Introduction
The US banking industry is actively lobbying for the repeal of a cybersecurity rule established by the US Securities and Exchange Commission (SEC) in July 2023. This rule requires public companies to disclose significant cybersecurity incidents promptly, a mandate that the banking sector argues is impractical and potentially harmful.
Description
The US banking industry is actively seeking to repeal the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule [3] [4] [6] established by the US Securities and Exchange Commission (SEC) in July 2023. This rule mandates that public companies disclose significant cybersecurity incidents [3] [4], such as data breaches or hacks [5], within four business days of determining their materiality [3] [4], including details on the incident’s nature, scope, and timing [3] [4] and its material impact or potential impact on the company [3]. Additionally, it requires annual reporting on cybersecurity risk management and governance practices [3] [4].
Major organizations involved in this lobbying effort include the American Bankers Association (ABA) [3], the Bank Policy Institute (BPI) [3] [4] [6], the Securities Industry and Financial Markets Association (SIFMA) [2] [3] [4], the Independent Community Bankers of America (ICBA) [3] [4], and the Institute of International Bankers (IIB) [3] [4]. The banking groups argue that the four-day reporting timeline is impractical and complicates incident reporting, straining resources and adding to an already complex landscape of federal cyber incident reporting requirements identified by the Department of Homeland Security [4]. They contend that premature disclosures can interfere with ongoing investigations [2], create market confusion [6], and lead to legal chaos, potentially jeopardizing incident containment and law enforcement efforts [2].
Critics assert that the rule has backfired by forcing disclosures during active investigations [2], which may inadvertently give attackers an advantage. A recent breach at Coinbase [1], where attackers impersonated support staff to steal user assets [1], underscores the risks associated with centralized data [1], particularly as cryptocurrency adoption increases. The banking associations express concern that ransomware gangs may exploit the strict deadlines imposed by the rule to extort companies and escalate attacks. They maintain that the public disclosure requirement could chill internal communications and conflict with confidential reporting requirements under federal laws, such as the Cyber Incident Reporting for Critical Infrastructure Act [2].
The petition to repeal the rule, submitted on May 22, 2025 [2], specifically calls for the repeal of Item 1.05 of Form 8-K and the equivalent Form 6-K requirement for foreign issuers [2]. The banking groups argue that existing disclosure rules already require the reporting of material cybersecurity risks in a manner that protects investors without compromising security [2]. Instead, they advocate a more flexible approach to cybersecurity reporting that emphasizes strategic intelligence sharing and robust enforcement [5]. The SEC has not yet publicly responded to the petition [2]; its decision could significantly affect cybersecurity disclosure practices at a time of increasing threats [2].
Conclusion
The ongoing debate over the SEC’s cybersecurity disclosure rule highlights the tension between transparency and security. While the rule aims to protect investors by ensuring timely disclosure of cybersecurity incidents, the banking industry argues that it may inadvertently compromise security efforts and complicate compliance. The outcome of this lobbying effort could shape future cybersecurity reporting practices, balancing the need for public disclosure with the protection of sensitive information. As cyber threats continue to evolve, finding a middle ground that satisfies both regulatory requirements and security concerns will be crucial.
References
[1] https://thecyberwire.com/podcasts/daily-podcast/2319/transcript
[2] https://investors.catenaa.com/news/us-banking-groups-urge-sec-to-revoke-cybersecurity-disclosure-rule-citing-risks
[3] https://www.infosecurity-magazine.com/news/us-banks-sec-repeal-cyber/
[4] https://osintcorp.net/us-banks-urge-sec-to-repeal-cyber-disclosure-rule/
[5] https://www.koreaittimes.com/news/articleView.html?idxno=141866
[6] https://www.thecorporatecounsel.net/blog/2025/05/revisiting-cybersecurity-disclosures-a-petition-for-rulemaking.html