Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

Five major US banking groups, led by the American Bankers Association, have petitioned the Securities and Exchange Commission (SEC) to repeal its cybersecurity incident public disclosure requirements. Their May 22 letter argues that the rule, part of the SEC’s Cybersecurity Risk Management rule (July 2023), directly contradicts confidential reporting aimed at protecting critical infrastructure and warning potential victims.
The banking groups contend that the rule’s “complex and narrow disclosure delay mechanism” hinders incident response and law enforcement, creating market confusion between mandatory and voluntary disclosures. They claim public disclosure is being exploited by ransomware criminals for extortion, exacerbating insurance and liability issues for companies and chilling internal communications. Specifically, they target the rescission of “Item 1.05” from Form 8-K reporting requirements. Form 8-K mandates public notification of significant events, including cybersecurity incidents, to investors.
The banking groups believe investor interests would be better served by the existing framework for reporting material information, which may include material cybersecurity incidents, rendering Item 1.05 redundant. Their petition cites instances of confusion among participants, ransomware attacks, and documented regulatory conflicts to support their claim.
This requirement also impacts publicly listed crypto companies. Coinbase, for example, recently disclosed a data breach resulting from bribed support staff, leading to seven lawsuits. Coinbase’s disclosure followed a rejected $20 million ransom demand, with potential damages reaching $400 million. Rescinding the requirement could offer firms like Coinbase more time before publicly disclosing incidents. The petition highlights the belief that the current rule negatively impacts national cybersecurity efforts. The SEC’s response to this petition remains to be seen, with significant implications for the balance between transparency and the security of critical financial infrastructure.