04/10/2026 | Press release | Archived content
SIFMA, The American Bankers Association (ABA), Bank Policy Institute (BPI), Independent Community Bankers of America (ICBA), and Institute of International Bankers (IIB) provided comments to the SEC in response to Chair Atkins's request for public input on reforming Regulation S-K.
Our members are subject to extensive cybersecurity oversight and incident-reporting regimes administered by prudential regulators and federal agencies, in addition to the public disclosure requirements of the Commission's Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule. 1 This letter focuses on Item 106 of Regulation S-K and the related cybersecurity incident disclosure mandate on Form 8-K, Item 1.05. 2
We welcome the Commission's comprehensive review of Regulation S-K and its effort to restore a materiality-centered, principles-based disclosure framework whereby companies assess disclosure obligations based on longstanding materiality standards. As noted in the recently released Cyber Strategy for America, cyber regulations should be streamlined to "reduce compliance burdens, address liability, and better align regulators and industry globally." 3 As part of the Commission's review, we urge the Commission to rescind Item 106.
We believe Item 106 places outsized weight on one risk type and requires disclosure of operational details inconsistent with a principles-based framework. Rescission of Item 106 would streamline disclosure and "eliminat[e] both the burdensome and the impractical," in alignment with Chair Atkins's strategy for the Commission's regulatory frameworks. 4 In the event the Commission does not rescind Item 106, we recommend that the Commission narrow and refocus Item 106 so that it elicits concise, decision-useful and materiality-centered information about cybersecurity risks and risk management, without burying investors in immaterial detail. In addition, as part of the Commission's review, we urge the Commission to rescind Form 8-K, Item 1.05. We believe that the pre-existing principles-based disclosure framework (including Form 8-K, Item 8.01 and periodic reporting requirements) adequately addresses disclosure of material cybersecurity incidents, as described in the joint petition for rulemaking submitted by our organizations last year. 5
I. The Commission Should Rescind Item 106
In 2022, our associations explained that the proposed cybersecurity rules raised serious policy and practical concerns, including the following: (1) the risk that bespoke, topic-specific line items for cybersecurity incidents would privilege one type of risk over others in a way that is inconsistent with the Commission's longstanding, principles-based regime 11 and (2) security risks from prescriptive disclosures about cybersecurity. Although the Commission acknowledged many of the comments it received in the final rule, it did not resolve several issues with Item 106's requirements, including the concerns raised by our associations. These issues now warrant reconsideration in the context of Regulation S-K reform, particularly as compliance with Item 106's disclosure requirements has negatively impacted the members of our associations. For example, our member financial services firms devote significant attention and resources away from other important priorities to complying with Item 106's detailed disclosure requirements, leaving less time for other strategic security initiatives to fortify firm defenses. At the same time, the growing patchwork of overlapping cybersecurity rulemakings across federal agencies and state regimes further risks the diversion of finite resources away from proactive threat detection and toward prescriptive compliance exercises. Smaller and mid-sized financial services firms, in particular, find compliance challenging given their more limited resources.