Banking Lobby Fights SEC Cyber Rule—Claims It’ll ’Help Hackers’ Instead of Stopping Them

Wall Street’s biggest players are pushing back hard against the SEC’s new cyber disclosure requirements—arguing that transparency could actually expose vulnerabilities to bad actors. Because nothing says ’secure’ like keeping breaches quiet, right?

The irony? Banks love preaching ’trust’ while fighting rules that would force them to disclose breaches faster than a crypto exchange rug-pull. National security or just avoiding embarrassment? You decide.

One thing’s clear: When bankers and regulators clash, the only winners are lawyers—and maybe hackers.

U.S. Banking Groups Warn SEC Cyber Disclosure Rule Aids Hackers

The SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule, adopted in July 2023, was intended to enhance transparency and standardize how public companies communicate cybersecurity threats to investors.

But critics say it is achieving the opposite. The petition emphasizes that registrants are forced to report incidents even when they remain ongoing, investigations are incomplete, and systems have not been fully remediated, thus potentially handing attackers an advantage.

The rule has led to significant confusion over how and when companies should disclose incidents. Despite the SEC’s attempts to clarify through Compliance & Disclosure Interpretations, comment letters, and commissioner guidance, registrants are still struggling to determine whether to report under Item 1.05 and Item 8.01.

According to the trade groups, this uncertainty has made the rule ineffective and legally risky, exposing firms to litigation and reputational harm while failing to generate actionable information for investors.

Notably, the groups warned that ransomware gangs and other cybercriminals have started weaponizing the SEC’s disclosure timeline, using the threat of public exposure as leverage to extort victims.

“The incident disclosure requirement has been exploited by ransomware criminals to further malicious objectives,” the petition notes, adding that it may even increase the likelihood of follow-up attacks once firms are known to be vulnerable.

The petition’s Core is a warning that the SEC’s disclosure rule undermines federal cybersecurity strategy.

The groups further argue that releasing details of material cyber incidents into the public domain too early may conflict with confidential reporting requirements under laws like the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).

Investors Better Served by Existing Disclosure Frameworks

Despite the SEC’s intent to enhance investor protection, the petition insists that the current cyber incident disclosure rule fails to provide “decision-useful” information to the market.

Instead, it risks creating misleading narratives based on incomplete facts while harming the institutions it seeks to regulate.

The banking groups argue that existing disclosure obligations such as Regulation S-K Item 105 and the pre-existing materiality framework already compel companies to report significant risks, including cybersecurity threats, in a way that preserves investor interests without compromising national security or company resilience.

They assert that investors will still be protected without Item 1.05.

“We believe they WOULD be better served through the pre-existing disclosure framework for reporting material information—which may include material cybersecurity incidents—while better mitigating the concerns raised above,” the letter concludes.

The SEC has yet to respond to the May 22 petition publicly.As the SEC weighs its next move, the outcome could reshape how U.S. companies balance transparency with cybersecurity resilience in an increasingly hostile ecosystem.