American banking and financial industry advocacy groups have petitioned the Securities and Exchange Commission to repeal its cybersecurity incident public disclosure requirements. 

Five US banking groups led by the American Bankers Association asked the regulator to remove its rule in a May 22 letter, arguing that disclosing cybersecurity incidents “directly conflicts with confidential reporting requirements intended to protect critical infrastructure and warn potential victims.”

The group, which also included the Securities Industry and Financial Markets Association, the Bank Policy Institute, Independent Community Bankers of America and the Institute of International Bankers, claimed that the rule compromises regulatory efforts to enhance national cybersecurity.

The SEC’s Cybersecurity Risk Management rule, published in July 2023, requires companies to rapidly disclose cybersecurity incidents such as data breaches or hacks. However, the banking groups argue this rule was flawed from the start and has proven problematic in practice since taking effect.

The banking bodies said that the “complex and narrow disclosure delay mechanism” interferes with incident response and law enforcement and creates “market confusion” between mandatory and voluntary disclosures. 

Public disclosure has also been “weaponized as an extortion method by ransomware criminals to further malicious objectives,” and premature disclosures worsen insurance and liability issues for companies and “risks chilling candid internal communications and routine information sharing,” the group claimed. 

The groups specifically want “Item 1.05” to be rescinded from the SEC’s rules for Form 8-K reporting and parallel reporting requirements applicable to Form 6-K. 

Form 8-K is used to publicly notify investors in US public companies of specified events, including cybersecurity incidents, that may be important to shareholders or the SEC. 

“Critically, without Item 1.05, investor interests will still be protected, and we believe they would be better served through the pre-existing disclosure framework for reporting material information, which may include material cybersecurity incidents,” the groups stated.

Related: Hackers using fake Ledger Live app to steal seed phrases and drain crypto

The full petition included examples of confusion from participants, specific incidents of ransomware attacks and documented regulatory conflicts. 

Public crypto companies impacted 

The requirement also impacts publicly listed crypto companies such as Coinbase, which disclosed earlier this month that hackers had bribed its support staff to leak its user data.

The disclosure saw the company hit with at least seven lawsuits over the disclosure.

Coinbase said that it rejected a $20 million ransom demand after staff leaked user data in a major phishing attack, which the exchange said could cost it up to $400 million in damages.

If the SEC rescinds the requirement, it may give firms such as Coinbase more time to disclose cybersecurity incidents to the public. 

Magazine: Bitcoin bears eye $69K, CZ denies WLF ‘fixer’ rumors: Hodler’s Digest