Five major banking associations have formally petitioned the U.S. Securities and Exchange Commission (SEC) to repeal a rule that mandates public companies to disclose material cybersecurity incidents within four business days.
The organizations argue that the rule, particularly the reporting requirement under Form 6-K for foreign issuers and Form 8-K Item 1.05 for domestic issuers, poses unnecessary risks and fails to serve its intended purpose of investor protection.
The petition, submitted under Rule 192 of the SEC’s Rules of Practice, was jointly signed by the American Bankers Association (ABA), Bank Policy Institute (BPI), Securities Industry and Financial Markets Association (SIFMA), Independent Community Bankers of America (ICBA), and the Institute of International Bankers (IIB).
Together, these organizations represent the vast majority of the U.S. and global financial services sector, including firms that collectively manage trillions in assets and employ millions across the country.
The Case Against the SEC Rule
The SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule, which went into effect in 2023, includes controversial disclosure mandates. These requirements oblige companies to publicly announce material cybersecurity breaches within a tight, four-day timeframe—even if the incident is still under investigation or not fully remediated.
“Premature disclosure has harmed registrants and, at the same time, failed to provide the market with meaningful or actionable information upon which to make investment decisions,” the petition asserts. The banking groups further argue that the rule increases confusion in the market. Companies often struggle to decide whether to report under Item 1.05, Item 8.01, or whether to report at all. This confusion has persisted despite multiple SEC-issued Compliance & Disclosure Interpretations, commissioner statements, and comment letters.
The banking groups also highlight that the Form 6-K disclosure requirement for foreign private issuers mirrors the same problems as Form 8-K Item 1.05, adding unnecessary complexity for globally operating institutions.
Real-World Consequences
The petitioners point to tangible impacts already observed since the rule took effect. For example, they cite that registrants have been forced into disclosure before fully understanding the scope or implications of a breach. This, they argue, not only undermines their cybersecurity response efforts but also misleads investors with incomplete information.
One consequence noted is the weaponization of the disclosure rule by threat actors. In 2023, the hacking group AlphV filed an SEC complaint against MeridianLink, alleging it failed to report a data breach as required. Incidents like this suggest that criminals are exploiting the regulatory framework to exert additional pressure during ransomware attacks.
The financial groups warn that such misuse of the rule could expose companies to greater cybersecurity risks, increased insurance liabilities, and greater financial harm due to premature or unclear disclosures.
Conflict with National Security and Law Enforcement
Another key argument is that the rule directly conflicts with other regulatory efforts aimed at national cybersecurity. Mandatory public disclosures may interfere with confidential incident reporting required under other federal programs and hinder law enforcement investigations.
“The complex and narrow disclosure delay mechanism interferes with incident response and law enforcement investigations,” the petition explains. Furthermore, the public nature of the disclosures may discourage candid internal communications and limit collaboration within companies during incident response efforts.
A Call for a Better Alternative
The petitioners argue that the existing disclosure framework, which already requires the reporting of all material information, including cybersecurity incidents, offers adequate investor protection without the added risks imposed by the current rule.
They emphasize that the SEC’s own staff has had to create a “patchwork” of guidance and comment letters in an attempt to clarify the rule, reflecting the fundamental problems in its design. The banking groups have urged the SEC to fully rescind Form 8-K Item 1.05 and the corresponding Form 6-K requirement.
Conclusion
The petition to rescind the SEC’s cybersecurity incident disclosure rule represents a unified and forceful stance from some of the most influential voices in the financial services industry. Led by the American Bankers Association, which represents a $24.1 trillion industry, along with the Bank Policy Institute, a leader in cybersecurity and risk management advocacy, the coalition also includes SIFMA, representing one million capital markets employees, the Independent Community Bankers of America, which champions the role of community banks, and the Institute of International Bankers, representing U.S. operations of banks from over 35 countries.
Together, these organizations are urging the SEC to reconsider the rapid disclosure mandates under Form 6-K and Form 8-K Item 1.05, citing operational risks, national security concerns, and inadequate investor benefit.
