Dive Brief:

• A coalition of banking industry groups has asked the Securities and Exchange Commission to rescind a controversial Biden-era cybersecurity breach notification rule.
• At issue is the SEC’s rule mandating that public companies disclose “material” breaches within four days of a materiality determination. The requirement has exposed organizations to potential liability risks and other challenges, “while also failing to generate the type of decision-useful information which would advance the SEC’s mission to protect investors,” according to a petition filed last month by the Securities Industry and Financial Markets Association, the American Bankers Association, the Bank Policy Institute, the Institute of International Bankers, and Independent Community Bankers of America.
• “Mandating the public disclosure of a cybersecurity incident before it is fully investigated or remediated creates significant and potentially costly legal exposure for registrants, particularly by mandating disclosure based on preliminary information, including in some cases information available only from third parties, that may unintentionally be incomplete or inaccurate, and therefore may inadvertently misinform investors and fuel market volatility,” the groups wrote.

Dive Insight:

The push comes as SEC Chairman Paul Atkins, a Republican appointed by President Donald Trump, is taking on his new responsibilities after his April 21 swearing in.

“This was an opportunity for us to clearly articulate our longstanding concerns with the rule,” Patrick Warren, vice president of regulatory technology for BITS, the technology policy division of the Bank Policy Institute, said in an interview. “We hope that the SEC will take action to rescind this rule’s premature disclosure requirements, which undermine the resiliency of the U.S. financial system.”

A spokesperson for the SEC declined to comment on the letter.

Atkins can be expected to avoid regulation that he perceives as unnecessarily burdensome on business, according to an April analysis by attorneys at law firm Proskauer Rose. However, he has signaled that he would back regulation that he believes “appropriately balances effectiveness and costs,” the firm’s report states.

In March, Republicans on the House Financial Services Committee wrote then-SEC Acting Chairman Mark Uyeda urging the agency to withdraw the cybersecurity breach reporting rule, one of several financial regulations instituted under the Biden administration.

“Under this new leadership, the SEC can reaffirm its statutory mandate by revisiting several final rules promulgated by the previous administration,” the lawmakers said. “These rules have made the U.S. capital markets less attractive to existing and potential public companies.”

The breach notification rule was included in a broader package of cybersecurity mandates adopted in the summer of 2023 on a party-line 3-2 vote, with Republicans dissenting.

Under the rule, public companies must determine the materiality of a breach “without unreasonable delay following discovery and, if the incident is determined material, file an Item 1.05 Form 8-K generally within four business days of such determination,” according to a fact sheet.

Since the rule’s implementation, companies have “struggled to navigate the boundary between mandatory and voluntary disclosure of cybersecurity incidents, leading to uncertainty and signal dilution,” according to the industry coalition’s letter.

A May 2024 statement from Erik Gerding, then-director of the SEC’s Division of Corporation Finance, clarified that the breach reporting rule was not intended to sweep in immaterial incidents. If a company chooses to disclose a breach for which it has not yet made a materiality determination, or one that was determined to not be material, the Division of Corporation Finance encourages the company to disclose that incident under a different item of Form 8-K, such as Item 8.01, Gerding said at the time.

But confusion has persisted despite the clarification, the banking industry groups said in their letter. As one example, they cited correspondence between AT&T and agency staff over a July 2024 8-K filing by the telecommunications company.

“Overall, of the 32 companies that have filed under Item 1.05, only nine identified a material impact in their initial disclosures, and just two more did so in amended filings,” the petition said. “Rather than providing clarity, the inconsistent use of Items 1.05 and 8.01, and Item 1.05’s requirement to speculate regarding future material impacts, injects uncertainty into the market and undermines the objective of standardized, decision-useful disclosure.”

A premature filing under Item 1.05 may later be used by plaintiffs’ attorneys in securities class actions or leveraged by insurers to deny coverage on grounds that the risk was “known” or inadequately mitigated, the groups said. It may also expose companies to costly litigation, including under Section 18 of the Securities Exchange Act of 1934, which creates liability for false or misleading statements, they said.

As a result of such risks, the rule is having a chilling effect on the cybersecurity incident-related information companies share externally to private and public sector stakeholders, the letter said. Further complicating matters, the rule also conflicts with other breach reporting requirements imposed on financial organizations, it said.