Banks Ask SEC to Scale Back Cyber Rule

The banking industry is asking the Securities and Exchange Commission to rescind its 2023 rules requiring companies to disclose more details about the cybersecurity incidents they suffer, presumably figuring that the Trump-tilted leaders of today’s SEC will be predisposed to agree. 

A collection of banking trade groups sent a letter to the SEC late last week, asking it to rescind the rules requiring publicly traded companies to disclose “material cybersecurity incidents” in a Form 8-K filing within four days of the company deciding an incident is indeed material. 

“These requirements impose additional risks, cost, and complexity on SEC registrants,” the banking groups wrote, “… while also failing to generate the type of decision-useful information which would advance the SEC’s mission to protect investors.”

The letter may have come from the banking industry, but let’s be honest: a request like this was inevitable. The SEC cyber disclosure rules tell companies what they have to do, and companies hate being told what to do, especially when it involves them confirming to the public that they messed something up. So now they’re asking the Project 2025 folks running the SEC to rescind the rules. They’ll probably win.

We should note that the bank industry letter asks the SEC to rescind only the requirement for prompt disclosure of cybersecurity incidents. The 2023 rules also require companies to make annual disclosures in the 10-K of their overall cybersecurity risks and risk management efforts. The banking industry isn’t challenging those annual disclosure requirements (at least, not now), although the letter adds that “we continue to have significant concerns regarding the rule as a whole.”

What happens next? Typically petitions for rulemaking are forwarded to the appropriate SEC office for consideration, which in this case would be the Division of Corporation Finance. Those division staffers review the proposal and make their own recommendations to SEC commissioners; and the commissioners (or really just the SEC chairman) decide what to do next. That process could take several months or linger for years, depending on whatever else the SEC has on its agenda. 

Why the Banking Industry Hates This

Essentially, the banking industry hates the SEC disclosure rule because (a) banks already labor under several other cybersecurity disclosure obligations, each with different reporting timelines and triggering thresholds; and (b) banks (and other SEC registrants, for that matter) struggle to distinguish between “material” security events that must be disclosed and other security events that need not be. 

For example, the Federal Housing Administration adopted a cybersecurity disclosure policy in 2024 that requires FHA-approved lenders (think community banks issuing home mortgage loans) to report “significant” cybersecurity incidents to the FHA within 12 hours. Banks (and other critical infrastructure sectors) also labor under the Cyber Incident Reporting for Critical Infrastructure Act, which will go into effect later this year. That law gives cybersecurity regulators only 24 hours to confidentially warn potential targets of known security threats — but if an SEC registrant discloses an attack in an 8-K filing, any coordinated response plan to warn other companies could fall apart. 

The letter also laments confusion about material security incidents, which should be filed under Item 1.05 of the 8-K, versus immaterial incidents, which can be filed under the catch-all Item 8.01 instead. 

At first, the letter said, companies were overly cautious and disclosed way too many events as material incidents under Item 1.05. That prompted the SEC to issue clarifying guidance in May 2024, basically telling filers to calm down and only use Item 1.05 for incidents that were truly material. After that guidance, “the pace and character of disclosure shifted meaningfully,” the banking industry said, but that left investors “to subjectively divine the difference in degree of a company filing under Item 1.05 or 8.01.”

At least, that’s what the banking industry says, and they do raise fair points. The United States does operate under a confusing thicket of cybersecurity disclosure rules, and everyone — investors, companies, the public at large — would be better served by a more thoughtful disclosure regime. The ideal would be Congress passing a thoughtful law that applies to all organizations logically and uniformly.

The reality, however, is that Congress is not going to pass such a law any time soon because Congress can barely agree on anything. Meanwhile, cybersecurity has become so important to corporate success that investors do have a reasonable right to know how well the company is managing that risk. Would reducing required disclosures in favor of a more principles-based, management-gets-to-decide approach really serve that interest? 

Question for GRC Types: Who Cares?

GRC professionals should also remember that regardless of what the SEC might do about disclosure of cybersecurity incidents — you still want all the capabilities necessary to diagnose those incidents. 

Think about it. The adopting release says companies will need to “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.” Wouldn’t you want all the right policies, procedures, and tools in place to do all that anyway, so you could describe the material incident to your board, management team, key business partners, or other important stakeholders? 

So as a practical matter, if the SEC does rescind this part of the cyber disclosure rule, that might be a big deal for the corporate secretary, the head of investor relations, or other folks on the legal side of the enterprise. But for the CISO, GRC team, and internal auditor, the SEC’s actions may not have much consequence because you’d still want all that cyber-diagnostic capability anyway. Or if management does want to start slashing the GRC and security budgets, you may want to call your recruiter.