On May 26, PANews reported that five major banking industry groups, led by the American Bankers Association, sent a joint letter to the U.S. Securities and Exchange Commission (SEC) on May 22, requesting the repeal of the cybersecurity risk management rule issued in July 2023, which requires publicly listed companies to disclose cybersecurity incidents within four days. The signatories included the Securities Industry and Financial Markets Association, the Bank Policy Institute, and other organizations. The banking industry groups pointed out that this rule directly conflicts with the confidentiality reporting requirements for protecting critical infrastructure, which could hinder incident response and law enforcement actions and lead to market chaos. They specifically requested the repeal of the "Item 1.05" clause in Form 8-K, arguing that the existing framework for disclosing significant information is sufficient to protect investors' interests.
This rule also applies to publicly listed cryptocurrency companies. At the beginning of this month, Coinbase faced at least seven lawsuits due to the disclosure of a user data breach, and the company refused to pay a $20 million ransom, estimating potential losses of up to $400 million. If the rule is canceled, relevant companies will have more flexible timelines for disclosing events.