Banks Say SEC’s Four-Day Cyber Rule Risks National Security, Undermines Law Enforcement
According to ChainCatcher, five major U.S. banking associations — led by the American Bankers Association (ABA) — have formally asked the U.S. Securities and Exchange Commission (SEC) to repeal its Cybersecurity Risk Management Rules, which mandate that publicly listed companies disclose material cybersecurity incidents within four days.
In a joint letter, the groups argue that the July 2023 regulation, and specifically Item 1.05 of Form 8-K, could compromise national security and interfere with law enforcement operations, particularly in the context of protecting critical infrastructure and sensitive financial systems.
Key Concerns From the Banking Sector
The coalition outlined several objections to the rule:
Conflict with Confidentiality Requirements: Public disclosure within four days could violate federal confidentiality protocols tied to national security and infrastructure protection.
Hindrance to Incident Response: Premature disclosure may limit a firm’s ability to effectively assess, contain, and remediate ongoing cybersecurity threats.
Market Confusion and Investor Risk: The groups warned that rushed disclosures could lead to misinterpretation, panic selling, and ultimately harm investor confidence.
Overlapping Regulations Already Exist: The letter emphasizes that existing regulatory frameworks—such as those enforced by banking and financial oversight agencies—already provide adequate investor protection and incident reporting.
The rule also applies to publicly listed cryptocurrency firms, raising concerns among blockchain and fintech platforms subject to SEC oversight.