- US banks are pushing back against a cyber disclosure rule
- Banks say it adds complexity and strain to their systems.
- Banks especially do not want to reveal ongoing cyber attacks
A group of US banks is pushing back against a recent ruling of the US Securities and Exchange Commission (SEC) that requires public companies, including banks, to disclose cyber attacks.
Banks argue that the ruling adds unnecessary strain and complexity to their operations, and potentially requires the disclosure of cyber incidents before internal investigations have been completed and the scope of the damage evaluated.
The group members include the American Bankers Association (ABA), the Bank Policy Institute (BPI), the Securities Industry and Financial Markets Association (SIFMA), the Independent Community Bankers of America (ICBA) and the Institute of International Bankers (IIB).
Tops SEC head and banks
The rule, formally known as “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure,” was introduced in July 2023.
It not only describes the disclosure procedures for cyber incidents, such as the impact, timing and scope of the incident, but also requires that public companies provide a report on their cybersecurity risk management, strategy and governance practices every year.
A public statement issued by the Bank Policy Institute said: “This rule requires that public companies disclose material cybersecurity incidents within four business days, which adds to an already complex list of reporting and disclosure obligations that financial institutions and other critical companies in the infrastructure sector must follow. The Department of Homeland Security issued a report in 2023 identifying 45 requirements for federal cyber incident reports, administered by 22 federal agencies.”
Banks also argue that the rule could put additional pressure on banks and their clients during ransomware attacks, since attackers could point to disclosures that have not been made as a means of extortion.
The banking group lobbied against the rule in 2023, and requested a 12-month extension to the data protection requirements and cybersecurity amendments.
Similarly, Australia has a new rule that requires all organizations with an annual turnover of AUS $3M ($1.93 million) to disclose ransomware payments within 72 hours, including the amount, currency and timing of communications with the attackers.
Via Infosecurity Magazine