Industry Groups Urge SEC to Scrap Cyber Disclosure Rule

A coalition of leading US financial industry associations is calling on the Securities and Exchange Commission (SEC) to rescind its cyber incident disclosure rule, arguing that the policy increases risks for companies and fails to protect investors. The rule, which has been in effect for two years, mandates that publicly listed firms disclose material cybersecurity incidents within four business days.

While SEC Chair Gary Gensler initially touted the rule as beneficial to investors and markets, the Bank Policy Institute, American Bankers Association, Independent Community Bankers of America, Institute of International Bankers, and Securities Industry and Financial Markets Association disagree. In a formal petition, the groups argue that the regulation exposes cyberattack victims to further harm by forcing premature disclosures—often before systems are secured or vulnerabilities are patched.

The associations claim that early disclosure can alert cybercriminals, undermine national security efforts, and create unnecessary confusion in the marketplace. They cite a troubling precedent: the AlphV ransomware gang reportedly exploited the rule by filing a complaint with the SEC against one of its victims, MeridianLink, as a pressure tactic during ransom negotiations.

Beyond security concerns, the petition also contends that the rule increases compliance costs and complicates internal communications, all while failing to provide investors with actionable, meaningful insights. The industry groups argue that the regulation contradicts the SEC’s own mission of investor protection and capital formation.
