- Key insight: The same five trade groups are lobbying to kill the SEC's cyber-incident disclosure rule and to preserve a confidential threat-sharing law, which puts their distinction between sharing and disclosing to the test.
- What's at stake: With SEC Chair Paul Atkins reviewing the rule and a commissioner who dissented from it now in the majority, the disclosure requirement banks themselves live under could be rescinded.
- Expert quote: Mark Dalton of the R Street Institute, whose group backed mandatory incident reporting, says calling a public filing a roadmap for attackers "is a stretch" and that the trades treat sharing and disclosure "as substitutes for one another when they're complementary."
Overview bullets generated by AI with editorial review.
The banking industry's biggest trade groups want public companies to stop announcing serious cyberattacks to the public but keep sharing cyberattack information privately with the government.
The American Bankers Association, the Bank Policy Institute, the Independent Community Bankers of America and the Institute of International Bankers are behind both campaigns, as is the Securities Industry and Financial Markets Association, or SIFMA.
The groups are pressing the Securities and Exchange Commission to scrap a
At the same time, they spent the past year
One flow of information makes everyone safer, they argue. The other hands attackers a weapon.
The argument came together in a
For banks, this is not an abstract lobbying fight. Many banks are also public companies.
The rule the industry wants to kill requires these publicly traded banks to disclose a cybersecurity incident within four business days of determining the incident is "material," meaning serious enough that a reasonable investor would want to know about it.
That rule may soon get a second look from the SEC, where Chair Paul Atkins
The banks say the line between sharing cyber information with regulators and disclosing it to investors is a matter of security. One expert says they are treating the two as substitutes rather than complementary.
Information exchange over public disclosures
Bankers' push to save the confidential-sharing law started in a
The five banking groups (plus seven other industry coalitions)
Letting it lapse, the 12 groups warned in the letter, "risks creating a chilling effect on this critical information exchange — leaving us all more vulnerable to nation-state attacks and cybercriminals."
They have gotten their way so far. The law
That reprieve runs out Sept. 30. Without another act of Congress, the same lapse fight will return this fall.
Two months after that letter, the same groups
The petition spells out how the banks square the two positions:
In practice, scrapping the rule would leave that confidential notice to regulators as a breached bank's main reporting duty. Regulators would still learn of a material hack in a timely manner; investors would not.
"The SEC's cyber incident public disclosure requirements create unintended consequences that undermine cybersecurity while the protections afforded by CISA 2015 enhance cybersecurity," said John Carlson, the ABA's senior vice president for cybersecurity regulation and resilience.
Reporting to federal regulators is appropriate, Carlson said, "given that the notification goes to the federal banking agencies and is not public."
Todd Klessman, a managing director at SIFMA, drew the same distinction.
Confidential sharing lets defenders act "without alerting bad actors to the existence of specific vulnerable networks or organizations," he said, while the SEC's rule "can create unintended risk by compelling public disclosure of sensitive details on cyber incidents."
Does a public filing actually hand attackers a roadmap?
The banks' case for scrapping the rule rests on calling a disclosure a roadmap for hackers. The R Street Institute, a Washington think tank that backed mandatory incident reporting, says that case is overblown.
The rule "does not require disclosure of indicators of compromise, what vulnerability was exploited, attack vectors, etc.," said Mark Dalton, a senior director at R Street.
"To characterize 8-K disclosure as a roadmap to attackers is a stretch," Dalton said. "There's no requirement for firms to publish forensic logs, simply that an incident occurred."
The rule's mechanics support this perspective. A company has to file only after it decides an incident is material, and the disclosure itself carries no technical detail: no description of the vulnerability, no fingerprints from the attack, no path in.
It reports, in plain terms, that something serious happened. SEC staff
The research on AI-enabled hacking points the same way, cutting hardest against the broadest version of the claim that disclosing an incident at all arms attackers.
Google's
The U.K.'s National Cyber Security Centre
There is also the question of how often the rule fires at all. According to a
The industry's answer
The banks' case for killing the rule is sharper than the collective statements from their trade associations suggest. It runs along two separate tracks.
The first is that the danger is not today's tightly controlled AI models (including those studied in 2024 and 2025) but tomorrow's.
Anjelica Dortch, the ICBA's vice president for operational risk and cyber policy, said the worry is "increasingly capable open-source AI models" with "fewer safeguards."
Even a detail-free filing, Dortch said, "can serve as a signal to autonomous AI-driven reconnaissance systems that a potentially vulnerable institution exists," setting off real-time monitoring of SEC filings, automated scanning of a bank's systems and "automated war gaming at scale."
The danger, in Dortch's telling, is not any single disclosure but the searchable public database of them, a map of wounded companies that "AI-enabled adversaries can use to identify and exploit institutions at scale."
The second track is about leverage.
For a company already in ransom talks with its attacker, a required filing "gives the threat actor the potential upper hand in negotiations precisely because it identifies that the outage or data theft is material," according to Erez Liebermann, a partner at Debevoise & Plimpton and a former SEC enforcement official.
Attackers "have explicitly referred to the SEC's disclosure requirements in negotiating with victim companies," Liebermann said.
The banks' petition cites one such case, in which a ransomware gang
Both Dortch and Liebermann have a stake in the outcome. Dortch speaks for one of the banking groups that filed the petition, and Liebermann defends corporate clients facing these disclosure questions. His firm helped prepare a separate letter urging the rule's repeal.
Their argument runs head-on into R Street's. Where the think tank sees a filing that gives attackers nothing, Dortch casts the filing itself as the starting gun.
Where the line gets drawn
R Street's Dalton concedes that the banks' argument is not simply one of convenience.
"There is definitely a principled line," he said, "and that line runs between CISA 2015 and the SEC rule."
But he is still skeptical of the position. "The trades are treating these as substitutes for one another when they're complementary," Dalton said.
Confidential sharing transmits technical detail between industry defenders in a legally protected manner, he said. Public disclosure gives investors information about risk.
Scrapping the SEC rule, Dalton said, would make "incident frequency and severity invisible to the public," removing "the mechanism that allows the market to price how well a firm manages cyber risk over time."
The next round of the SEC's disclosure review will decide whether the regulator in charge of the rule agrees. Banks appear positioned to find a friendly audience there.
The fight over the material incident disclosure rule sits inside Chair Atkins's deregulation review, and Commissioner Hester Peirce, who
The SEC did not immediately respond to a request for comment on the rescission petition.