ICBA and other groups called on the Securities and Exchange Commission to rescind its cybersecurity risk management, governance, and incident disclosure requirements.
Details: In a joint letter responding to the SEC’s request for comments on Reforming Regulation S-K, the groups said:
- The regulations single out cybersecurity as a standalone disclosure topic above all other risk types, which is inconsistent with the commission's longstanding principles and disproportionately burdens community banks.
- Prescriptive disclosure requirements create security risks by publishing operational details that can serve as a roadmap for threat actors.
- The regulations conflict with the recently released Cyber Strategy for America, which calls for streamlining cyber regulations and reducing compliance burdens.
Background: The SEC in July 2023 adopted the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule, which requires public companies to disclose material cyber incidents within four business days.
Previous Letters: The joint letter builds on the groups’ May 2025 and May 2022 letters opposing the SEC’s cyber incident disclosure rule.