04/10/2026 | Press release | Archived content
Dear Ms. Countryman,
The American Bankers Association,[1] Bank Policy Institute,[2] Securities Industry and Financial Markets Association,[3] Independent Community Bankers of America,[4] and Institute of International Bankers[5] appreciate the opportunity to provide comments in response to Chair Atkins's request for public input on reforming Regulation S-K. Our members are subject to extensive cybersecurity oversight and incident-reporting regimes administered by prudential regulators and federal agencies, in addition to the public disclosure requirements of the Commission's Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule.[6] This letter focuses on Item 106 of Regulation S-K and the related cybersecurity incident disclosure mandate on Form 8-K, Item 1.05.[7]
We welcome the Commission's comprehensive review of Regulation S-K and its effort to restore a materiality-centered, principles-based disclosure framework whereby companies assess disclosure obligations based on longstanding materiality standards. As noted in the recently released Cyber Strategy for America, cyber regulations should be streamlined to "reduce compliance burdens, address liability, and better align regulators and industry globally."[8] As part of the Commission's review, we urge the Commission to rescind Item 106.
We believe Item 106 places outsized weight on one risk type and requires disclosure of operational details inconsistent with a principles-based framework. Rescission of Item 106 would streamline disclosure and "eliminat[e] both the burdensome and the impractical," in alignment with Chair Atkins's strategy for the Commission's regulatory frameworks.[9] In the event the Commission does not rescind Item 106, we recommend that the Commission narrow and refocus Item 106 so that it elicits concise, decision-useful and materiality-centered information about cybersecurity risks and risk management, without burying investors in immaterial detail. In addition, as part of the Commission's review, we urge the Commission to rescind Form 8-K, Item 1.05. We believe that the pre-existing principles-based disclosure framework (including Form 8-K, Item 8.01 and periodic reporting requirements) adequately addresses disclosure of material cybersecurity incidents, as described in the joint petition for rulemaking submitted by our organizations last year.[10]
In 2022, our associations explained that the proposed cybersecurity rules raised serious policy and practical concerns, including the following: (1) the risk that bespoke, topic-specific line items for cybersecurity incidents would privilege one type of risk over others in a way that is inconsistent with the Commission's longstanding, principles-based regime[11] and (2) security risks from prescriptive disclosures about cybersecurity. Although the Commission acknowledged many of the comments it received in the final rule, it did not resolve several issues with Item 106's requirements, including the concerns raised by our associations. These issues now warrant reconsideration in the context of Regulation S-K reform, particularly as compliance with Item 106's disclosure requirements has negatively impacted the members of our associations. For example, our member financial services firms devote significant attention and resources away from other important priorities to complying with Item 106's detailed disclosure requirements, leaving less time for other strategic security initiatives to fortify firm defenses. At the same time, the growing patchwork of overlapping cybersecurity rulemakings across federal agencies and state regimes further risks the diversion of finite resources away from proactive threat detection and toward prescriptive compliance exercises. Smaller and mid-sized financial services firms, in particular, find compliance challenging given their more limited resources.
[1] The American Bankers Association is the voice of the nation's $25.3 trillion banking industry, which is composed of small, regional, and large banks that together employ over 2 million people, safeguard $20.1 trillion in deposits, and extend $13.5 trillion in loans.
[2] The Bank Policy Institute ("BPI") is a nonpartisan public policy, research, and advocacy group that represents universal banks, regional banks, and the major foreign banks doing business in the United States. BPI produces academic research and analysis on regulatory and monetary policy topics, analyzes and comments on proposed regulations, and represents the financial services industry with respect to cybersecurity, fraud, and other information security issues. Business, Innovation, Technology and Security, BPI's technology policy division, provides an executive-level forum to discuss and promote current and emerging technology, foster innovation, reduce fraud, and improve cybersecurity and risk management practices for the financial sector.
[3] The Securities Industry and Financial Markets Association ("SIFMA") is the leading trade association for broker-dealers, investment banks, and asset managers operating in the U.S. and global capital markets. On behalf of our industry's nearly one million employees, we advocate on legislation, regulation, and business policy affecting retail and institutional investors, equity and fixed income markets, and related products and services. We serve as an industry-coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency. We also provide a forum for industry policy and professional development. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association.
[4] The Independent Community Bankers of America® has one mission: to create and promote an environment where community banks flourish. We power the potential of the nation's community banks through effective advocacy, education, and innovation. As local and trusted sources of credit, America's community banks leverage their relationship-based business model and innovative offerings to channel deposits into the neighborhoods they serve, creating jobs, fostering economic prosperity, and fueling their customers' financial goals and dreams.
[5] The Institute of International Bankers ("IIB") represents the U.S. operations of internationally headquartered financial institutions from more than 35 countries around the world. The membership consists principally of international banks that operate branches, agencies, bank subsidiaries, and broker-dealer subsidiaries in the United States. The IIB works to ensure a level playing field for these institutions, which are an important source of credit for U.S. borrowers and comprise the majority of U.S. primary dealers. These institutions also enhance the depth and liquidity of U.S. financial markets and contribute significantly to the U.S. economy through direct employment of U.S. citizens, as well as through other operating and capital expenditures.
[6] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, 88 Fed. Reg. 51896, 51945 (Aug. 4, 2023) [hereinafter the "Cybersecurity Disclosure Rule"].
[7] The recommendations in this letter should apply equally to foreign private issuers ("FPIs"). FPIs are subject to cybersecurity governance and risk management disclosure requirements through Form 20-F Item 16K, which incorporates the substance of Regulation S-K Item 106. Similarly, FPIs are required to furnish on Form 6-K material cybersecurity incident disclosures, similar to the disclosure mandated by Form 8-K, Item 1.05. Any actions taken by the Commission to implement the recommendations herein should therefore be reflected in the parallel disclosure requirements in Form 20-F Item 16K and Form 6-K.
[8] The White House, President Trump's Cyber Strategy for America (Mar. 6, 2026), https://www.whitehouse.gov/wp-content/uploads/2026/03/President-Trumps-Cyber-Strategy-for-America.pdf.
[9] Chair Paul S. Atkins, U.S. Sec. & Exch. Comm'n, Prepared Remarks Before SEC Speaks (Mar. 19, 2026), https://www.sec.gov/newsroom/speeches-statements/atkins-remarks-sec-speaks-031926-prepared-remarks-sec-speaks.
[10] American Bankers Assoc., Bank Policy Institute, Securities Industry and Financial Markets Assoc., Indep. Cmty. Bankers of America, and Inst. of Int'l Bankers, Petition for Rulemaking on the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule (May 22, 2025), https://bpi.com/wp-content/uploads/2025/05/Joint-Financial-Trades-Final-Petition-for-Rulemaking-on-Cybersecurity-Risk-Management-Strategy-Governance-and-Incident-Disclosure-Rule_.pdf [hereinafter Petition for Rulemaking].