- American banks push back against a cyberattack disclosure rule
- Banks say it adds complexity and strain to their systems
- In particular, banks do not want to disclose cyberattacks that are still in progress
A group of American banks is pushing back against a recent decision by the US Securities and Exchange Commission (SEC) that obliges public companies, including banks, to disclose cyberattacks.
The banks argue that the decision adds unnecessary strain and complexity to their operations, and could require them to disclose cyber incidents before internal investigations have finished and before the scope of the damage has been assessed.
Group members include the American Bankers Association (ABA), the Bank Policy Institute (BPI), the Securities Industry and Financial Markets Association (SIFMA), the Independent Community Bankers of America (ICBA) and the Institute of International Bankers (IIB).
The rule, officially known as the “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” rule, was introduced in July 2023.
It not only sets out the disclosure procedures for cyber incidents, such as the impact, timing and scope of the incident, but also obliges public companies to report each year on their cybersecurity risk management, strategy and governance practices.
A public statement published by the Bank Policy Institute said: “This rule obliges public companies to disclose significant cyber incidents within four working days, adding to an already complex list of reporting and disclosure obligations that financial institutions and other critical infrastructure sector companies must follow. The Department of Homeland Security published a report in 2023 identifying 45 different cyber-incident reporting requirements, administered by 22 federal agencies.”
The banks also argue that the rule could put additional pressure on banks and their customers during ransomware attacks, as attackers could exploit the disclosure requirement as a means of extortion.
The banking group lobbied against the rule in 2023 and requested a 12-month extension for the data protection and cybersecurity requirements.
Similarly, in Australia, a new rule has come into force requiring all organizations with an annual turnover of AU$3 million ($1.93 million) to disclose ransomware payments within 72 hours, including the amount, the currency and the timeline of communications with the attackers.
Via Infosecurity Magazine