In late May 2025, the Securities Industry and Financial Markets Association (SIFMA), together with the American Bankers Association, Bank Policy Institute, Independent Community Bankers of America, and Institute of International Bankers, submitted a petition to the Securities and Exchange Commission (SEC) requesting rulemaking to amend its Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule in order to rescind the disclosures mandated thereunder in Item 1.05 of Form 8-K and the corresponding Form 6-K requirements.
The SEC adopted Item 1.05 of Form 8-K on July 26, 2023, which mandated, in part, that public companies disclose a cybersecurity incident that is deemed to be material. Disclosures must include the material aspects of the nature, scope and timing of the cybersecurity incident and any reasonably likely material impact on the company or its financial condition or results of operations.
In the letter, the trade associations request rescission of the rule in full because, in their view, the rule mandates premature disclosures and has created significant confusion among reporting companies despite attempts at clarification by the SEC through Compliance and Disclosure Interpretations and the comment process. The petition focuses on the following objections to the continued existence of Item 1.05, noting that the rule (i) conflicts with confidential incident reporting requirements applicable to certain reporting entities (e.g., the Department of Homeland Security, Ginnie Mae, etc.), (ii) provides for complex and overly narrow disclosure exceptions, (iii) results in over-reporting in a manner that dilutes materiality and reduces disclosure utility, (iv) is weaponized by ransomware makers and other cybercriminals, (v) has negative implications for insurance and liability, and (vi) has a chilling effect on internal communications and external information sharing.
In place of Item 1.05, the petitioners call for reinstatement of the cybersecurity incident reporting regime in place prior to 2023, where risks relating to such events were treated similarly to other material financial, operational and governance risks by inclusion in registration statements, periodic reports, and current reports upon context-specific determinations made by the registrant. The SEC does not have to respond to the petition, but given interest expressed by new Chair Atkins, it is possible that rollbacks of this and other Gensler-era rules may come to pass. The full text of the petition is available here.