Five leading financial industry groups, including the American Bankers Association and the Securities Industry and Financial Markets Association, have formally urged the U.S. Securities and Exchange Commission to revoke its rule requiring public companies to disclose material cybersecurity incidents within four business days. The coalition contends that the regulation compromises ongoing investigations, exposes sensitive information, and may inadvertently aid cybercriminals.

The SEC’s rule, adopted in July 2023, requires companies to report significant cyber incidents promptly, unless disclosure poses a substantial risk to national security or public safety. The financial groups argue that this timeline is insufficient for thorough internal assessments and coordination with law enforcement, potentially leading to premature disclosures that could hinder response efforts and mislead investors.

A recent cyberattack on Coinbase, a major cryptocurrency exchange, underscores the concerns raised by these financial entities. Hackers infiltrated Coinbase’s systems by bribing third-party customer service agents, obtaining personal data of approximately 97,000 users. The attackers demanded a $20 million ransom, which Coinbase refused to pay, opting instead to offer a $20 million reward for information leading to their arrest. The breach is expected to cost Coinbase between $180 million and $400 million in remediation and customer reimbursements.

The financial groups emphasize that mandatory rapid disclosure could alert other malicious actors to vulnerabilities before companies have secured their systems. They advocate for a more flexible approach that allows organizations to manage incidents effectively without the pressure of an inflexible reporting deadline.

The SEC maintains that timely disclosure of cyber incidents is crucial for investor protection and market integrity. However, the financial industry coalition insists that the current rule may do more harm than good, potentially exacerbating the very risks it aims to mitigate.