SEC Cyber Disclosure Rule Endangers Victims and Fails to Advance Investor Protections

Published on:
May 22, 2025

Washington, D.C., May 22, 2025 – A coalition of trade associations, including Bank Policy Institute, American Bankers Association, Independent Community Bankers of America, Institute of International Bankers and Securities Industry and Financial Markets Association, reiterated calls today for the Securities and Exchange Commission to rescind its cyber incident disclosure rule. In a petition to the SEC, the groups state that the rule puts companies that fall victim to cyberattacks at greater risk and undermines the SEC’s primary goal of protecting investors.

“These requirements impose additional risks, cost and complexity on SEC registrants, undermining the SEC’s mission to facilitate capital formation, while also failing to generate the type of decision-useful information which would advance the SEC’s mission to protect investors,” the associations wrote.

Key Concerns Raised by the Associations:

  • Exposes Victims to Further Harm: The rule requires public companies to prematurely disclose cyber incidents – such as a data breach or cyberattack – even if the vulnerability is unremediated and ongoing. This could further harm the victims and lead to additional attacks.
  • Gives Ransomware Criminals a Tool for Extortion: Ransomware groups use this rule to extort victims for additional financial gain. For example, after the rule was enacted, ransomware group AlphV took the unprecedented step of reporting its own victim, MeridianLink, to the SEC as a ransom payment extortion tactic.
  • Strains National Security and Law Enforcement Resources: The pathway for obtaining a law enforcement exemption is narrow and complex. This case-by-case determination, which relies on preliminary and incomplete information, diverts critical resources away from more pressing national security and law enforcement matters.
  • Creates Market Confusion: Companies face significant uncertainty in distinguishing between what constitutes a required disclosure and what can or should remain confidential. The SEC has repeatedly attempted to resolve these concerns, which has created an even more complex patchwork of unclear compliance expectations.
  • Chills Internal Communication: Given the threat that the SEC could investigate a disclosure decision, employees may hesitate to report or discuss cyber risks internally for fear that their communications may be misconstrued as bearing on materiality or create litigation risk.

What’s the Background?

The SEC adopted its “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule” on July 26, 2023. This rule requires public companies to disclose material cyber incidents within four business days, adding to an already complex list of reporting and disclosure obligations that financial institutions and other critical infrastructure sector companies must follow. The Department of Homeland Security issued a report in 2023 identifying 45 different federal cyber incident reporting requirements, administered by 22 federal agencies.

To access a copy of the letter, please click here.

-30-

About ABA

The American Bankers Association is the voice of the nation’s $24.1 trillion banking industry, which is composed of small, regional and large banks that together employ approximately 2.1 million people, safeguard $19.2 trillion in deposits and extend $12.7 trillion in loans.

About BPI

The Bank Policy Institute is a nonpartisan public policy, research and advocacy group that represents universal banks, regional banks and the major foreign banks doing business in the United States. The Institute produces academic research and analysis on regulatory and monetary policy topics, analyzes and comments on proposed regulations, and represents the financial services industry with respect to cybersecurity, fraud, and other information security issues.

About ICBA

The Independent Community Bankers of America® has one mission: to create and promote an environment where community banks flourish. We power the potential of the nation’s community banks through effective advocacy, education, and innovation.

As local and trusted sources of credit, America’s community banks leverage their relationship-based business model and innovative offerings to channel deposits into the neighborhoods they serve, creating jobs, fostering economic prosperity, and fueling their customers’ financial goals and dreams. For more information, visit ICBA’s website at icba.org.

About the Institute of International Bankers

The Institute of International Bankers (IIB) represents the U.S. operations of internationally headquartered financial institutions from more than 35 countries around the world. The membership consists principally of international banks that operate branches, agencies, bank subsidiaries, and broker-dealer subsidiaries in the United States. The IIB works to ensure a level playing field for these institutions, which are an important source of credit for U.S. borrowers and comprise the majority of U.S. primary dealers. These institutions enhance the depth and liquidity of U.S. financial markets and contribute significantly to the U.S. economy through direct employment of U.S. citizens, as well as through other operating and capital expenditures.

About the Securities Industry and Financial Markets Association

SIFMA is the leading trade association for broker-dealers, investment banks and asset managers operating in the U.S. and global capital markets. On behalf of our industry’s one million employees, we advocate on legislation, regulation and business policy affecting retail and institutional investors, equity and fixed income markets and related products and services. We serve as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (GFMA).
