The US banking industry is lobbying to rescind one of the US Securities and Exchange Commission’s (SEC) latest rules on cyber incident reporting.
The group includes the American Bankers Association (ABA), the Bank Policy Institute (BPI), the Securities Industry and Financial Markets Association (SIFMA), the Independent Community Bankers of America (ICBA) and the Institute of International Bankers (IIB).
The rule, officially called the “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule,” was adopted by the SEC in July 2023.
It requires public companies to disclose material cybersecurity incidents within four business days of determining their materiality, with a description of the material aspects of the incident’s nature, scope and timing, as well as its material impact or reasonably likely material impact on the registrant.
This requirement amends Form 8-K by adding Item 1.05 for US-based companies and amends Form 6-K for foreign companies operating in the US.
Additionally, companies must annually report on their cybersecurity risk management, strategy and governance practices.
Disclosure Complexity and Compliance Confusion
In a…