Catenaa, Thursday, May 29, 2025 - Major US banking trade organizations have formally petitioned the Securities and Exchange Commission to repeal its cybersecurity incident disclosure rule.
The groups include the American Bankers Association, Bank Policy Institute and Securities Industry and Financial Markets Association.[1]
The groups argue the mandate poses serious national security risks and operational challenges.
The full petition can be seen here.
The petition, submitted May 22, calls for scrapping Item 1.05 of Form 8-K and the equivalent Form 6-K requirement for foreign issuers, which obligates companies to publicly disclose material cybersecurity incidents within four business days of identifying their significance.
The banking groups say this timeline is impractical and compromises incident containment and law enforcement efforts.
Premature disclosure of material cyber events jeopardizes incident containment, interferes with law enforcement coordination, and triggers market and legal chaos, the petition states.
Adopted in July 2023, the SEC’s rule aimed to improve transparency around cyber threats for investors.
However, critics say it has backfired by forcing disclosures during ongoing investigations, potentially giving attackers an advantage. Confusion persists over when and how to disclose incidents despite the SEC’s clarifications.
The petition highlights how ransomware gangs exploit the rule’s strict deadlines to extort companies and escalate attacks. It also warns the rule may conflict with confidential reporting requirements under federal laws like the Cyber Incident Reporting for Critical Infrastructure Act.
The banking groups contend existing disclosure rules already require reporting material cybersecurity risks in a way that protects investors without compromising security. They urge the SEC to rely on these frameworks instead.
The SEC has not publicly responded. The petition’s outcome could reshape cybersecurity disclosure practices amid growing threats.
[1] https://www.bloomberg.com/news/articles/2025-04-14/jpmorgan-bny-limit-information-sharing-with-occ-after-hack
