Petition for Rulemaking on the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule (Joint Trades)

Summary

SIFMA, the American Bankers Association (ABA), Bank Policy Institute (BPI), Independent Community Bankers of America (ICBA), and Institute of International Bankers (IIB) respectfully petition the Securities and Exchange Commission (SEC), pursuant to Rule 192 of the SEC’s Rules of Practice, for a rulemaking to amend the SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule.

Submitted To: SEC
Submitted By: SIFMA, ABA, BPI, ICBA and IIB
Date: 22 May 2025

Excerpt

Via Electronic Mail

Ms. Vanessa Countryman
Secretary
U.S. Securities and Exchange Commission
100 F Street NE
Washington, D.C. 20549

Re: Petition for Rulemaking on the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule

Dear Ms. Countryman,

The American Bankers Association,[1] Bank Policy Institute,[2] Securities Industry and Financial Markets Association,[3] Independent Community Bankers of America,[4] and Institute of International Bankers[5] respectfully petition the Securities and Exchange Commission pursuant to Rule 192 of the SEC’s Rules of Practice,[6] for a rulemaking to amend the SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule. When the rule was first proposed and enacted, concerns that the SEC had exceeded its authority and expertise and that the rule was deeply flawed were raised by the dissenting commissioners, by Congress, and by businesses across multiple sectors, including the financial services industry.[7] While we continue to have significant concerns regarding the rule as a whole—including the requirements of Regulation S-K Item 106 relating to cybersecurity risk management, strategy, and governance disclosures—we believe the most urgent and problematic aspects are the cybersecurity incident disclosure mandates under Form 8-K Item 1.05 for domestic issuers and under Form 6-K for foreign private issuers, both of which require rapid—often premature—disclosure of material cybersecurity incidents. These requirements impose additional risks, cost, and complexity on SEC registrants, undermining the SEC’s mission to facilitate capital formation, while also failing to generate the type of decision-useful information which would advance the SEC’s mission to protect investors. Accordingly, this petition requests the rescission of both Form 8-K Item 1.05 and the corresponding Form 6-K requirements.[8]

In the year and a half since Item 1.05 became effective, the fears expressed by industry have manifested.

  • Premature Disclosure: Registrants have been forced to publicly disclose an incident even if it is ongoing, the company’s investigation is not complete, and the incident has not been fully remediated.
  • Unhelpful to Investors: The premature disclosure has harmed registrants and at the same time failed to provide the market with meaningful or actionable information upon which to make investment decisions.
  • Confusion: The rule has been met with significant confusion, including about when to file under Item 1.05, Item 8.01, or neither. This has persisted despite the SEC’s repeated attempts to clarify the rule through Compliance & Disclosure Interpretations,[9] commissioner statements,[10] and comment letters.[11]

The SEC previously expressed that it was not persuaded that the risks relating to Item 1.05 identified by industry would come to pass. The staff of the SEC has since found it necessary to create a patchwork of guidance and comment letters in an attempt to address these risks. We continue to believe that Item 1.05 was flawed in its conception, and request that the SEC review the record and reconsider.

We respectfully request that the SEC rescind Item 1.05 because: (1) publicly disclosing cybersecurity incidents directly conflicts with confidential reporting requirements intended to protect critical infrastructure and warn potential victims, thereby compromising coordinated regulatory efforts to enhance national cybersecurity; (2) the complex and narrow disclosure delay mechanism interferes with incident response and law enforcement investigations; (3) it has created market confusion and uncertainty as companies struggle to distinguish between mandatory and voluntary disclosures; (4) the incident disclosure requirement has been weaponized as an extortion method by ransomware criminals to further malicious objectives, and may subject disclosing companies to additional cybersecurity threats; (5) insurance and liability implications of premature disclosures can exacerbate financial and operational harm to registrants; and (6) the public disclosure requirement risks chilling candid internal communications and routine information sharing.

Critically, without Item 1.05, investor interests will still be protected, and we believe they would be better served, through the pre-existing disclosure framework for reporting material information—which may include material cybersecurity incidents—while better mitigating the concerns raised above.


  1. The American Bankers Association is the voice of the nation’s $24.1 trillion banking industry, which is composed of small, regional, and large banks that together employ approximately 2.1 million people, safeguard $19.2 trillion in deposits, and extend $12.7 trillion in loans.
  2. The Bank Policy Institute is a nonpartisan public policy, research, and advocacy group that represents universal banks, regional banks, and the major foreign banks doing business in the United States. The Institute produces academic research and analysis on regulatory and monetary policy topics, analyzes and comments on proposed regulations, and represents the financial services industry with respect to cybersecurity, fraud, and other information security issues. Business, Innovation, Technology and Security (“BITS”), BPI’s technology policy division, provides an executive-level forum to discuss and promote current and emerging technology, foster innovation, reduce fraud, and improve cybersecurity and risk management practices for the financial sector.
  3. SIFMA is the leading trade association for broker-dealers, investment banks, and asset managers operating in the U.S. and global capital markets. On behalf of our industry’s one million employees, we advocate on legislation, regulation, and business policy affecting retail and institutional investors, equity and fixed income markets, and related products and services. We serve as an industry-coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (“GFMA”).
  4. The Independent Community Bankers of America® has one mission: to create and promote an environment where community banks flourish. We power the potential of the nation’s community banks through effective advocacy, education, and innovation. As local and trusted sources of credit, America’s community banks leverage their relationship-based business model and innovative offerings to channel deposits into the neighborhoods they serve, creating jobs, fostering economic prosperity, and fueling their customers’ financial goals and dreams.
  5. The Institute of International Bankers (“IIB”) represents the U.S. operations of internationally headquartered financial institutions from more than 35 countries around the world. The membership consists principally of international banks that operate branches, agencies, bank subsidiaries, and broker-dealer subsidiaries in the United States. The IIB works to ensure a level playing field for these institutions, which are an important source of credit for U.S. borrowers and comprise the majority of U.S. primary dealers. These institutions also enhance the depth and liquidity of U.S. financial markets and contribute significantly to the U.S. economy through direct employment of U.S. citizens, as well as through other operating and capital expenditures.
  6. 17 C.F.R. § 201.192(a).
  7. See Bank Policy Institute, American Bankers Assoc., Independent Community Bankers of America, and Mid-Size Banking Coalition of America, Comment Letter on Proposed Rules Regarding Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Requirements (May 9, 2022), https://www.sec.gov/comments/s7-09-22/s70922-20128336-291093.pdf [hereinafter BPI Comment Letter].
  8. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, 88 Fed. Reg. 51896, 51945 (Aug. 4, 2023) [hereinafter Cybersecurity Disclosure Rule].
  9. Compliance and Disclosure Interpretations, Exchange Act Form 8-K, Questions 104B.01 – 104B.09 (June 24, 2024), U.S. SEC. & EXCH. COMM’N., https://www.sec.gov/rules-regulations/staff-guidance/compliance-disclosure-interpretations/exchange-act-form-8-k#104b.
  10. Erik Gerding, Disclosure of Cybersecurity Incidents Determined To Be Material and Other Cybersecurity Incidents, U.S. SEC. & EXCH. COMM’N. (May 21, 2024), https://www.sec.gov/newsroom/speeches-statements/gerding-cybersecurity-incidents-05212024 [hereinafter Gerding Statement].
  11. The SEC issued comment letters to most of the registrants that filed Item 1.05 Forms 8-K in the first seven months the rule was in effect, and many of those letters demonstrate a fundamental disagreement between registrants and the SEC in the interpretation of the rule. See, e.g., Letter from the Staff of the Div. of Corp. Fin., Sec. & Exch. Comm’n, to AT&T Inc. (July 26, 2024), https://www.sec.gov/Archives/edgar/data/732717/000000000024008480/filename1.pdf; Letter from the Staff of the Div. of Corp. Fin., Sec. & Exch. Comm’n, to AT&T Inc. (Aug. 19, 2024), https://www.sec.gov/Archives/edgar/data/732717/000000000024009500/filename1.pdf [hereinafter, collectively, the AT&T Letters].
  12. Weaponization by Hackers: In multiple instances threat actors have used the rule’s prescriptive requirements as additional extortion leverage. See, e.g., AlphV files an SEC complaint against MeridianLink for not disclosing a breach to the SEC (2), DATABREACHES.NET (Nov. 15, 2023), https://databreaches.net/2023/11/15/alphv-files-an-sec-complaint-against-meridianlink-for-not-disclosing-a-breach-to-the-sec/ [hereinafter the AlphV Incident Article].