BANKING GROUPS ASK SEC TO DROP CYBERSECURITY INCIDENT DISCLOSURE RULE

Last updated: June 20, 2025, 00:14 | Written by: Barry Silbert


The digital landscape is a battlefield, and financial institutions are constantly under siege from cyberattacks. Protecting sensitive data and maintaining the integrity of the financial system is paramount. However, a recent showdown between major banking groups and the Securities and Exchange Commission (SEC) has brought a controversial cybersecurity rule into the spotlight. A powerful coalition of banking industry groups, spearheaded by the American Bankers Association (ABA), is urging the SEC to rescind its mandate requiring public companies to disclose material cybersecurity breaches within a mere four days of determining their materiality. This rule, born out of the Biden administration's efforts to bolster cybersecurity, has ignited a firestorm of debate, with banking groups arguing that it undermines national security, compromises their ability to respond effectively to attacks, and ultimately harms the very investors it's intended to protect.

Five US banking groups led by the American Bankers Association asked the regulator to remove its rule in a May 22 letter. The group also included the Securities Industry and Financial Markets Association, the Bank Policy Institute, Independent Community Bankers of America and the Institute of International Bankers. The core of the dispute lies in the potential conflict between swift public disclosure and the need to maintain confidentiality during active investigations and remediation efforts.

Is the SEC's rule a necessary step towards greater transparency and accountability, or is it a misguided regulation that could inadvertently worsen the cybersecurity risks faced by the financial sector? This article delves into the heart of the controversy, examining the arguments from both sides, exploring the potential consequences of the rule, and considering alternative approaches to safeguarding the financial system in the digital age.

The SEC's Cybersecurity Incident Disclosure Rule: An Overview

The SEC's rule, formally known as the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule, was adopted with the aim of providing investors with timely and accurate information about material cybersecurity incidents affecting public companies. The rule, which was adopted last year, requires businesses to publicly disclose a data breach or other cyber incident within four business days of determining whether the incident is material, unless the Justice Department determines that the disclosure would threaten national security or public safety. It mandates that companies disclose material cyber incidents within four business days of determining that the incident is, in fact, material. This disclosure is typically made through Form 8-K, a document used to publicly notify investors of significant events that may be important to shareholders or the SEC. For foreign private issuers, similar reporting requirements are placed via Form 6-K.

Key Components of the Rule

  • Four-Day Disclosure Window: Companies must disclose material cybersecurity incidents within four business days after determining the incident is material.
  • Form 8-K Reporting (Item 1.05): This specific item on Form 8-K is dedicated to reporting cybersecurity incidents.
  • Materiality Determination: Companies must have processes in place to determine the materiality of a cybersecurity incident.
  • Form 6-K Reporting: Parallel reporting requirements apply to foreign private issuers through Form 6-K.

The rationale behind the rule is to enhance transparency and provide investors with critical information to make informed investment decisions. The SEC believes that timely disclosure of material cyber incidents will allow investors to assess the potential impact of these incidents on a company's financial performance and reputation.

Why Banking Groups are Challenging the Rule

The banking industry's opposition to the SEC's cybersecurity incident disclosure rule is multifaceted. Their concerns center on the potential for the rule to compromise national security, increase the risk of follow-on attacks, and create unnecessary burdens on financial institutions.

Concerns About National Security

One of the primary arguments against the rule is that it could undermine national security efforts. After trying to lobby against the adoption of the new rule in 2025 and requesting a 12-month extension of the compliance dates for data protection and cybersecurity amendments in an April 2025 letter to the SEC, they now ask the SEC to repeal the rule or at least remove Item 1.05 of Form 8-K and the corresponding amendment in Form 6-K. Banking groups contend that disclosing details of a cybersecurity incident, even in a seemingly sanitized form, could provide valuable intelligence to malicious actors, including state-sponsored hackers and cybercriminals. This information could be used to refine their attack strategies, exploit vulnerabilities in other systems, and ultimately inflict greater damage on the financial system and the broader economy. Banks argue that mandatory reporting requirements directly conflict with confidential, ongoing investigations with law enforcement and intelligence agencies.

Increased Risk of Follow-On Attacks

Another major concern is that disclosing a cybersecurity incident could make a company a more attractive target for follow-on attacks. Once a company acknowledges that it has been breached, it signals to other hackers that the company may have weaknesses in its defenses. This could lead to a barrage of new attacks, potentially overwhelming the company's resources and further compromising its systems. The public disclosure can also highlight specific vulnerabilities that were exploited, giving other malicious actors a roadmap for future attacks on similar systems.

Burdensome Compliance Requirements

Banking groups also argue that the rule imposes significant compliance burdens on financial institutions. Determining the materiality of a cybersecurity incident within four days can be a complex and time-consuming process, especially in the midst of an active attack. Companies may need to divert resources from incident response and remediation efforts to focus on meeting the disclosure deadline. This could ultimately delay the recovery process and increase the overall damage caused by the attack.

Furthermore, the definition of "materiality" itself is subjective and open to interpretation, potentially leading to inconsistencies in reporting and creating uncertainty for companies trying to comply with the rule. Smaller institutions, in particular, may struggle to meet the compliance requirements due to limited resources and expertise.

Conflict with Existing Regulatory Frameworks

Financial institutions are already subject to a complex web of cybersecurity regulations from various agencies, including the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), and state regulators. Banking groups argue that the SEC's rule adds another layer of complexity and could create conflicts with existing reporting requirements. This could lead to confusion and inefficiencies, making it more difficult for companies to effectively manage their cybersecurity risks.

Specific Objections to Form 8-K Item 1.05

The banking groups' petition specifically targets Item 1.05 of Form 8-K, the section dedicated to reporting cybersecurity incidents. They argue that this specific requirement is particularly problematic for several reasons:

  • Premature Disclosure: The four-day disclosure window may force companies to disclose information before they have a complete understanding of the incident, its scope, and its potential impact. This could lead to inaccurate or misleading disclosures, which could harm investors.
  • Detailed Information: The rule may require companies to disclose sensitive technical details about the incident, such as the vulnerabilities that were exploited and the methods used by the attackers. This information could be used by other hackers to launch similar attacks on other companies.
  • Competitive Disadvantage: Disclosing a cybersecurity incident could damage a company's reputation and give competitors an advantage. Customers may lose confidence in the company's ability to protect their data, leading to a decline in business.

The SEC's Defense of the Rule

The SEC defends its cybersecurity incident disclosure rule by arguing that it is essential for protecting investors and promoting market integrity. The agency believes that timely and accurate information about material cybersecurity incidents is crucial for investors to make informed investment decisions.

Investor Protection

The SEC argues that investors have a right to know about material cybersecurity incidents that could affect a company's financial performance and reputation. Cyberattacks can have significant financial consequences, including direct costs for remediation, legal fees, regulatory fines, and lost revenue. They can also damage a company's brand and erode customer trust.

By requiring companies to disclose these incidents, the SEC aims to provide investors with the information they need to assess the potential risks and rewards of investing in a particular company.

Market Integrity

The SEC also believes that the rule is necessary to maintain market integrity. When companies conceal material cybersecurity incidents, it can create an uneven playing field, giving some investors an unfair advantage over others. This can erode trust in the markets and undermine investor confidence.

By ensuring that all investors have access to the same information, the SEC aims to promote fairness and transparency in the markets.

Flexibility and Guidance

The SEC argues that the rule provides companies with sufficient flexibility to determine the materiality of a cybersecurity incident. The agency has issued guidance to help companies assess materiality, taking into account factors such as the potential financial impact of the incident, the reputational damage, and the legal and regulatory consequences.

The SEC also emphasizes that the rule does not require companies to disclose sensitive technical details that could compromise national security or increase the risk of follow-on attacks. Companies can tailor their disclosures to provide investors with the information they need without revealing information that could be harmful.

Alternative Approaches to Cybersecurity Regulation

While the debate over the SEC's cybersecurity incident disclosure rule continues, it's important to consider alternative approaches to regulating cybersecurity in the financial sector. There are several options that could potentially strike a better balance between transparency, security, and compliance burden.

Enhanced Information Sharing

One alternative is to focus on enhancing information sharing between financial institutions and government agencies. This could involve creating a centralized platform for sharing threat intelligence, best practices, and incident reports. By sharing information in a secure and confidential manner, financial institutions can improve their ability to detect and respond to cyberattacks without compromising national security.

Risk-Based Regulation

Another approach is to adopt a risk-based regulatory framework that focuses on the most critical assets and vulnerabilities. This would involve requiring financial institutions to conduct regular risk assessments and implement appropriate security controls to protect their most sensitive data and systems. The level of regulatory scrutiny would be proportionate to the risk posed by the institution's activities and the potential impact of a cyberattack.

Cybersecurity Standards and Best Practices

A third alternative is to develop industry-wide cybersecurity standards and best practices. This could involve creating a set of common security controls that all financial institutions would be required to implement. The standards could be developed by a consortium of industry experts, government agencies, and academic researchers.

Potential Consequences of Rescinding the Rule

If the SEC were to rescind its cybersecurity incident disclosure rule, it could have several potential consequences:

  • Reduced Transparency: Investors would have less information about material cybersecurity incidents affecting public companies, potentially making it more difficult to assess the risks and rewards of investing in those companies.
  • Erosion of Investor Confidence: The lack of transparency could erode investor confidence in the markets, leading to a decline in investment activity.
  • Increased Vulnerability: Without the pressure of public disclosure, companies may be less incentivized to invest in cybersecurity and implement robust security controls. This could increase their vulnerability to cyberattacks.

Potential Consequences of Maintaining the Rule

Conversely, maintaining the rule, even with potential modifications, also carries consequences:

  • Compromised Security: As argued by the banking groups, public disclosure could provide valuable information to malicious actors, potentially increasing the risk of follow-on attacks.
  • Increased Compliance Costs: The rule imposes significant compliance burdens on financial institutions, potentially diverting resources from incident response and remediation efforts.
  • Chilling Effect on Disclosure: Companies may be hesitant to disclose cybersecurity incidents, even if they are material, for fear of reputational damage or legal repercussions.

The Importance of a Balanced Approach

Ultimately, the key to regulating cybersecurity in the financial sector is to strike a balance between transparency, security, and compliance burden. The SEC's cybersecurity incident disclosure rule represents one approach, but it is not without its flaws. By considering alternative approaches and carefully weighing the potential consequences of each option, policymakers can develop a regulatory framework that effectively protects the financial system from cyber threats while minimizing the unintended consequences of regulation.

Conclusion: Finding the Right Path Forward

The debate surrounding the SEC's cybersecurity incident disclosure rule highlights the complex challenges of regulating cybersecurity in the financial sector. While the SEC aims to protect investors and promote market integrity through transparency, banking groups argue that the rule undermines national security and creates unnecessary burdens. The banking groups' push for the SEC to drop the cybersecurity incident disclosure rule represents a significant challenge to the SEC's agenda. A balanced approach is needed, one that enhances information sharing, focuses on risk-based regulation, and promotes industry-wide cybersecurity standards. Rescinding the rule entirely could reduce transparency and erode investor confidence, while maintaining it in its current form could compromise security and increase compliance costs. Therefore, further dialogue and collaboration between regulators, industry stakeholders, and cybersecurity experts are essential to crafting a regulatory framework that effectively protects the financial system from cyber threats without creating undue burdens or unintended consequences. This situation is complex, but collaboration can achieve the best outcome. It remains to be seen how the SEC will respond to this forceful petition from the financial services industry, but the outcome will undoubtedly shape the future of cybersecurity regulation for years to come. The rule's future, and the balance between transparency and security, hangs in the balance.

