A coalition of major U.S. banking organizations is urging the Securities and Exchange Commission (SEC) to scrap a controversial rule that requires public companies to disclose cybersecurity breaches within four days. The demand highlights growing tensions between regulatory transparency and national security concerns, particularly as cyberattacks grow more frequent and complex.
In a formal letter dated May 22, five influential banking groups, including the American Bankers Association, called on the SEC to rescind the public disclosure mandate introduced in its 2023 Cybersecurity Risk Management rule. Other signatories include the Bank Policy Institute, the Securities Industry and Financial Markets Association (SIFMA), the Institute of International Bankers, and the Independent Community Bankers of America.
Their primary concern? That the rule’s requirement to disclose cyber incidents publicly within a narrow timeframe could unintentionally harm national cybersecurity efforts and even embolden cybercriminals.
According to the letter, the groups argue that this rule “directly conflicts with confidential reporting frameworks” that are currently in place to protect critical infrastructure and inform potential victims discreetly. In particular, they take issue with “Item 1.05” in Form 8-K — a component of the SEC’s disclosure forms that mandates swift public notification when a company experiences a material cybersecurity incident.
The groups emphasize that this requirement disrupts effective coordination with law enforcement and interferes with an organization’s ability to fully understand and contain a cyber threat before going public. “The rule, as it stands, creates unnecessary complexity and injects confusion between what’s legally required and what’s voluntarily disclosed,” they stated, citing specific instances where this has undermined response efforts.
Adding to their concerns, the letter points out that hackers — particularly ransomware operators — have started to exploit public disclosure mandates as part of their extortion strategies. “Threat actors are now using the risk of premature disclosure as leverage,” the groups noted. “This amplifies the pressure on victimized companies and may lead to rushed and incomplete reporting, which in turn exacerbates legal and financial liabilities.”
They also claim the rule has the unintended consequence of chilling internal communication, as companies become hesitant to share sensitive information openly for fear it might be forced into public view prematurely.
Despite their pushback, the groups insist they are not opposed to cybersecurity transparency. Instead, they advocate returning to the SEC’s preexisting disclosure framework, which already required companies to report material information, including cyber incidents, as part of their standard public filings. “Investor interests can still be fully protected under the original framework,” the letter argues.
Publicly traded crypto firms are particularly exposed under the current rule. For example, earlier this month, Coinbase was thrust into the spotlight after disclosing that a hacker had bribed a support employee and accessed user data. The disclosure led to at least seven lawsuits against the exchange, highlighting the potential legal fallout from timely transparency.
Coinbase also revealed that it rejected a $20 million ransom demand after the data leak and warned that the incident could cost the company up to $400 million. This case has become a prime example for critics of the SEC’s rule, who argue that the forced disclosure may do more harm than good in such complex, high-stakes scenarios.
If the SEC bows to industry pressure and rescinds Item 1.05, companies like Coinbase and other public firms might be afforded greater discretion — and more time — when deciding how and when to disclose cyberattacks. Whether that leads to better outcomes for investors and the public remains a contentious issue.
As cyber threats continue to escalate across all sectors, the SEC now finds itself at the crossroads of enforcing transparency while preserving operational security. The question is whether the agency will hold firm — or revisit a rule that’s fast becoming one of the most divisive in recent memory.
