Top U.S. banking associations are pressing the Securities and Exchange Commission to roll back a rule that forces public companies to disclose major cybersecurity breaches within four business days.
In a letter sent May 22, five major financial groups—including the American Bankers Association and the Securities Industry and Financial Markets Association—argued the rule clashes with existing laws aimed at protecting critical infrastructure and victims’ privacy.
At the center of the dispute is Item 1.05 of Form 8-K, a regulation rolled out in July 2023 under the SEC’s broader Cybersecurity Risk Management rules. It requires companies to publicly reveal “material” cyber incidents, like hacks or data breaches, on a strict deadline.
The banking industry says that’s a problem. According to the letter, the rule can disrupt how firms respond to attacks, interfere with law enforcement, and blur the lines between what must be shared publicly and what’s optional.
One key concern: threat actors may be using these public disclosures to pressure companies during ransomware attacks. The groups say that puts victims in an even tougher spot and could drive up insurance costs or legal risks.
There’s also a worry that the rule could have a chilling effect internally. If every incident might go public fast, employees could hesitate to flag problems or share sensitive details that are critical to stopping a breach.
The associations want the SEC to scrap the rule and, in place of mandated public disclosures, stick with current frameworks that let companies alert investors without tipping off attackers or exposing vulnerabilities.
Their argument echoes growing pushback against overlapping federal cybersecurity rules. For example, the Cybersecurity and Infrastructure Security Agency is developing new reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). That proposal would give companies 72 hours to report major incidents—another tight window critics say could swamp firms with paperwork during a crisis.
The financial sector isn’t arguing against transparency. But it’s calling for more realistic timelines and coordination between regulators to avoid chaos when every second counts.