Banking Industry Calls on SEC to Scrap Cybersecurity Disclosure Rule

A group of major U.S. banks is asking the Securities and Exchange Commission (SEC) to withdraw public disclosure of cybersecurity incidents, a key rule part of the regulations system. The formal petition was submitted on May 22 by these organizations, claiming that the regulation could encourage cybercriminal activity and harm national security efforts.

Led by the American Bankers Association, the petition is supported by the Securities Industry and Financial Markets Association, the Bank Policy Institute, Independent Community Bankers of America, and the Institute of International Bankers. The petition targets “Item 1.05” of the SEC’s cybersecurity rule implemented in July 2023.

Important Reads: Major U.S. Banks Explore Joint Crypto Stablecoin Amid Growing Demand

What is the Cybersecurity Disclosure Rule?

The Cybersecurity Disclosure Rule urges all public companies to disclose major cybersecurity breaches such as data hacks or phishing attacks. They must do so promptly via Form 8-K or Form 6-K. However, the banking groups argue that these disclosures conflict with confidential reporting obligations aimed at protecting critical infrastructure and informing potential victims without public exposure.

“This requirement creates regulatory confusion and complicates incident response efforts by law enforcement,” the petition states. The groups also highlight how threat actors have begun exploiting public disclosure rules, using them as leverage in ransomware attacks to increase pressure on victims. According to these companies, such premature disclosures can amplify liability, disrupt insurance processes, and discourage open internal communication within companies responding to cyber threats.

Critically, the group establishes that investor protection would not be diminished if the rule were removed. “Without Item 1.05, investor interests will still be protected through the existing material disclosure framework,” the letter reads, referencing the longstanding practice of reporting material events that affect shareholders.

The petition includes real-world examples of confusion caused by the current disclosure process, including documented instances of ransomware attacks and clashes with other regulatory obligations.

The rule has also had implications beyond the banking sector. Publicly listed cryptocurrency firms, such as Coinbase, have already felt its impact. Earlier this month, Coinbase revealed a significant breach in which hackers bribed support staff to gain access to user data. The company, which refused a $20 million ransom, now faces up to $400 million in potential damages and is embroiled in at least seven lawsuits stemming from its public disclosure. Industry advocates believe repealing the rule could provide companies more time and flexibility to manage cybersecurity crises without jeopardizing investor trust or national security priorities. The SEC has yet to formally respond to the petition.