Faced with a new disclosure rule imposed by the US financial watchdog, major banking institutions are raising their voices. They are calling for the outright withdrawal of this requirement, deemed too restrictive and risky in a context of growing cyber threats.
A controversial rule
- Mandatory disclosure within 4 days: The rule in question requires listed companies to make certain "significant" cyberattacks public within a maximum of four days, a requirement that banks consider unrealistic in an emergency situation.
- Fear of exposing vulnerabilities: Banking groups believe this requirement could force the disclosure of critical flaws before they are even fixed, which could exacerbate risks to financial systems.
Arguments focused on security
- Impact on ongoing investigations: The rapid disclosure requirement could disrupt internal and law enforcement investigations by revealing strategic information to malicious actors.
- Proposal for adjustment or repeal: Bank representatives advocate a more flexible approach, or the outright elimination of the rule. They call for a dialogue with the SEC to strike a balance between transparency and operational security.
Opportunities and risks
Opportunities:
- Rethink regulation to better reflect the technical and operational realities of the financial sector
- Strengthen cooperation between regulators and critical industries
Risks:
- Loss of public trust if major incidents are concealed
- Legal risk for companies if the rule is maintained and poorly enforced
Conclusion
The standoff between banking groups and the SEC reveals the persistent tensions between the need for transparency and security imperatives. As cyberattacks become more complex, regulation will need to evolve to protect both investors and the infrastructure itself.