A coalition of leading U.S. banking associations is urging the Securities and Exchange Commission (SEC) to repeal its rule mandating the disclosure of cybersecurity incidents within four days, arguing that the regulation poses a risk to national security and impedes effective incident response.
In a joint letter dated May 22, five influential financial industry bodies—led by the American Bankers Association (ABA) and including the Securities Industry and Financial Markets Association (SIFMA), the Bank Policy Institute (BPI), the Independent Community Bankers of America (ICBA), and the Institute of International Bankers (IIB)—petitioned the SEC to eliminate Item 1.05 of Form 8-K and corresponding Form 6-K provisions. These rules require public companies to disclose “material” cybersecurity breaches within four business days of determining materiality.
The groups argue that the disclosure requirement contradicts federal protocols designed to protect critical infrastructure and hampers coordinated responses to cyber threats. According to the petition, the mandate “undermines efforts to strengthen the national cybersecurity posture” and is at odds with confidential reporting obligations designed to alert government agencies and potential victims without tipping off cybercriminals.
The disclosure mandate, introduced under the SEC’s Cybersecurity Risk Management rule in July 2023, aims to improve transparency for investors. However, critics within the banking sector contend that the rule is not only narrowly defined and administratively burdensome, but also exposes firms to additional risks.
Key Concerns Raised Include:
- Operational Disruption: The mandated disclosure timeline could hinder law enforcement and incident response coordination.
- Legal and Insurance Implications: Early public disclosures may increase liability exposure and complicate cyber insurance claims.
- Cybercrime Exploitation: The groups warned that attackers have weaponized public disclosure threats as leverage in ransomware attacks.
- Market Confusion: Uncertainty around what constitutes “material” disclosure has led to inconsistent reporting and investor misunderstandings.
The petition contends that the existing SEC disclosure framework already provides adequate investor protection, including for cybersecurity-related risks, without the need for an additional, time-constrained reporting layer.
Broader Industry Implications
The rule has notably affected publicly traded cryptocurrency firms, such as Coinbase, which recently disclosed a major cyberattack involving internal bribery and a $20 million ransom demand. The incident resulted in at least seven lawsuits and projected damages of up to $400 million.
Should the SEC amend or revoke the rule, firms like Coinbase could benefit from more flexible timelines for disclosing cybersecurity breaches—potentially allowing for more measured, secure responses in the event of an attack.
The financial industry’s appeal highlights ongoing tension between transparency in public markets and the evolving complexities of cybersecurity governance. As digital infrastructure becomes increasingly critical to financial stability, regulatory frameworks are under growing scrutiny for how they balance disclosure, national security, and corporate liability.