ABA and the other associations said that the rule puts companies that fall victim to cyberattacks at greater risk. The rule was adopted in 2024 and requires businesses to publicly disclose a data breach or other cyberattack within four business days of determining that the incident is material. The exception to this rule applies when the Justice Department determines that publicly disclosing the cyberattack would threaten national security and public safety.
In their letter, the associations raised concerns regarding the rule requiring public companies to prematurely disclose cyber incidents, even when their vulnerability is ongoing and unresolved. ABA and the other organisations mentioned that a situation like this could offer criminals another tool for extortion, with at least one ransomware group reporting its own victim to the SEC. They also believe that this strains national security and law enforcement resources, creating market confusion and limiting international communication, as employees fear creating litigation risk.
The association mentioned that the requirements impose additional risks, costs, and complexity on SEC registrants, undermining the SEC’s mission to facilitate capital formation, and to generate the type of decision-useful information which would advance the SEC’s mission to protect investors. Registrants were and will be forced to publicly disclose an incident even if it is ongoing, the company’s investigation is not complete, and the incident is not fully remediated.
The letter also mentions that the rule is unhelpful to investors, as the premature disclosure harms registrants and fails to provide the market with meaningful or actionable information. The rule has been met with confusion about whether to file under Item 1.05, Item 8.01 or neither, and the SEC’s attempts to clarify have not changed the situation.