Reforming Regulation S-K’s Cybersecurity Disclosures (Joint Trades)

Published on:
April 10, 2026
Submitted to:
SEC
Submitted by:
SIFMA, ABA, BPI, ICBA and IIB
File Number:
CLL-15

Summary

SIFMA, The American Bankers Association (ABA), Bank Policy Institute (BPI), Independent Community Bankers of America (ICBA), and Institute of International Bankers (IIB) provided comments to the SEC in response to Chair Atkins’s request for public input on reforming Regulation S-K.

Excerpt

Our members are subject to extensive cybersecurity oversight and incident-reporting regimes administered by prudential regulators and federal agencies, in addition to the public disclosure requirements of the Commission’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule. 1 This letter focuses on Item 106 of Regulation S-K and the related cybersecurity incident disclosure mandate on Form 8-K, Item 1.05. 2

We welcome the Commission’s comprehensive review of Regulation S-K and its effort to restore a materiality-centered, principles-based disclosure framework whereby companies assess disclosure obligations based on longstanding materiality standards. As noted in the recently released Cyber Strategy for America, cyber regulations should be streamlined to “reduce compliance burdens, address liability, and better align regulators and industry globally.” 3 As part of the Commission’s review, we urge the Commission to rescind Item 106.

We believe Item 106 places outsized weight on one risk type and requires disclosure of operational details inconsistent with a principles-based framework. Rescission of Item 106 would streamline disclosure and “eliminat[e] both the burdensome and the impractical,” in alignment with Chair Atkins’s strategy for the Commission’s regulatory frameworks. 4 In the event the Commission does not rescind Item 106, we recommend that the Commission narrow and refocus Item 106 so that it elicits concise, decision-useful and materiality-centered information about cybersecurity risks and risk management, without burying investors in immaterial detail. In addition, as part of the Commission’s review, we urge the Commission to rescind Form 8-K, Item 1.05. We believe that the pre-existing principles-based disclosure framework (including Form 8-K, Item 8.01 and periodic reporting requirements) adequately addresses disclosure of material cybersecurity incidents, as described in the joint petition for rulemaking submitted by our organizations last year. 5

I. The Commission Should Rescind Item 106

In 2022, our associations explained that the proposed cybersecurity rules raised serious policy and practical concerns, including the following: (1) the risk that bespoke, topic-specific line items for cybersecurity incidents would privilege one type of risk over others in a way that is inconsistent with the Commission’s longstanding, principles-based regime 11 and (2) security risks from prescriptive disclosures about cybersecurity. Although the Commission acknowledged many of the comments it received in the final rule, it did not resolve several issues with Item 106’s requirements, including the concerns raised by our associations. These issues now warrant reconsideration in the context of Regulation S-K reform, particularly as compliance with Item 106’s disclosure requirements has negatively impacted the members of our associations. For example, our member financial services firms devote significant attention and resources away from other important priorities to complying with Item 106’s detailed disclosure requirements—leaving less time for other strategic security initiatives to fortify firm defenses. At the same time, the growing patchwork of overlapping cybersecurity rulemakings across federal agencies and state regimes further risks the diversion of finite resources away from proactive threat detection and toward prescriptive compliance exercises. Smaller and mid-sized financial services firms, in particular, find compliance challenging given their more limited resources.

  1. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, 88 Fed. Reg. 51896, 51945 (Aug. 4, 2023) [hereinafter the “Cybersecurity Disclosure Rule”].
     
  2. The recommendations in this letter should apply equally to foreign private issuers (“FPIs”). FPIs are subject to cybersecurity governance and risk management disclosure requirements through Form 20-F Item 16K, which incorporates the substance of Regulation S-K Item 106. Similarly, FPIs are required to furnish on Form 6-K material cybersecurity incident disclosures, similar to the disclosure mandated by Form 8-K, Item 1.05. Any actions taken by the Commission to implement the recommendations herein should therefore be reflected in the parallel disclosure requirements in Form 20-F Item 16K and Form 6-K.
     
  3. The White House, President Trump’s Cyber Strategy for America (Mar. 6, 2026), https://www.whitehouse.gov/wpcontent/uploads/2026/03/President-Trumps-Cyber-Strategy-for-America.pdf.
     
  4. Chair Paul S. Atkins, U.S. Sec. & Exch. Comm’n, Prepared Remarks Before SEC Speaks (Mar. 19, 2026), https://www.sec.gov/newsroom/speeches-statements/atkins-remarks-sec-speaks-031926-prepared-remarks-secspeaks.
     
  5. American Bankers Assoc., Bank Policy Institute, Securities Industry and Financial Markets Assoc., Indep. Cmty. Bankers of America, and Inst. of Int’l Bankers, Petition for Rulemaking on the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule (May 22, 2025), https://bpi.com/wpcontent/uploads/2025/05/Joint-Financial-Trades-Final-Petition-for-Rulemaking-on-Cybersecurity-RiskManagement-Strategy-Governance-and-Incident-Disclosure-Rule_.pdf [hereinafter Petition for Rulemaking].
     
