A coalition of leading U.S. banking associations is urging the Securities and Exchange Commission (SEC) to revoke a key cybersecurity regulation requiring public companies to report material cyber incidents within four business days. In a letter sent on May 22, the group argued the rule poses national security risks and disrupts coordinated cyber threat responses.
Led by the American Bankers Association (ABA), the letter was co-signed by four other major financial groups: the Securities Industry and Financial Markets Association (SIFMA), the Bank Policy Institute, the Independent Community Bankers of America, and the Institute of International Bankers. Together, they claim the SEC’s Cybersecurity Risk Management rule, introduced in July 2023, directly conflicts with confidential reporting structures designed to protect critical infrastructure and alert potential victims.

The rule, they argue, was flawed from inception. Its rigid timeline, limited exceptions for law enforcement, and narrow mechanisms for delaying disclosures are said to interfere with real-time incident response, create confusion between mandatory and voluntary reporting, and possibly even embolden cybercriminals.
“Threat actors have begun using mandatory disclosures as leverage—weaponizing transparency to pressure victims into payouts,” the letter stated.
It also warned that forced disclosures could complicate insurance coverage, increase legal liabilities, and deter internal teams from freely communicating during high-stress breach responses.
The financial sector’s pushback comes as cyber threats escalate globally and regulators weigh how to balance transparency with operational resilience. The SEC has yet to respond to the repeal request, but the growing friction between compliance mandates and real-world security operations suggests this debate is far from over.
Repeal Push Cites Coinbase Breach, Confusion
In a mounting effort to unwind the SEC’s cybersecurity disclosure rule, five of the United States’ top banking trade groups are calling on the Commission to eliminate “Item 1.05” from Form 8-K and the corresponding Form 6-K reporting standards. The controversial item mandates that public companies report significant cybersecurity breaches within four business days—an obligation the financial sector says is undermining both security and regulatory clarity.
Form 8-K is the SEC’s mechanism for alerting investors to key corporate events, including data breaches, that could materially affect a company’s performance or valuation. However, the petitioners argue that cybersecurity incidents are already adequately covered under existing material disclosure rules—and that removing Item 1.05 would better protect investor interests without compromising transparency.
The groups’ formal petition included several examples of stakeholder confusion and cited real-world breaches to highlight the rule’s negative impact. Among the most prominent is Coinbase, the publicly listed crypto exchange that recently disclosed a phishing attack in which hackers bribed customer support staff to leak sensitive user data. The breach triggered at least seven lawsuits and exposed the firm to potential damages of up to $400 million.
Coinbase’s legal fallout has become a key talking point for opponents of Item 1.05, who argue that rushed disclosures—made under pressure from regulatory deadlines—can expose companies to premature legal risks and hinder internal coordination. Coinbase notably refused to pay a $20 million ransom demanded by the attackers, choosing instead to disclose the incident, which may have worsened its legal exposure under current reporting rules.
If the SEC agrees to rescind the rule, firms like Coinbase and others in the fintech and banking sectors could gain more flexibility in how and when they disclose cyber breaches—potentially reducing legal risks while enabling more effective response strategies. The debate now centers on how to balance investor rights with operational security in an age of increasingly sophisticated cyber threats.
Quick Facts
- U.S. banking groups urge SEC to repeal cyber disclosure rule
- Rule mandates breach reporting within four business days
- Financial sector warns of national security and legal risks
- Coinbase breach cited as key example of the rule’s impact
- Critics seek repeal of Item 1.05 from SEC’s Form 8-K