TheCorporateCounsel.net

Providing practical guidance
since 1975.

May 29, 2025

Revisiting Cybersecurity Disclosures: A Petition for Rulemaking

Last week, a group of financial services industry trade associations submitted a joint petition for rulemaking to the SEC requesting that the agency amend the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule that was adopted in 2023. The petition focuses on the requirement to file current reports under Item 1.05 of Form 8-K to disclose material cybersecurity incidents.

The petition was submitted by the American Bankers Association, Bank Policy Institute, Securities Industry and Financial Markets Association, Independent Community Bankers of America, and Institute of International Bankers. The groups note that “[w]hile we continue to have significant concerns regarding the rule as a whole—including the requirements of Regulation S-K Item 106 relating to cybersecurity risk management, strategy, and governance disclosures—we believe the most urgent and problematic aspects are the cybersecurity incident disclosure mandates under Form 8-K Item 1.05 for domestic issuers and under Form 6-K for foreign private issuers, both of which require rapid—often premature—disclosure of material cybersecurity incidents.”

In support of the request to revisit the Item 1.05 disclosure requirement, the petition notes a number of key concerns:

We respectfully request that the SEC rescind Item 1.05 because: (1) publicly disclosing cybersecurity incidents directly conflicts with confidential reporting requirements intended to protect critical infrastructure and warn potential victims, thereby compromising coordinated regulatory efforts to enhance national cybersecurity; (2) the complex and narrow disclosure delay mechanism interferes with incident response and law enforcement investigations; (3) it has created market confusion and uncertainty as companies struggle to distinguish between mandatory and voluntary disclosures; (4) the incident disclosure requirement has been weaponized as an extortion method by ransomware criminals to further malicious objectives, and may subject disclosing companies to additional cybersecurity threats; (5) insurance and liability implications of premature disclosures can exacerbate financial and operational harm to registrants; and (6) the public disclosure requirement risks chilling candid internal communications and routine information sharing.

Critically, without Item 1.05, investor interests will still be protected, and we believe they would be better served, through the pre-existing disclosure framework for reporting material information—which may include material cybersecurity incidents—while better mitigating the concerns raised above.

As noted in this blog, Debevoise’s Data Strategy and Security group assisted the five trade associations in preparing the joint petition for rulemaking.

It remains to be seen to what extent the SEC will undertake any changes to the cybersecurity disclosure rules in response to this petition for rulemaking or otherwise. It does appear that the SEC is very much in “listening mode” on the topic of regulatory reform, so it is possible that this is an area the SEC will choose to focus on as it seeks to revisit some of the rulemaking that was completed by the agency over the past four years.

– Dave Lynn
