Banks vs. the SEC: The Battle Over Cyber Disclosure That Could Leave Investors in the Dark

America's most powerful banking trade groups are waging a quiet but consequential campaign to kill a rule that requires companies to tell the public when they've been hacked. The fight is about more than red tape — it's about who gets to know when the financial system is under attack.

The Rule in Question

The SEC's "Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule" was adopted in July 2023. It requires public companies to disclose material cybersecurity incidents within four business days of determining their materiality, including a description of the nature, scope, and timing of the incident, as well as its likely impact on the company.

The intent was straightforward: investors have a right to know when the companies they own shares in have suffered a serious breach. The reality, according to the banking industry, has been something far messier.

Who Is Fighting It — and Why

The lobbying coalition includes the American Bankers Association, the Bank Policy Institute, the Securities Industry and Financial Markets Association, the Independent Community Bankers of America, and the Institute of International Bankers. After lobbying against the rule's adoption in 2023 and requesting a 12-month extension of compliance deadlines in April 2025, they are now asking the SEC to repeal the rule outright — or at minimum, remove the specific provision requiring incident disclosure on Form 8-K.

Their core argument is that public disclosure does more harm than good. In a petition to the SEC, the groups stated that the rule puts companies that fall victim to cyberattacks at greater risk and undermines the SEC's primary goal of protecting investors, imposing "additional risks, cost and complexity on SEC registrants" while "failing to generate the type of decision-useful information" that would advance investor protection.

The banks also argue that the rule could apply additional pressure during ransomware attacks, as attackers could point to unfulfilled disclosure deadlines as leverage for extortion.

The Transparency Paradox

Here is where the argument gets complicated — and, critics say, contradictory.

The same five trade groups fighting to eliminate public disclosure are simultaneously lobbying to preserve a separate, confidential threat-sharing law that allows banks to share cyberattack information privately with government regulators. Their position is that private sharing is sufficient; public disclosure is dangerous.

The petition spells out how banks square these two positions: confidential reporting to bank regulators already gives the government what it needs, without showing the public — and therefore attackers — that a company is wounded. In practice, scrapping the rule would leave that confidential notice to regulators as a breached bank's main reporting duty. Regulators would still learn of a material hack in a timely manner; investors would not.

Critics are unconvinced. Mark Dalton of the R Street Institute — whose organization backed mandatory incident reporting — argues that calling a public filing a road map for attackers "is a stretch," and that the trade groups treat sharing and disclosure "as substitutes for one another when they're complementary."

The Political Moment

The banks may be pushing against an open door. Republicans took a 2-1 majority at the SEC in January 2025, and a commissioner who dissented from the original cybersecurity disclosure rule is now in the majority. With SEC Chair Paul Atkins — President Trump's nominee — now at the helm and actively reviewing the rule, the political conditions for a rollback are more favorable than they have ever been. 

This is not happening in a vacuum. The Trump administration has signaled a broader appetite for deregulation across financial and technology sectors, and cybersecurity disclosure has become a flashpoint in a wider debate about how much transparency the government can — or should — mandate from private companies about their digital vulnerabilities.

What Enforcement Has Actually Looked Like

Proponents of the rule point out that it has already produced meaningful accountability. Between December 2023 and early 2025, 54 companies filed 80 Form 8-K disclosures related to cybersecurity incidents. In July 2024, business communications provider RRD settled with the SEC for $2.1 million related to a 2021 cyberattack, with the SEC citing inadequate monitoring resources and deficient disclosure controls. 

In December 2024, the SEC settled with Flagstar Bank for filing a misleading Form 8-K — the bank had stated it found "no evidence of unauthorized access to customer information" one day after learning that attackers had actually exfiltrated sensitive customer data including names, addresses, social security numbers, and account details. 

That case alone illustrates exactly what disclosure rules are designed to prevent: a company knowing it has been breached and telling the public otherwise.

The Deeper Question: Who Is the Disclosure For?

The banking industry's campaign frames this as a security issue. But the debate is ultimately about a much older question in financial regulation: who has the right to information about the institutions managing their money?

The Department of Homeland Security identified 45 different federal cyber incident reporting requirements administered by 22 federal agencies — a legitimate complexity argument. But complexity does not necessarily justify secrecy. The banks are not arguing they should report less to anyone; they are arguing they should report less to the public.

For ordinary investors, pension funds, and anyone with exposure to financial institutions, that distinction matters enormously. A bank that has suffered a material cyberattack is a bank that may face regulatory penalties, litigation costs, reputational damage, and operational disruption. All of those are material to investors — and all of them would be hidden if the disclosure rule is rescinded.

What Comes Next

The SEC under Chair Atkins is under no obligation to act swiftly, but the political winds are clearly at the banks' backs. A rollback of the incident disclosure requirement — whether through formal rulemaking, guidance, or simply declining to enforce — would represent one of the most significant retreats from corporate cybersecurity transparency in the SEC's history.

What the banking industry calls protecting wounded companies, critics call protecting companies from accountability. What the industry calls a road map for attackers, transparency advocates call a basic right for anyone with money on the line.

The outcome of this fight will define not just how America's banks report cyberattacks — but what the public is allowed to know when the institutions holding their savings come under fire.