A coalition of major U.S. banking associations, led by the American Bankers Association (ABA), has formally petitioned the Securities and Exchange Commission (SEC) to rescind a rule mandating public companies to disclose material cybersecurity incidents within four business days. The groups argue that this requirement poses significant risks to national security and hampers effective incident response.
In a letter dated May 22, the ABA, along with the Bank Policy Institute, Securities Industry and Financial Markets Association, Independent Community Bankers of America, and the Institute of International Bankers, contended that the SEC’s Cybersecurity Risk Management rule, implemented in July 2023, conflicts with existing confidential reporting protocols designed to protect critical infrastructure and assist potential victims.
The petition specifically calls for the removal of “Item 1.05” from the SEC’s Form 8-K reporting requirements and the corresponding Form 6-K for foreign issuers. The groups assert that existing frameworks already require the disclosure of material information, including cybersecurity incidents, and that the additional mandate may do more harm than good.
This move underscores the financial sector’s concerns about balancing transparency with security, emphasizing the need for regulations that support both investor protection and effective cybersecurity practices.
