US Banking Groups Urge SEC to Repeal Cybersecurity Disclosure Rule

A coalition of major U.S. banking organizations has formally requested that the Securities and Exchange Commission (SEC) repeal a rule that requires public companies to disclose significant cybersecurity incidents within four days.

In a letter submitted on May 22, five leading financial industry groups — including the American Bankers Association, Securities Industry and Financial Markets Association, Bank Policy Institute, Independent Community Bankers of America, and the Institute of International Bankers — argued that the SEC’s Cybersecurity Risk Management rule conflicts with existing federal protocols and could endanger national cybersecurity efforts.

Financial Sector Pushes Back on Public Disclosure Mandate

The SEC’s rule, adopted in July 2023, mandates that companies file a Form 8-K report within four days of identifying a “material” cyber event. The banking groups contend that this “complex and narrow” requirement creates confusion and poses security risks. They specifically called for “Item 1.05” to be removed from the 8-K reporting framework, along with its parallel application to Form 6-K, which applies to foreign issuers.

“Requiring public disclosure of cyberattacks so quickly can interfere with law enforcement investigations, increase the risk of further attacks, and has even been exploited by ransomware groups to pressure victims,” the letter states.

The groups argue that the rule also creates legal and insurance complications, and discourages internal transparency and cooperation during active incident responses.

Concerns About Weaponized Disclosures and Investor Confusion

According to the petitioners, criminals have begun weaponizing disclosure obligations, threatening to publicize incidents to trigger financial panic or regulatory repercussions unless companies pay ransom demands.

They also claim that investors’ interests would still be protected under the existing material disclosure requirements for public companies, without the need for an inflexible four-day rule.

“The pre-existing disclosure framework already allows for material cybersecurity incidents to be disclosed when appropriate, without the unnecessary risk of rushed or incomplete reporting,” the petition reads.

Crypto Companies Caught in the Crossfire

The SEC rule has also had ripple effects in the cryptocurrency sector. Earlier this month, Coinbase was forced to publicly disclose a major data breach in which hackers bribed support staff to obtain sensitive user data. The firm rejected a $20 million ransom and now faces at least seven lawsuits stemming from the incident.

Coinbase estimated the breach could cost the company up to $400 million in liabilities and remediation.

If the SEC grants the financial sector’s request and repeals or amends the rule, it could offer publicly traded companies — including crypto firms — more flexibility in disclosing cyberattacks while aligning regulatory compliance with national security interests.

The SEC has not yet responded to the petition.
