Major banking industry groups are urging the U.S. Securities and Exchange Commission (SEC) to reconsider its cybersecurity incident disclosure rule, which mandates that public companies report material breaches within four business days.
The rule, enacted in December 2023, aims to increase transparency for investors and regulators—but banks argue it creates new risks.
The formal request to withdraw or amend the rule was submitted this week by organizations such as the American Bankers Association (ABA), Bank Policy Institute (BPI), and the Securities Industry and Financial Markets Association (SIFMA).
Why Banking Groups Oppose the Rule
The groups argue that the rule, while well-intentioned, may jeopardize national security and financial stability. By requiring quick disclosure of cyberattacks—even before systems are fully assessed or secured—hackers could exploit known vulnerabilities or coordinate further attacks.
“Premature disclosure could provide a roadmap to adversaries,” said BPI in its joint letter to the SEC.
“It may also panic markets without giving companies the time to evaluate or contain threats.”
Additionally, the letter highlights the overlap with existing financial regulations. Banks are already required to report cyber incidents to federal banking regulators and law enforcement agencies, often in real time.
SEC’s Rationale: Investor Protection and Market Trust
The SEC, led by Chair Gary Gensler, implemented the rule to improve transparency and investor protection. The agency believes that material cyber events—like data breaches, ransomware attacks, or compromised systems—can significantly impact a company’s financial performance and stock price.
“Cybersecurity is a business risk, not just an IT issue,” Gensler has previously stated. “Investors deserve to know about major events affecting a company’s operations.”
The rule also seeks to standardize how and when companies disclose breaches, as previously, timelines were inconsistent across industries and jurisdictions.
Balancing Security With Transparency
This clash highlights a growing tension between regulatory oversight and operational security in an era of rising cyber threats. While transparency is crucial for investors, real-time disclosure may expose companies to further risks and complicate incident response efforts.
Banking groups are not against cybersecurity disclosure—but they want flexibility and case-by-case discretion.
They propose amending the rule to allow longer disclosure periods, or exempting systemically important financial institutions.
What Comes Next?
The SEC has yet to respond to the petition, but legal experts predict the issue could escalate to Congress or federal courts if no compromise is reached.
As cyber threats intensify, the debate over how—and when—to disclose them is far from over.
This could become a defining battle over corporate cybersecurity and regulatory power in 2025.