Five major financial organizations formally urged the Securities and Exchange Commission (SEC) to reconsider a contested cybersecurity rule. The American Bankers Association, Bank Policy Institute, SIFMA, Independent Community Bankers of America, and Institute of International Bankers jointly submitted the request under Rule 192.
These organizations raised grave concerns about the SEC's mandatory cybersecurity disclosure requirements, specifically Item 1.05 of Form 8-K and Item 6-K. These mandates oblige firms to quickly disclose material cyber events, even when the events are still under investigation and unresolved.
Industry representatives cautioned that these disclosure requirements hurt the banking industry while providing little value to the marketplace or to investors. They contend that the requirements pose unnecessary public risk and expose the entities to hacking and blackmail by cyber criminals.
Since the rule went into effect 18 months ago, institutions have had to disclose incidents while investigations are still ongoing. This early disclosure interferes with incident response, inhibits law enforcement, and exposes sensitive information to malicious entities.
SEC Disclosure Rule Faces Growing Backlash
The petitioners emphasized that rushed disclosures increase confusion within markets and add legal and operational burdens for registrants. Many firms reported uncertainty over how and when to file, despite repeated SEC guidance attempts through letters and public statements.
Threat actors have taken advantage of these reporting rules by pressuring businesses to disclose breaches or face further threats. These tactics show how the rule has inadvertently emboldened cybercriminals and put businesses at risk.
In addition, disclosures made at an early stage may cause insurance complications, investor anxiety, or economic instability. These outcomes run contrary to the SEC's primary mission of investor protection and market stability, the petitioners aver.
The groups state that current disclosure frameworks already mandate the reporting of material events, such as cyberattacks, in a proper and considered manner. They maintain that eliminating Item 1.05 would continue to protect investors while avoiding unnecessary exposure and regulatory uncertainty.
The petition will now undergo SEC scrutiny amid escalating demands for a balanced, realistic approach to cybersecurity disclosures.