Bankers Association’s attack on cybersecurity transparency
A coalition of banking industry associations, including SIFA, the American Bankers Association (ABA), the Bank Policy Institute (BPI), and several other lobbying groups, has made a disgraceful appeal to the SEC to eliminate the rule requiring public disclosure of material cybersecurity incidents within four days of detection.
This rule was established to ensure shareholders are properly informed and potential victims receive timely notice so they can take protective action, which wasn’t happening consistently before the rule took effect.
The lobbyists have cobbled together six supposed reasons for their request. Let’s be clear: they’re all bogus. Let’s break them down.
1. It conflicts with confidential reporting requirements designed to protect critical infrastructure and warn potential victims, thus compromising coordinated national cybersecurity efforts.
Absolutely not. A brief, non-sensitive summary submitted via an 8-K form does not endanger critical infrastructure. It allows investors to divest if they so choose without being at a disadvantage. Notifying victims does not “compromise” security; it enhances their ability to protect themselves.
2. It interferes with incident response and law enforcement investigations.
Wrong again. Reporting is separate from investigations. The attacker already knows the breach occurred. The bank knows. The only ones being kept in the dark are shareholders and the public.
3. It creates market confusion as companies struggle to distinguish between mandatory and voluntary disclosures.
This is just disingenuous. The rule is straightforward: if you’re a public company and you determine a breach is material, you must report it to the SEC within four days. That’s neither complex nor ambiguous.
4. Disclosures have been weaponized by ransomware actors to further malicious objectives and may increase cybersecurity threats.
They cited one case where an attacker informed the SEC that a company had failed to disclose a breach within the four-day window. First, the rule hadn’t taken effect at the time. Second, the lobbyists’ argument essentially boils down to: “If we break the rules, attackers might tell on us.” That’s not extortion, it’s accountability. If you’re worried about attackers pointing out regulatory violations, the solution isn’t to remove the rule. It’s to follow it.
5. Premature disclosures could have negative implications for insurance and liability, exacerbating financial and operational harm.
This one’s pure speculation. The 8-K notice is just a starting point. The facts unfold over time, and insurers evaluate the situation based on confirmed details, not the initial disclosure.
6. Public disclosure could chill candid internal communication and routine information sharing.
That’s laughable. In reality, it’s the desire to keep things quiet that stifles internal communication. Many companies try to limit awareness to as few people as possible. Disclosure forces communication—internally and externally—which is precisely what’s needed during a material incident.
Let’s be honest: the real reason for this lobbying effort is clear. The banking industry wants the ability to delay, spin-control the message to manage the investor fallout, or outright hide cybersecurity incidents from investors and the public. They are doing it for themselves, not in the best interests of investors or potential victims.
The four-day requirement ensures companies act quickly, allocate resources for investigation, and avoid the risk of insider trading where a select few know about a material event before shareholders do. That risk has already materialized in the past – executives and even CISOs have faced charges for trading on undisclosed breach information. The rule exists to prevent exactly that kind of abuse.
And let’s not forget the victims. Timely disclosure allows individuals and organizations to take defensive measures, mitigate harm, and reassess their trust in the affected institution.
In the year and a half since this rule went into effect, we haven’t seen any meaningful harm arise from this disclosure rule. Quite the opposite. It has increased market fairness, transparency, and accountability.
The lobbyists’ position is nothing short of shameful. They’re putting forward weak, recycled arguments in the hope of shielding their industry from public scrutiny, narrative damage, and financial consequences. This is an effort to maintain secrecy, avoid accountability, and reduce the pressure to invest in proper cybersecurity practices.
Business leaders and cybersecurity professionals should see this for what it is: a shady move to protect image and profits at the expense of transparency, fairness, security, and public trust.