Banking Trade Groups Urge SEC to Rescind Cybersecurity Disclosure Rules

April 23, 2026

Cybersecurity-Focused Regulation S-K Joint Trades Comment Letter

Hema Gharia Mayer Brown Free Writings + Perspectives + Follow Contact LinkedIn Facebook X ;) Embed

On April 10, 2026, five trade associations—the American Bankers Association, the Bank Policy Institute, SIFMA, the Independent Community Bankers of America, and the Institute of International Bankers—submitted a joint comment letter to the Securities and Exchange Commission in response to Chair Atkins’s request for comment on Regulation S-K.  The letter urges the SEC to rescind both Regulation S-K Item 106 and Form 8-K Item 1.05, adopted as part of the 2023 Cybersecurity Disclosure Rule, or to narrow significantly both requirements and provide explicit safe harbor protections for forward-looking cybersecurity disclosures.

The associations argue Item 106 puts outsized weight on one risk by creating a standalone, prescriptive disclosure requirement, which does not exist for any risk.  The letter notes that cybersecurity is one of many operational, legal, and strategic risks already subject to disclosure under Items 101, 103, 105, 303, and 407.  The associations also raise security concerns, arguing Item 106’s requirement to describe processes for assessing and managing cybersecurity threats compels disclosure of detail that could be exploited.  The associations also note that in practice, Item 106 has produced convergence in disclosures across registrants—similar boilerplate descriptions that fail to provide useful information yet still create security risks.

The letter includes criticism of Item 1.05, which mandates disclosure of material cybersecurity incidents within four business days of a materiality determination.  The associations identify several problems.  This compressed timeline forces public reporting while incidents are often still ongoing, diverting resources from incident response and limiting the ability to contain active threats before adversaries are alerted.  They also argue that the ability of the Attorney General to create a disclosure delay should a determination be made that disclosure would pose a substantial risk to national security or public safety is too narrow as a delay mechanism and too complex to function effectively.  Additionally, because Item 1.05 disclosures are filed rather than furnished, these carry potential liability under the Securities Act and Exchange Act, creating risk of securities class actions based on incomplete early disclosures.  The associations believe that this disclosure requirement ultimately creates an environment of premature disclosure and less decision-useful information being provided to investors.

The associations emphasize that rescinding these requirements would not leave investors unprotected.  Registrants would continue to disclose material cybersecurity risks and incidents under the existing Regulation S-K framework, additional SEC guidance, and Item 8.01 of Form 8-K, while Regulation FD would ensure that material nonpublic information is not selectively disclosed.  If rescission is not possible, the associations propose narrowing the definition of “cybersecurity incident” to align with the prudential banking agencies’ Computer-Security Incident Notification Rule, which limits reportable incidents to those resulting in “actual harm” and material disruption.  They also believe the definition of “information systems” should be narrowed and clarified to address only systems within the registrant’s control, and that the required disclosures under Item 106 should be streamlined to focus on how registrants integrate cybersecurity risk into enterprise risk management and strategy, rather than inventorying specific processes.  If neither Item 106 nor Item 1.05 is rescinded, the associations ask for explicit safe harbor protection for forward-looking cybersecurity disclosures under Section 27A of the Securities Act and Section 21E of the Exchange Act.

Cybersecurity disclosure may be heading back to what the associations describe as a “materiality-centered, principles-based framework,” and public companies and their advisers should continue to monitor this closely.  For more information, see the full letter here.

[View source.]

;) ;) Report

Latest Posts

• Cybersecurity-Focused Regulation S-K Joint Trades Comment Letter
• No-Action Letter on Bail-In Securities; Further Rulemaking to Follow
• NYSE Rule Change Enabling Trading of Tokenized Securities
• Division of Corporation Finance Issues Exemptive Order for Certain Tender Offers
• FINRA Investor Education Foundation Examines Effects of Social Media “Finfluencers” See more »

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
Attorney Advertising.

©
Mayer Brown Free Writings + Perspectives

Written by:

Mayer Brown Free Writings + Perspectives Contact + Follow Hema Gharia + Follow more less

PUBLISH YOUR CONTENT ON JD SUPRA

• ✔ Increased readership
• ✔ Actionable analytics
• ✔ Ongoing writing guidance Join more than 70,000 authors publishing their insights on JD Supra

Start Publishing »

Published In:

Cybersecurity + Follow Disclosure Requirements + Follow Financial Institutions + Follow Form 8-K + Follow Regulation S-K + Follow Regulatory Requirements + Follow Reporting Requirements + Follow Risk Management + Follow Safe Harbors + Follow Securities and Exchange Commission (SEC) + Follow Finance & Banking + Follow Science, Computers & Technology + Follow Securities + Follow more less

Mayer Brown Free Writings + Perspectives on:

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra: Sign Up Log in ** By using the service, you signify your acceptance of JD Supra's Privacy Policy.* - hide - hide