Banking Groups Push SEC to Drop Cybersecurity Disclosure Rule

Banking Groups Urge SEC to Repeal Cybersecurity Incident Disclosure Rule
Major U.S. banking and financial industry groups are pressing the Securities and Exchange Commission (SEC) to roll back its rule requiring public companies to disclose cybersecurity incidents within four days.
In a formal letter sent on May 22, five leading financial advocacy organizations — spearheaded by the American Bankers Association — urged the SEC to rescind the controversial disclosure requirement, arguing that it conflicts with existing regulations designed to protect critical infrastructure and alert potential victims discreetly.
The coalition, which also includes the Securities Industry and Financial Markets Association, the Bank Policy Institute, the Independent Community Bankers of America, and the Institute of International Bankers, warned that the SEC’s rule compromises national cybersecurity efforts rather than strengthening them.
A Flawed Rule, According to the Industry
The SEC’s Cybersecurity Risk Management rule, adopted in July 2023, mandates that companies disclose material cybersecurity incidents — including data breaches, ransomware attacks, or hacks — through public filings like Form 8-K within four business days.
However, the banking groups argue that this requirement has proven impractical and counterproductive in real-world scenarios.
They claim that the “complex and narrow disclosure delay mechanism” built into the rule hampers timely incident response, interferes with law enforcement operations, and creates unnecessary “market confusion” between mandatory disclosures and voluntary information sharing.
“Public disclosure has, in some cases, been weaponized by ransomware criminals as an extortion tool to further their malicious objectives,” the groups wrote in their petition. They also warned that premature or rushed disclosures exacerbate insurance and liability risks and may discourage frank internal communication within companies during sensitive investigations.
[Image: Some of the banking groups’ claims and fears regarding the ruling. Source: SIFMA]
Focus on Form 8-K and Item 1.05
Specifically, the banking groups are targeting Item 1.05 of the SEC’s Form 8-K requirements, which covers material cybersecurity incidents. They are also asking for the parallel reporting requirements under Form 6-K (used by certain foreign private issuers) to be repealed.
Form 8-K is the primary mechanism through which U.S. public companies notify investors and regulators of significant events, including security breaches, that could materially impact shareholder interests.
The groups argue that removing Item 1.05 would not harm investors because companies are already obligated under existing rules to report material events, including cybersecurity incidents, when appropriate. In their view, the pre-existing framework is sufficient and better suited to balancing transparency with operational security.
Crypto Companies in the Crosshairs
The SEC’s disclosure rule doesn’t just affect traditional financial institutions; it also impacts publicly traded cryptocurrency firms like Coinbase.
Earlier this month, Coinbase disclosed that hackers had bribed one of its support staff members to leak sensitive user data — a disclosure that led to at least seven lawsuits filed against the company.
Coinbase reported that it had refused a $20 million ransom demand following the phishing attack, warning that the breach could cost the company up to $400 million in damages.
Industry watchers note that if the SEC rolls back its disclosure requirements, crypto firms like Coinbase would gain more flexibility and time in deciding when and how to report cybersecurity incidents to the public — potentially reducing their legal and financial exposure.
What Comes Next?
The banking groups’ petition to the SEC includes documented examples of regulatory conflicts, specific ransomware incidents, and confusion among affected companies. Whether the SEC will heed these calls remains to be seen, but the debate highlights the growing tension between transparency and security in the digital age.
For now, both investors and companies will be watching closely to see if the SEC modifies its approach to balancing market disclosure with national cybersecurity priorities.