Five major U.S. banking associations have formally petitioned the Securities and Exchange Commission. They are urging the SEC to repeal a specific new rule regarding cyber incidents. This rule mandates public companies disclose material cybersecurity incidents very quickly, within four days. The petition targets the reporting requirement under Form 8-K Item 1.05 for U.S. issuers. It also concerns the corresponding Form 6-K disclosure requirement for all foreign private issuers. The organizations argue the rule poses unnecessary risks and fails to protect investors. Signatories include the American Bankers Association Bank Policy Institute SIFMA ICBA and IIB. These groups represent the vast majority of the U.S. and global financial services sector.
The SEC’s Cybersecurity Risk Management and Incident Disclosure rule became effective in 2023. It includes these controversial mandates for very rapid public disclosure of material breaches. Companies are obliged to publicly announce these breaches within a tight four-day timeframe. This is required even if the incident is still under active investigation or not remediated. The banking groups assert that such premature disclosure has significantly harmed many registrants. It has also failed to provide the market with meaningful or actionable information. The rule increases market confusion as companies struggle with when and how to report. This confusion has persisted despite multiple SEC issued interpretations and various official statements. Form 6-K requirements for foreign issuers mirror these same significant reporting problems.
The petitioners point to tangible negative impacts already observed since the rule took effect.
For instance registrants have been forced into disclosure before fully understanding a breach. This premature disclosure not only undermines their vital cybersecurity response and recovery efforts. It also often misleads investors by providing them with incomplete or unclear information. A serious consequence is the weaponization of this disclosure rule by threat actors. In 2023 the AlphV hacking group filed an SEC complaint against firm MeridianLink. This suggests criminals are now exploiting the regulatory framework to exert additional pressure. The financial groups warn such misuse could expose companies to even greater cybersecurity risks. The rule also directly conflicts with other regulatory efforts aimed at national cybersecurity.
Mandatory public disclosures may interfere with confidential incident reporting and also law enforcement.
The petitioners argue that the existing SEC disclosure framework already offers adequate investor protection. This framework already requires the timely reporting of all material company information. This includes material cybersecurity incidents without the added risks imposed by the current rule. They emphasize the SEC’s own staff created a “patchwork” of guidance for the rule. This reflects fundamental problems that are inherent in its current design and structure. The influential banking groups have therefore urged the SEC to fully rescind these items. This petition represents a very unified and also forceful stance from the industry. They cite serious operational risks national security concerns and also inadequate investor benefit. These organizations are urging the SEC to reconsider its rapid cyber disclosure mandates.
Reference:
