent establishment of the White House Office of the National Cyber Director (“ONCD”), with the stated mission to ensure “federal coherence” in cyber policy, action, and doctrine and “improve public-private collaboration to tackle cyber challenges across sectoral lines.” Only a partnership and shared commitment between the public and private sectors can effectively mitigate the risk that malicious cyber actors pose to our country.
Consistent with this shared goal, since 2018, the Commission has provided guidance on public company cybersecurity disclosures (“2018 Guidance”) to promote clarity and consistency in reporting, while avoiding reporting requirements that could result in undue harm and security risks to market participants and others. Following the Commission’s principles-based approach to disclosure requirements, the 2018 Guidance recognizes, for example, “that a company may require time to discern the implications of a cybersecurity incident,” and states that the Commission does “not intend[] to suggest that a company should make detailed disclosures that could compromise its cybersecurity efforts.” We appreciate the statement in the preamble to the Proposed Rules that the 2018 Guidance will remain in place following the adoption of any final rules.
The Commission posits in the Proposed Rules that the 2018 Guidance is insufficient and that investors would benefit from additional detail and greater uniformity in cybersecurity reporting, but the limited materials cited lend little support for that proposition. In fact, the cited materials describe the enhancements and continuing, positive trends in public companies’ cybersecurity disclosures following the 2018 Guidance, and conclude that the Commission’s existing disclosure regime is adequate.
While the Associations support aspects of the Proposed Rules, we believe change is essential in several areas, including to harmonize the Proposed Rules with the 2018 Guidance. We propose revisions in those areas.