Major U.S. banking groups are calling on the Securities and Exchange Commission (SEC) to cancel a rule that forces companies to tell the public about cyberattacks within four days. They believe the regulation is causing more harm than good.
The regulation, called the Cybersecurity Risk Management Rule, was introduced by the SEC in July 2023. Public companies have to file a report (Form 8-K or Form 6-K) within four days of a major cybersecurity event. This may involve data breaches, ransomware attacks, or hacks on customers or business operations.
The aim was to inform investors and maintain market transparency.
Five leading banking associations, among them the American Bankers Association and the Securities Industry and Financial Markets Association, wrote a letter to the SEC on May 22. They requested that the agency drop "Item 1.05," the component of the regulation dealing with cyberattack disclosures.
They say it clashes with other federal requirements that protect critical infrastructure. According to the banks, it also:
- Hurts law enforcement efforts by forcing companies to speak before full investigations
- Causes confusion about what must be disclosed and what is optional
- Can be used by hackers to pressure companies into paying ransoms
- Makes it harder for companies to talk freely inside their teams during a crisis
- Raises insurance costs and legal risks
The letter argues that the old system, where companies report important risks under existing rules, works better. “Investor interests will still be protected,” the groups said, even without Item 1.05.
Publicly traded crypto organisations, like Coinbase, have already felt the heat from this regulation. Earlier this month, Coinbase had to disclose that hackers bribed one of its staff members to leak user data. The company refused a $20 million ransom, but ended up with at least seven lawsuits and could face up to $400 million in damages.
Crypto firms argue that early disclosure can backfire. It alerts the public (and attackers) before full damage control is done and leads to costly lawsuits.
The SEC believes the regulation protects investors by making sure they know about major cyber risks right away. In theory, this stops organisations from hiding data breaches that could impact stock prices or customer trust.
But banks and crypto firms say the quick deadline forces rushed decisions, leads to poor communication, and opens the door for attackers to use the publicity as leverage.
If the SEC drops the requirement, companies will go back to using their judgment on when a breach is “material” enough to report. This would give companies additional time to react carefully and cooperate with the police.
But it could also mean that the public, including investors, might not be told about attacks until later, or perhaps not at all. That could affect trust, transparency, and even share prices.
The SEC has not yet indicated whether it will modify the rule. But this increasing pushback from banks and cryptocurrency organisations highlights the tightrope regulators walk: safeguarding the public without assisting the hackers.
Muskan Sharma is a crypto journalist with 2 years of experience in industry research, finance analysis, and content creation.