American banking and financial industry advocacy groups are urging the Securities and Exchange Commission (SEC) to reconsider its cybersecurity incident disclosure rule, arguing it hampers more than it helps. In a letter dated May 22, five major banking associations, spearheaded by the American Bankers Association, contended that the requirement to disclose cyber incidents publicly conflicts with confidential protocols designed to safeguard critical infrastructure and alert potential victims.
A Clash of Priorities
The SEC’s Cybersecurity Risk Management rule, rolled out in July 2023, mandates swift public disclosure of cybersecurity events, like data breaches or hacks. Yet, the banking groups, including the Securities Industry and Financial Markets Association and the Bank Policy Institute, claim the rule’s complex disclosure mechanisms disrupt incident response efforts and muddle the waters between mandatory and voluntary disclosures.
“This rule was flawed from the get-go,” an industry insider close to the discussions remarked. “It creates a labyrinth of confusion and leaves companies vulnerable to cybercriminals weaponizing disclosures as a form of extortion.”
Moreover, the groups argue that the SEC’s requirements exacerbate insurance and liability problems, potentially hindering effective internal communications and routine information exchanges. They specifically want “Item 1.05” removed from the SEC’s Form 8-K and 6-K reporting requirements, arguing that investor interests would be better served through existing frameworks.
Crypto Companies in the Crosshairs
The rule’s implications stretch beyond traditional banking, affecting publicly traded crypto firms such as Coinbase. Earlier this month, Coinbase found itself entangled in a cybersecurity debacle when hackers bribed its support staff to leak user data, a breach that has already spawned multiple lawsuits. As explored in our recent coverage of Coinbase’s legal battles with the IRS, the company is no stranger to regulatory challenges.
“The disclosure process is a double-edged sword,” a cybersecurity expert familiar with cryptocurrency markets noted. “While transparency is crucial, premature disclosures can amplify the chaos and financial fallout.”
Coinbase, refusing to bow to a $20 million ransom demand, revealed that the breach might cost up to $400 million in damages. If the SEC retracts its disclosure requirement, companies like Coinbase might gain more leeway in timing their public announcements, potentially mitigating immediate financial repercussions.
Historical Context and Future Implications
The SEC’s rule was born out of a pressing need to bolster transparency and investor protection in an era where cyber threats are increasingly sophisticated. However, the banking groups’ petition underscores a critical tension between transparency and operational security. For a deeper dive into the regulatory implications, see our coverage of how the SEC can simplify regulations.
Looking ahead, the debate raises pertinent questions about the balance between regulatory oversight and corporate autonomy. Will rescinding the rule indeed fortify the financial sector’s cybersecurity posture, or will it leave investors in the dark? As the SEC mulls over the petition, stakeholders across both traditional and crypto markets await with bated breath.
In the ever-evolving landscape of cybersecurity, striking the right balance remains a moving target. Whether the SEC will heed the banking groups’ call is uncertain, but the conversation highlights a pivotal moment in defining future cybersecurity governance.
Source
This article is based on: Banking groups ask SEC to drop cybersecurity incident disclosure rule
Further Reading
Deepen your understanding with these related articles:
- Crypto Coalition Tells SEC Staking Is ‘Essential Good,’ Not a Security
- US crypto groups urge SEC for clarity on staking
- U.S. Congress Braces for Intense Debate Over Crypto Legislation This Summer (openai)
Steve Gregory is a lawyer in the United States who specializes in licensing for cryptocurrency companies and products. Steve began his career as an attorney in 2015 but made the switch to working in cryptocurrency full time shortly after joining the original team at Gemini Trust Company, an early cryptocurrency exchange based in New York City. Steve then joined CEX.io and was able to launch their regulated US-based cryptocurrency. Steve then went on to become the CEO at currency.com when he ran for four years and was able to lead currency.com to being fully acquired in 2025.
