Banks Fight to Scrap an SEC Cyberattack Rule

American Banker Technology, Jun 12, 2026

Why It Matters

Repealing the rule would limit investors’ visibility into banks’ cyber risk, reshaping market pricing and potentially weakening overall cybersecurity transparency across the financial sector.

Key Takeaways

  • Five banking trade groups push SEC to repeal 2023 cyber‑incident rule
  • Rule requires public companies to disclose material hacks within four business days
  • Banks favor confidential sharing under CISA 2015, set to expire Sept 2026
  • Critics warn repeal would hide cyber risk from investors and markets
  • AI‑driven attackers could exploit public breach filings as real‑time targets

Pulse Analysis

The banking industry’s coordinated push against the SEC’s 2023 cyber‑incident disclosure rule reflects a broader tension between rapid threat intelligence sharing and market transparency. By championing the confidential framework of the Cybersecurity Information Sharing Act (CISA) of 2015, the trade groups argue that regulators and law‑enforcement agencies receive the technical details needed to mitigate attacks without broadcasting vulnerabilities to hostile actors. Their lobbying coincides with a congressional extension of CISA through September 2026, giving the banks a legislative foothold while they press the SEC for regulatory relief.

Critics, including the R Street Institute, contend that the rule’s limited scope—requiring only a high‑level notice of a material incident—does not provide attackers with actionable details. Yet banking officials warn that even a terse public filing creates a searchable signal that AI‑driven reconnaissance tools can exploit at scale, turning disclosures into a “zero‑day” catalyst. The argument gains traction as AI accelerates phishing and reconnaissance, prompting banks to treat public reporting as a strategic liability rather than a compliance checkbox.

If the SEC, guided by Chair Paul Atkins and a now‑Republican‑majority commission, decides to rescind the rule, investors will lose a key data point for assessing cyber‑risk exposure, potentially obscuring price‑discovery mechanisms. Conversely, maintaining the rule could compel banks to balance swift, confidential regulator notifications with the broader market’s right to know. The outcome will shape not only banking disclosure practices but also set a precedent for how other sectors navigate the trade‑off between cybersecurity resilience and investor transparency.
