A group of banking industry associations has officially urged the U.S. Securities and Exchange Commission to revoke a cybersecurity breach reporting rule introduced during the Biden administration. The rule requires public companies to disclose material cybersecurity breaches within four business days of determining their significance. Patrick Warren, Vice President of Regulatory Technology for BITS, the technology policy division of the Bank Policy Institute, stated, “We hope that the SEC will take action to rescind this rule’s premature disclosure requirements, which undermine the resiliency of the U.S. financial system.”
The industry groups expressed concern that the rule hampers communication with stakeholders and conflicts with other reporting requirements specific to financial institutions. In May 2024, SEC’s Erik Gerding clarified that immaterial breaches should be reported under alternative Form 8-K items, such as Item 8.01, rather than the breach reporting rule. The letter also referenced the minimal number of companies that confirmed a material impact in initial filings. With newly appointed SEC Chairman Paul Atkins anticipated to review regulations considered overly burdensome, the banking sector is optimistic that the rule will be revised to better reflect practical compliance and risk management requirements.
