A coalition of US financial trade associations is urging the Securities and Exchange Commission (SEC) to retract its cyber incident disclosure rule, arguing that it endangers victims.
The rule, implemented two years ago, requires public companies to disclose significant cyber incidents within four business days. At the time, former SEC chair Gary Gensler stated that the rule would “benefit investors, companies, and the markets connecting them.”
However, industry stakeholders have expressed concerns about the increased costs and complexities introduced by the regulation. In response, the Bank Policy Institute, American Bankers Association, Independent Community Bankers of America, Institute of International Bankers, and Securities Industry and Financial Markets Association submitted a petition.
The associations contend that rather than safeguarding firms and investors, the rule heightens the risk for cyberattack victims and undermines the SEC’s fundamental role of investor protection. By obligating public companies to disclose breaches before vulnerabilities are resolved, the SEC could inadvertently harm victims further. Additionally, the rule strains national security and law enforcement resources, creates market confusion, and discourages internal communication.
The petition also claims that the rule inadvertently provides ransomware groups with leverage to extort victims, citing the example of the AlphV gang using MeridianLink’s SEC filing as a tactic to pressure the company into paying a ransom.
“These requirements impose additional risks, costs, and complexities on SEC registrants, undermining the SEC’s mission to facilitate capital formation, while failing to produce the decision-useful information necessary to protect investors,” the groups assert.