U.S. financial institutions say mandatory disclosure within four days could jeopardize national security, aid hackers, and hinder incident response.
America’s biggest banking groups are clashing with the Securities and Exchange Commission over a cybersecurity rule they say does more harm than good. On May 22, five powerful industry associations formally asked the SEC to scrap a regulation that forces publicly traded companies to disclose cyber incidents within just four days.
The petition, led by the American Bankers Association, argues that the rule undermines existing national security protocols and could be exploited by cybercriminals. Their message is blunt: this policy puts everyone—from financial institutions to consumers—at greater risk.
Rule intended to protect investors, but banks say it backfires
The SEC’s Cybersecurity Risk Management rule was adopted in July 2023 with investor protection in mind. Companies were instructed to publicly disclose any “material” cybersecurity breaches within four business days. The aim was transparency—keeping shareholders in the loop.
But major banking organizations, including the Securities Industry and Financial Markets Association and the Bank Policy Institute, say the rule’s consequences have been anything but reassuring.
One of their central arguments? The rule clashes with confidential federal protocols designed to shield critical infrastructure and respond swiftly to threats without tipping off bad actors. In other words, what helps investors might hurt national cyber defense.
Banking lobby says disclosure timeline is too rigid
According to the letter sent to the SEC, the four-day clock is “narrow and complex,” often forcing companies to choose between complying with federal agencies and rushing into potentially harmful public disclosures.
The rule’s rigidity, they argue, doesn’t reflect the real-world complexity of cyberattacks, which often take weeks or months to fully understand.
Here’s what they say happens instead:
- Law enforcement investigations are disrupted.
- Hackers are alerted before a breach is contained.
- Disclosures fuel panic and confusion among investors and customers.
And perhaps more concerning—they claim that ransomware gangs are now leveraging the SEC rule against victims, threatening early public exposure unless ransom demands are met.
Ransomware gangs are weaponizing transparency, banks say
Cybercriminals are smart. They adapt fast. The banks say that some groups now use the disclosure rule as blackmail.
Here’s the tactic: Hackers breach a company, then threaten to leak the news early—knowing full well the victim is under pressure to file an SEC disclosure soon. The psychological impact alone can be devastating.
“The public disclosure requirement is being weaponized,” the banking groups said. It’s no longer just about stealing data or holding systems hostage. It’s about manipulating rules meant for public good to further criminal ends.
This isn’t theoretical. In 2023 and 2024, several high-profile ransomware incidents saw threat actors reference SEC rules in extortion messages.
Financial institutions raise fears of liability chaos
Insurance coverage, lawsuits, and boardroom accountability—these are already tangled messes when cyberattacks hit. But the banks argue that the SEC’s rule adds more chaos than clarity.
They claim companies are now facing liability from all sides: government regulators, shareholders, and even their own insurers.
What’s worse, the pressure to disclose too early might result in inaccurate or incomplete statements. That could later become ammunition in litigation—an outcome nobody wants during a crisis.
For many executives, this early disclosure mandate discourages internal transparency. Why speak candidly in emails or messages if your words might end up in a public filing before the situation is fully understood?
A delicate balance: public interest vs national security
The SEC has maintained that public investors have a right to know when their data, or the systems behind the companies they own, have been breached.
But the banking industry says this transparency has to be weighed carefully against public safety.
Below is a breakdown of the five organizations asking for the rollback:
| Banking Group Name | Represented Interests |
|---|---|
| American Bankers Association (ABA) | Over 4,000 banks across the U.S. |
| Securities Industry and Financial Markets Assoc. | Broker-dealers, investment banks |
| Bank Policy Institute | Largest U.S. commercial banks |
| Independent Community Bankers of America | Smaller, local community banks |
| Institute of International Bankers | Foreign banks with U.S. operations |
The group says the SEC’s current framework “chills routine info sharing,” blocks cross-agency collaboration, and ironically weakens the very infrastructure it aims to protect.
What happens next? SEC hasn’t blinked—yet
So far, the SEC hasn’t indicated any willingness to repeal the rule. But it’s clearly under pressure.
Industry voices are getting louder, and not just from banking circles. Cybersecurity experts have echoed concerns, warning that breach disclosures need nuance—not a blanket timeline.
Could a compromise be on the table? Possibly. Analysts speculate the SEC might revise the delay mechanisms or carve out exceptions for financial institutions.
One thing’s clear: The battle between transparency and tactical discretion is just heating up. And it’s not only about regulations—it’s about how America’s biggest institutions respond when the alarms go off at 2 a.m., and someone has to decide whether to fight the fire or file a report.