Banks Call for Changes to SEC Cybersecurity Proposals

A coalition of banking sector trade bodies have written to the SEC calling for changes to its planned new rulebook on cybersecurity.

The Bank Policy Institute (BPI), the American Bankers Association (ABA), the Independent Community Bankers of America and the Mid-Sized Bank Coalition of America, collectively expressed support for the proposals but warned that they “insufficiently take into account other policy goals”.

According to the letter, targets such as ensuring the cybersecurity of parties, protecting the soundness of financial institutions, and identifying and punishing perpetrators of cybercrime, were not met.

The coalition stated that the timing and content requirements for incident disclosures were made “without sufficient regard” of potential security risks.

The letter stated: “Specifically, the very fact of disclosure that a cybersecurity incident is ongoing and unremediated may adversely impact a registrant’s ability to effectively respond to and remediate the incident, and significantly exacerbate the resulting risks and harms to the registrant and its shareholders, customers, and others.”

The organizations also stated that periodic disclosures should not be required to reveal the nature or status of remediation activities, including alterations to cybersecurity policies. They claimed that publishing such details would “assist” threat perpetrators who will look for ways to comprise information systems.

They also took issue with the proposed requirement for banks to disclose details of their selection and oversight of third-party entities, including contractual requirements used to tackle security risks.

The letter said banks “should only be required to disclose high-level information, including confirmation that policies and procedures are appropriately applied to third-party selection and ongoing oversight”.

The SEC recently doubled its digital finance oversight team, with the addition of 20 new staff to the newly-rebranded Crypto Assets and Cyber Unit, a part of its enforcement division.