- US banks push back against a cyberattack disclosure rule
- Banks say it adds complexity and strain to their operations
- Banks especially do not want to disclose cyberattacks that are still ongoing
A group of US banking associations is pushing back against a recent US Securities and Exchange Commission (SEC) rule that requires public companies, including banks, to disclose cyberattacks.
The banks argue that the rule adds unnecessary strain and complexity to their operations and can force them to disclose a cyber incident before their internal investigation is complete and the extent of the damage has been assessed.
The group's members include the American Bankers Association (ABA), the Bank Policy Institute (BPI), the Securities Industry and Financial Markets Association (SIFMA), the Independent Community Bankers of America (ICBA) and the Institute of International Bankers (IIB).
SEC and Banks Butt Heads
The rule, formally known as the "Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure" rule, was introduced in July 2023.
It not only sets out disclosure requirements for cyber incidents, covering the impact, timing and scope of an incident, but also requires public companies to report annually on their cybersecurity risk management, strategy and governance practices.
A public statement issued by the Bank Policy Institute said: "This rule requires public companies to reveal material cyber events within four working days, adding to an already complex list of reporting and information obligations that financial institutions and other critical infrastructure sectors must follow. The Department of Homeland Security issued a report in 2023 that identified 45 different federal requirements for cyber event reporting, administered by 22 federal agencies."
The banks also argue that the rule could put additional pressure on banks and their customers during ransomware attacks, since attackers could threaten to expose a victim's failure to disclose an incident as a means of extortion.
The banking group lobbied against the rule in 2023 and requested a 12-month extension for the changes to data protection and cybersecurity requirements.
Similarly, in Australia, a new rule has come into force that requires all organizations with an annual turnover of AUS$3M ($1.93m) or more to disclose ransomware payments within 72 hours, including the amount, the currency and the time of communication with the attacker.
Via Infosecurity Magazine