U.S. Banking Groups Urge SEC to Scrap Cyber Disclosure Rule, Citing National Security Risks

On January 31, 2024, leading U.S. banking trade groups, including the American Bankers Association (ABA), the Bank Policy Institute (BPI), and the Securities Industry and Financial Markets Association (SIFMA), sent a formal petition to the U.S. Securities and Exchange Commission (SEC) requesting that it withdraws a controversial cybersecurity incident disclosure rule.

The petition , submitted on May 22, 2025, calls for the rescission of Item 1.05 in Form 8-K and the corresponding Form 6-K requirement for foreign private issuers, which mandate the disclosure of material cybersecurity incidents within four business days of determining their significance, citing deep concerns over national security, investor harm, and operational disruption.

The groups argue that these requirements have proven burdensome, confusing, and counterproductive to cybersecurity and investor protection.

“Premature disclosure of material cyber events has jeopardized incident containment, interfered with law enforcement coordination, and triggered market and legal chaos,” the petition states.

U.S. Banking Groups Warn SEC Cyber Disclosure Rule Aids Hackers

The SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule, adopted in July 2023, was intended to enhance transparency and standardize how public companies communicate cybersecurity threats to investors.

But critics say it is achieving the opposite. The petition emphasizes that registrants are forced to report incidents even when they remain ongoing, investigations are incomplete, and systems have not been fully remediated, thus potentially handing attackers an advantage.

The rule has led to significant confusion over how and when companies should disclose incidents. Despite the SEC’s attempts to clarify through Compliance & Disclosure Interpretations, comment letters, and commissioner guidance, registrants are still struggling to determine whether to report under Item 1.05 and Item 8.01.

Source: SIFMA

According to the trade groups, this uncertainty has made the rule ineffective and legally risky, exposing firms to litigation and reputational harm while failing to generate actionable information for investors.

Notably, the groups warned that ransomware gangs and other cybercriminals have started weaponizing the SEC’s disclosure timeline, using the threat of public exposure as leverage to extort victims.

“The incident disclosure requirement has been exploited by ransomware criminals to further malicious objectives,” the petition notes, adding that it may even increase the likelihood of follow-up attacks once firms are known to be vulnerable.

The petition’s core is a warning that the SEC’s disclosure rule undermines federal cybersecurity strategy.

The groups further argue that releasing details of material cyber incidents into the public domain too early may conflict with confidential reporting requirements under laws like the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).

Investors Better Served by Existing Disclosure Frameworks

Despite the SEC’s intent to enhance investor protection, the petition insists that the current cyber incident disclosure rule fails to provide “decision-useful” information to the market.

Instead, it risks creating misleading narratives based on incomplete facts while harming the institutions it seeks to regulate.

The banking groups argue that existing disclosure obligations such as Regulation S-K Item 105 and the pre-existing materiality framework already compel companies to report significant risks, including cybersecurity threats, in a way that preserves investor interests without compromising national security or company resilience.

They assert that investors will still be protected without Item 1.05.

“We believe they would be better served through the pre-existing disclosure framework for reporting material information—which may include material cybersecurity incidents—while better mitigating the concerns raised above,” the letter concludes.

The SEC has yet to respond to the May 22 petition publicly.As the SEC weighs its next move, the outcome could reshape how U.S. companies balance transparency with cybersecurity resilience in an increasingly hostile ecosystem.