• Cybersecurity

Banking Groups Push Back on SEC’s Cyberattack Disclosure Rule

Major U.S. banking associations have asked the SEC to drop a rule requiring public disclosure of significant cybersecurity incidents within four days. They argue it conflicts with law enforcement efforts and could aid cybercriminals. PHOTO: Postmodern Studio - stock.adobe.com

Top U.S. banking associations are pressing the Securities and Exchange Commission to roll back a rule that forces public companies to disclose major cybersecurity breaches within four business days.

In a letter sent May 22, five major financial groups—including the American Bankers Association and the Securities Industry and Financial Markets Association—argued the rule clashes with existing laws aimed at protecting critical infrastructure and victims’ privacy.

At the center of the dispute is Item 1.05 of Form 8-K, a regulation rolled out in July 2023 under the SEC’s broader Cybersecurity Risk Management rules. It requires companies to publicly reveal “material” cyber incidents, like hacks or data breaches, on a strict deadline.

The banking industry says that’s a problem. According to the letter, the rule can disrupt how firms respond to attacks, interfere with law enforcement, and blur the lines between what must be shared publicly and what’s optional.

One key concern: threat actors may be using these public disclosures to pressure companies during ransomware attacks. The groups say that puts victims in an even tougher spot and could drive up insurance costs or legal risks.

There’s also a worry that the rule could have a chilling effect internally. If every incident might go public fast, employees could hesitate to flag problems or share sensitive details that are critical to stopping a breach.

Instead of public disclosures, the associations want the SEC to scrap the rule and stick with current frameworks that let companies alert investors without tipping off attackers or exposing vulnerabilities.

Their argument echoes growing pushback against overlapping federal cybersecurity rules. For example, the Cybersecurity and Infrastructure Security Agency is developing new reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). That proposal would give companies 72 hours to report major incidents—another tight window critics say could swamp firms with paperwork during a crisis.

The financial sector isn’t arguing against transparency. But it’s calling for more realistic timelines and coordination between regulators to avoid chaos when every second counts.

Share the Post:
Picture of Juan Oliveros

Juan Oliveros

Originally from Guadalajara, Jalisco, I grew up in the vibrant chile capital of Hatch, NM. I pursued my academic journey at the University of New Mexico, where I earned a bachelor's degree in Business & Administration with a concentration in Marketing and later an MBA with a focus in Data Analytics. Throughout my career, I have always prioritized working with nonprofit organizations, leveraging my expertise to help drive meaningful change.

Related Posts

Get Updates And Stay Connected -Subscribe To Our Newsletter

Contact Information

  • Phone: +1(505) 761-2390
  • mail: info@brant.one
  • Address: 7400 Tiburon St NE, Albuquerque, NM 87109

LATEST NEWS