A coalition of major U.S. financial trade associations is urging the Securities and Exchange Commission (SEC) to revoke its cyber incident disclosure rule, citing concerns that it harms rather than protects companies and investors.
The rule, implemented two years ago, mandates that publicly traded companies disclose material cyber incidents within four business days. Although it was introduced to promote transparency and investor confidence, critics argue that it adds unnecessary cost and complexity to already strained organizations.
In a formal petition, groups including the American Bankers Association, Bank Policy Institute, and Securities Industry and Financial Markets Association argue that the rule forces premature disclosure of breaches before vulnerabilities are addressed, putting companies at greater risk of follow-on attacks. They claim this rush to report could interfere with national security efforts, strain law enforcement resources, and disrupt internal crisis response processes. Moreover, rather than aiding investors, they say the rule could generate confusion and reduce the quality of available information.
The petition also raises alarm about unintended consequences, including cybercriminals exploiting the rule for leverage. One cited case involved the AlphV ransomware group reporting its victim to the SEC as a pressure tactic to demand payment. The trade associations contend that the rule not only heightens risk but also undermines the SEC’s broader mission by creating operational burdens without providing truly actionable information for investors.