A coalition of financial industry trade associations is calling on the Securities and Exchange Commission to roll back key portions of its cybersecurity disclosure rule, arguing that current requirements force companies to make premature public statements that could harm investors and empower bad actors.
In a joint petition last week, the American Bankers Association, Bank Policy Institute, Securities Industry and Financial Markets Association, Independent Community Bankers of America, and the Institute of International Bankers requested that the SEC rescind its Form 8-K Item 1.05 rule. That provision requires public companies to disclose material cybersecurity incidents within four business days of determining their significance.
In its statement of enforcement priorities for 2025, the SEC highlighted risks from cyberattacks and the threat of operational disruptions. Among other plans, the regulator said it would scrutinize how firms respond to cyber breaches such as ransomware attacks, as well as the practices they have in place to prevent such incidents.
The May 22 letter from SIFMA and other financial trade groups argued that the SEC's cyber incident reporting rule has led to rushed, speculative disclosures that confuse investors and expose companies to additional cyber risks and legal liability. They also warned that the rule undermines parallel efforts by other federal agencies to maintain confidential threat reporting processes.
"The premature disclosure has harmed registrants and at the same time failed to provide the market with meaningful or actionable information upon which to make investment decisions," the petition stated.
Among the industry's concerns is the potential for threat actors to exploit the rule’s requirements. In one cited example, the ransomware group AlphV reported one of its own victims, MeridianLink, to the SEC in 2023 for allegedly failing to disclose a breach.
According to the petition, “cybercriminals leverage regulatory requirements to further their malicious objectives,” increasing operational damage to affected firms.
The petition also argues that the rule’s narrow exemption process – requiring attorney general intervention to delay disclosure on national security grounds – is cumbersome and counterproductive during active incident response efforts.
Additionally, signatories said the threat of SEC enforcement and litigation has chilled both internal communication and external sharing of threat intelligence.
"We are aware of recent instances where the enforcement staff of the SEC requested extensive records of all communications about the incident, which, made during a rapidly evolving situation, risk being unfairly scrutinized in hindsight," the letter said.
The groups claim that investor protections would remain intact without the rule, since companies would still be required to disclose material cyber events under longstanding SEC guidance. They also note that many firms have voluntarily used Form 8-K Item 8.01 to disclose cyber incidents outside of the more rigid Item 1.05 framework.
Commissioner Hester Peirce, who has a history of dissenting against overregulation in cyber reporting, has also criticized the rule's scope. In her statement at the time, she said the policy “continues to ignore both the limits to the SEC’s disclosure authority and the best interests of investors.”
The petition urges the SEC to return to a principles-based disclosure approach. “Disclosures under such a regime will contain more meaningful, decision-useful information for investors,” the groups wrote.