Tuesday, November 18, 2025

      US Financial Trade Associations Urge SEC to Rescind Cyber Incident Disclosure Rule

      In a unified petition submitted to the U.S. Securities and Exchange Commission (SEC), a coalition of leading financial trade associations—including the American Bankers Association, Bank Policy Institute, Securities Industry and Financial Markets Association, Independent Community Bankers of America, and the Institute of International Bankers—has called for the rescission of Form 8-K Item 1.05.

      This requirement, a cornerstone of the SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule, mandates that registrants disclose material cybersecurity incidents within four business days of determining materiality.

      The petition outlines a series of concerns regarding the rule’s real-world impact. When the rule was first proposed and then adopted, it was met with skepticism. As the petition notes, “concerns that the SEC had exceeded its authority and expertise and that the rule was deeply flawed were raised by the dissenting commissioners, by Congress, and by businesses across multiple sectors, including the financial services industry.” The SEC, however, dismissed those concerns. Now, more than a year into the rule’s implementation, the petitioners argue that those fears have materialized.

      A central concern is the timing of the required disclosures. Registrants have been forced to disclose cybersecurity incidents “even if [an incident] is ongoing, the company’s investigation is not complete, and the incident has not been fully remediated.” This premature disclosure, the petition argues, “has harmed registrants and at the same time failed to provide the market with meaningful or actionable information upon which to make investment decisions.”

      Despite SEC efforts to provide clarity through Compliance & Disclosure Interpretations and commissioner statements, confusion persists over when and how to file under Item 1.05 versus Item 8.01. The result has been a wave of inconsistent filings, with some companies disclosing incidents before making a formal materiality determination “out of an abundance of caution.” As former SEC Division of Corporation Finance Director Erik Gerding clarified, “Item 1.05 is not a voluntary disclosure, and it is by definition material because it is not triggered until the company determines the materiality of an incident.” Even with this guidance, companies remain uncertain, leading to diluted disclosures and reduced utility for investors.

      Alarmingly, the requirement has been weaponized by cybercriminals. In November 2023, the ransomware group ALPHV (also known as BlackCat) reported its own victim, MeridianLink, to the SEC, stating, “we want to bring to your attention a concerning issue regarding MeridianLink’s compliance with the recently adopted cybersecurity incident disclosure rules.” ALPHV alleged that MeridianLink had failed to disclose a breach under Item 1.05, a tactic meant to increase pressure for ransom payment (notably, the complaint was filed before Item 1.05 even took effect in December 2023, so the group was invoking a rule that did not yet bind its victim). As the petition emphasizes, “this tactic not only exacerbates the financial and operational damage to the victim companies but also undermines the purpose of the disclosure rule by turning it into leverage for extortion.”

      Companies that do disclose under Item 1.05 while an incident is still ongoing may attract further attacks, as threat actors view the public disclosure as evidence of vulnerability. This dynamic places companies in an impossible position: either disclose and risk further exploitation, or delay and risk regulatory scrutiny and civil litigation. “The disclosure requirements seem designed to better meet the needs of would-be hackers rather than investors’ need for financial information,” SEC Commissioner Hester Peirce warned in her dissent.

      The implications extend beyond cybersecurity. The rule’s filing obligations can increase legal exposure under federal securities laws. As the petition notes, “premature filings under Item 1.05 may later be used by plaintiffs’ attorneys in securities class actions or leveraged by insurers to deny coverage.” Because an Item 1.05 disclosure on Form 8-K is treated as “filed” rather than “furnished,” a registrant can face liability for a misleading statement under Section 18 of the Exchange Act, and under Section 11 of the Securities Act where the Form 8-K is incorporated by reference into a registration statement.

      This legal risk has a chilling effect on internal communications. Incident response teams and legal counsel are increasingly cautious about documenting early assessments or deliberations for fear these communications may be subpoenaed and misinterpreted. The SEC’s enforcement staff have already requested “extensive records of all communications about the incident,” raising fears of hindsight bias. Companies now hesitate to share information with peers, law enforcement, and other government agencies. As the petition explains, “we have seen this restricted information exchange during a recent, large-scale incident, where a prominent technology company declined to share detailed, technical information with industry partners,” instead pointing to its 8-K filing.

      Beyond legal and operational concerns, the rule is at odds with national security objectives. Financial institutions are already subject to at least ten confidential cyber incident reporting requirements. These are designed to facilitate timely, private information-sharing with regulators and law enforcement to protect critical infrastructure. The SEC’s public disclosure mandate “complicates these efforts and shortens the time other agencies have to fully assess an incident and determine its impact prior to public disclosure.” The petition warns that the disclosure mandate may leave “little to no time to successfully act on threat indicators and defensive measures before an incident is disclosed to the world, including opportunistic threat actors.”

      The rule’s only delay mechanism, available if the Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety, has proven difficult to navigate. The process is complex, must be completed within the four-business-day window, and is ill-suited for use during a rapidly unfolding cybersecurity crisis. The FBI and Department of Justice have acknowledged these shortcomings and encourage companies to engage with the FBI and begin the delay-request process even before a materiality determination is complete, placing an additional burden on response teams already working to contain the incident.

      The petitioners stress that returning to a principles-based disclosure regime would better serve investors without compromising cybersecurity. “The SEC’s time-tested, established approach empowers companies to disclose information that is meaningful, reliable, and material.” Under such a framework, companies would continue to use Item 8.01 and existing disclosure rules to report cybersecurity risks and incidents deemed material, without the prescriptive, rigid deadlines of Item 1.05. Commissioner Mark Uyeda highlighted this issue, stating that the amendments “swing a hammer at the current regime and create new disclosure obligations for cybersecurity matters that do not exist for any other topic.”

      Importantly, the SEC’s mission to protect investors would still be fulfilled. Since 2011, companies have been expected to consider cybersecurity risks and incidents as part of their materiality assessments for periodic disclosures. Furthermore, companies would still be subject to Regulation FD, ensuring that all investors receive material nonpublic information simultaneously.

      As the petition concludes, “a return to the SEC’s longstanding principles-based approach… would offer a clearer, more consistent, and investor-useful framework.” Rescinding Item 1.05 would not eliminate transparency; rather, it would eliminate premature, speculative disclosures that expose companies to legal and operational harm while offering little value to investors.

      The coalition of financial associations has made clear that they are committed to working with the SEC on a balanced framework—one that respects both national security imperatives and the investor protection mandate at the heart of the SEC’s mission.
