U.S. Banking Groups Urge SEC to Scrap Cybersecurity Disclosure Rule


A coalition of major U.S. banking and financial groups is calling on the Securities and Exchange Commission (SEC) to withdraw a regulation that requires public companies to disclose material cybersecurity incidents within four business days of determining that an incident is material. In a joint letter sent on May 22, five industry groups, led by the American Bankers Association, argued that the rule conflicts with existing confidential reporting frameworks designed to protect national security and critical infrastructure.

The letter, also signed by the Securities Industry and Financial Markets Association, the Bank Policy Institute, the Independent Community Bankers of America, and the Institute of International Bankers, criticized the SEC’s Cybersecurity Risk Management rule, which was introduced in July 2023. The groups contend that the rule not only hampers effective incident response but also interferes with law enforcement efforts and contributes to market confusion over disclosure requirements.

“Rapid public disclosures risk undermining regulatory coordination and national cybersecurity goals,” the groups stated. They further argued that the rule’s rigid timelines for disclosure, coupled with its limited exceptions, impede efforts to contain breaches and cooperate with authorities.

Concerns Over Market Confusion and Criminal Exploitation

The banking organizations specifically requested the removal of “Item 1.05” from the SEC’s Form 8-K reporting requirements, which covers significant cybersecurity events. They also urged the elimination of similar rules under Form 6-K, which applies to foreign private issuers. These forms are used to inform investors about material developments that may impact company performance or shareholder value.

In their petition, the groups cited real-world examples of how the disclosure requirement has been “weaponized” by cybercriminals. According to the letter, ransomware gangs have exploited public disclosure mandates as leverage, threatening early publication of breaches to extort larger ransoms from targeted companies. The premature release of sensitive details also exposes companies to increased insurance liabilities and legal risks, they claimed.

Additionally, the rule’s structure, which includes a narrow and complex delay mechanism for reporting, may chill internal communications and discourage routine information sharing within organizations. The groups argued that existing reporting frameworks are sufficient for investor protection and would be more effective without the added burden of the new cybersecurity rule.

Cybersecurity Disclosure Rule: Crypto Sector Also Feels the Impact

While the regulation targets public companies across sectors, its effects have also rippled through the cryptocurrency industry. Earlier this month, Coinbase disclosed a significant security breach involving compromised customer support staff. According to the company, attackers bribed employees to leak user data, which was then used in phishing attacks against customers; the company estimated the incident could cost it up to $400 million. After making the disclosure required under the rule, Coinbase was hit with at least seven lawsuits.

The financial groups noted that the current rule leaves firms vulnerable to such fallout. They suggested that allowing more flexibility in disclosure timelines could better protect companies from both criminal exploitation and reputational harm.

If the SEC complies with the banking industry’s request, companies like Coinbase and other publicly traded firms may gain more control over when and how to report cybersecurity breaches, potentially changing how incident disclosures are handled across the U.S. financial landscape.
