Mondo Visione Worldwide Financial Markets Intelligence

SEC Cyber Disclosure Rule Endangers Victims And Fails To Advance Investor Protections

Date 22/05/2025

A coalition of trade associations, including Bank Policy Institute, American Bankers Association, Independent Community Bankers of America, Institute of International Bankers and Securities Industry and Financial Markets Association, reiterated calls today for the Securities and Exchange Commission to rescind its cyber incident disclosure rule. In a petition to the SEC, the groups state that the rule puts companies that fall victim to cyberattacks at greater risk and undermines the SEC’s primary goal of protecting investors.

“These requirements impose additional risks, cost and complexity on SEC registrants, undermining the SEC’s mission to facilitate capital formation, while also failing to generate the type of decision-useful information which would advance the SEC’s mission to protect investors,” the associations wrote.

Key Concerns Raised by the Associations:

  • Exposes Victims to Further Harm: The rule requires public companies to prematurely disclose cyber incidents – such as a data breach or cyberattack – even if the vulnerability is unremediated and ongoing. This could further harm the victims and lead to additional attacks.
  • Gives Ransomware Criminals a Tool for Extortion: Ransomware groups use this rule to extort victims for additional financial gain. For example, ransomware group AlphV took the unprecedented step of reporting its own victim, MeridianLink, to the SEC after the rule was enacted as a ransom payment extortion tactic.
  • Strains National Security and Law Enforcement Resources: The pathway for obtaining a law enforcement exemption is narrow and complex. This case-by-case determination, which relies on preliminary and incomplete information, diverts critical resources away from more pressing national security and law enforcement matters.
  • Creates Market Confusion: Companies face significant uncertainty in distinguishing between what constitutes a required disclosure and what can or should remain confidential. The SEC has repeatedly attempted to resolve these concerns, which has created an even more complex patchwork of unclear compliance expectations.
  • Chills Internal Communication: Given the threat that the SEC could investigate a disclosure decision, employees may hesitate to report or discuss cyber risks internally for fear that their communications may be misconstrued as bearing on materiality or create litigation risk.

What’s the Background?

The SEC adopted its “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule” on July 26, 2023. This rule requires public companies to disclose material cyber incidents within four business days, adding to an already complex list of reporting and disclosure obligations that financial institutions and other critical infrastructure sector companies must follow. The Department of Homeland Security issued a report in 2023 identifying 45 different federal cyber incident reporting requirements, administered by 22 federal agencies.
