US Banks Resist Cyberattack Disclosure Rule: A Breakdown
Banks in the United States are pushing back against a rule that would require them to disclose breaches they have suffered through cyberattacks
A coalition of US banking trade groups, including the American Bankers Association (ABA), the Bank Policy Institute (BPI), the Securities Industry and Financial Markets Association (SIFMA), the Independent Community Bankers of America (ICBA) and the Institute of International Bankers (IIB), is challenging the cybersecurity incident disclosure rule adopted by the US Securities and Exchange Commission (SEC). The rule requires public companies to report a material cybersecurity incident on Form 8-K (Item 1.05) within four business days of determining that the incident is material.
Here's why they find the rule unpalatable:
- Burden on Systems: The rule adds a layer of complexity and strain to banks' systems and response teams, because it can force disclosure of an incident before the internal investigation has finished and the extent of the damage has been properly assessed.
- Confidential Reporting Conflicts: The rule's disclosure requirements are at odds with confidential reporting requirements designed to safeguard critical infrastructure and notify potential victims.
- Interference in Incident Response: Because the disclosure clock starts as soon as an incident is judged material, the deadline can cut across ongoing containment work and law enforcement investigations. The rule permits a delay only where the US Attorney General determines that disclosure would pose a substantial risk to national security or public safety, which the banks regard as too narrow an exception.
- Market Confusion: The rule may create confusion in the market between mandatory and voluntary disclosures, leading to misinformation and unnecessary alarm among investors.
- Ransomware Extortion: Banks fear that a forced, premature disclosure hands ransomware actors additional leverage for extortion. They also argue it could worsen insurance and liability exposure and chill internal communication and information sharing during an incident.
- Insufficient Investor Protection: Banks argue that the existing disclosure framework for material information is comprehensive enough to protect investor interests, and the addition of the cybersecurity disclosure rule (Item 1.05) is unnecessary.
- Regulatory Conflicts: The banks feel the rule undermines efforts to bolster national cybersecurity by creating regulatory conflicts and disrupting effective incident management.
For comparison, Australia's Cyber Security Act 2024 now requires organizations with an annual turnover of AUD 3 million or more to report a ransomware payment within 72 hours of making it, including details such as the amount paid and the timing of communications with the attackers.
[Source: Infosecurity Magazine]
- The dispute over the SEC's cyberattack disclosure rule pits the ABA, BPI, SIFMA, ICBA and IIB against the regulator; the groups argue that the rule's requirements could interfere with incident response, add to market confusion and give ransomware attackers leverage for extortion.
- In a related development, Australia now requires organizations with an annual turnover of AUD 3 million or more to report ransomware payments within 72 hours, including the amount and the timing of communications with attackers.
- The banks frame the SEC rule as a potential threat to national cybersecurity, arguing that it creates conflicts with existing confidential reporting regimes and disrupts effective incident management.