Associations Petition SEC to Amend Cybersecurity Disclosure Rule
Financial industry trade associations petitioned the SEC to issue a rulemaking rescinding elements of its Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure Rule.
The petition was submitted by the American Bankers Association, Bank Policy Institute, SIFMA, Independent Community Bankers of America and Institute of International Bankers (collectively, "associations"). The groups specifically urged the SEC to rescind Form 8-K Item 1.05 ("Material Cybersecurity Incidents") and the corresponding Form 6-K ("Report of Foreign Private Issuer") disclosure requirements for cybersecurity incidents, arguing that the rule creates confusion, imposes undue burdens and threatens the effectiveness of incident response efforts.
The associations urged the SEC to return to a principles-based disclosure framework that allows companies to evaluate cybersecurity risks under existing materiality standards and use voluntary disclosure mechanisms. They argued that such an approach would still protect investors while reducing operational burdens and improving disclosure quality.
In the petition, the associations asserted that the current disclosure rule requirements, which mandate public disclosure of material cybersecurity incidents within four business days, compromise critical infrastructure protections and may interfere with law enforcement investigations. The associations explained that multiple federal agencies rely on confidential cyber incident reporting to coordinate responses, and that the SEC's public reporting mandate undermines those efforts by accelerating disclosure timelines and creating overlap with existing regulatory regimes.
The associations argued that the disclosure rule has already proven harmful in practice: companies have been forced to release incomplete information during active cyber incidents. The associations said the rule's ambiguity has led to inconsistent filings and investor confusion.
The associations noted additional significant legal and financial risks for registrants, including potential exposure to securities litigation based on speculative or evolving incident data. The associations argued that the rule discourages open communication within companies and inhibits valuable information sharing with peers and government agencies.
Further, the associations highlighted the growing use of the current disclosure rule by ransomware attackers to pressure victim companies. They pointed to a November 2023 case in which a ransomware group filed a complaint with the SEC against its own victim, alleging failure to disclose a breach. The associations warned that this tactic is becoming more common and gives malicious actors additional leverage to extort victims.