The American Bankers Association, Securities Industry and Financial Markets Association, Bank Policy Institute, Institute of International Bankers, and the Independent Community Bankers of America urged the U.S. Securities and Exchange Commission to rescind cyber incident reporting requirements for domestic and foreign issuers under Form 8-K Item 1.05 and Form 6-K, respectively, according to The Cyber Express.
Requiring public firms to disclose cyber incidents within a four-day period would not only hinder the inclusion of more actionable insights for investments but also increase market confusion, said the groups, which noted that the ALPHV/BlackCat ransomware gang had weaponized the rule in a 2023 attack against MeridianLink. The groups also noted that the SEC rule could conflict with other confidential incident reporting requirements, indicating a threat to national security. "The complex and narrow disclosure delay mechanism interferes with incident response and law enforcement investigations," said the groups.