
Financial Groups Oppose SEC Mandate
A coalition of major U.S. banking and financial advocacy groups has formally requested the Securities and Exchange Commission (SEC) to repeal a controversial cybersecurity disclosure rule. The regulation requires public companies to disclose significant cybersecurity incidents, including breaches and hacks, within four days of determining the incident is material.
In a letter dated May 22, the American Bankers Association, joined by four other powerful industry groups, expressed deep concern over what they called a “flawed” and “dangerous” rule. Their primary argument is that mandatory public disclosures within such a short timeframe can conflict with national security protocols and law enforcement efforts—especially when it comes to protecting critical financial infrastructure.
Rule Conflicts With Security Protocols
The SEC’s rule, introduced in July 2023, aims to improve transparency and investor awareness in an increasingly digital financial environment. Known as the Cybersecurity Risk Management Rule, it requires disclosures under Item 1.05 of Form 8-K, which is typically used by public companies to notify investors of significant events.
However, banking groups claim this rule undermines more secure and confidential incident reporting systems already in place. For instance, when a cybersecurity breach involves sensitive infrastructure, quick public disclosures can alert cybercriminals to law enforcement awareness or compromise ongoing investigations.
Moreover, the financial groups argue that the rule disrupts incident response processes by creating a rushed timeline. Instead of allowing companies to coordinate with federal agencies or respond internally, they must first determine if the incident is material—then disclose it to the public just days later.
Public Risk and Ransom Concerns
One of the most troubling implications, according to these banking bodies, is how ransomware groups exploit the rule. The petition highlights that malicious actors have started to weaponize the disclosure requirement—threatening to release stolen data or escalate attacks unless companies agree to pay ransoms before the four-day window forces public exposure.
This tactic not only increases the psychological and financial pressure on victims but also introduces greater insurance liability, potential securities lawsuits from investors, and reputational damage for the companies involved.
In addition, mandatory early disclosure can stifle open internal communication during a breach response. Employees and executives may be hesitant to speak freely if they fear internal emails and assessments will become part of public records almost immediately.
Crypto Firms Hit Harder
While traditional banks are voicing concerns, public crypto firms may be even more exposed under the current rule. Coinbase, the largest U.S.-based crypto exchange, recently reported a major cyberattack where hackers bribed support staff to gain access to user data.
After the attack became public, Coinbase faced at least seven lawsuits and a potential $400 million in financial liability. The company also revealed it had refused a $20 million ransom demand—raising questions about how forced disclosures can influence the dynamics between companies and cybercriminals.
Banking and crypto advocacy groups now argue that companies should be allowed more flexibility and time to respond to threats without triggering immediate public scrutiny, legal risks, or market panic.
A Call to Rescind Item 1.05
The joint petition focuses on the removal of Item 1.05 from the SEC’s Form 8-K and equivalent reporting under Form 6-K, which applies to foreign companies listed in the U.S. The groups believe that companies are already subject to adequate disclosure requirements through broader material risk reporting rules—making the new cyber-specific rule redundant and risky.
According to the petitioners, eliminating Item 1.05 wouldn’t harm investors. Instead, it would allow companies to continue providing necessary information about cyber threats through safer, context-sensitive frameworks without endangering public trust or national cybersecurity.
They further cite examples of real-world confusion created by the rule since it took effect, including incidents where it was unclear whether disclosures were required or advisable—resulting in inconsistent reporting across industries.
Final Thoughts
As cyber threats continue to evolve in complexity and scale, balancing transparency with security becomes more challenging. The banking lobby’s challenge to the SEC’s disclosure rule opens a critical dialogue: how can companies responsibly report cyberattacks without tipping off hackers or jeopardizing national interests?
With high-profile cases like Coinbase illustrating the risks of early disclosure, regulators may soon be forced to revisit the rule—and possibly revise or rescind it altogether.