Adopted in July 2023, the US Securities and Exchange Commission (SEC)’s cybersecurity disclosure rules require public companies to report material cybersecurity incidents on Form 8-K and to annually report on their cybersecurity risk management and governance.
However, recent developments – including SEC Chair Paul S. Atkins’s appointment in April 2025, the emergence of a Republican-appointed majority in the Commission, and ongoing efforts to rescind the rules – have contributed to uncertainty surrounding their future.
Background of the cybersecurity disclosure rules
As discussed in this DLA Piper alert, the 2023 cybersecurity disclosure rules received mixed reception at both the proposal and adoption stages.
At the time of adoption, the two Republican-appointed commissioners, Hester Peirce and Mark Uyeda, voiced their opposition, with Commissioner Peirce releasing a statement arguing, among other things, that the cybersecurity rules:
- Exceeded the SEC’s authority because they were not tied to financial materiality
- Were outside the SEC’s expertise
- Failed to take into account other cyber disclosure laws
- Offered too narrow of an exception for law enforcement concerns
- Would increase compliance costs for companies
- Would require disclosure that could benefit cyber criminals, and
- Could lead to vague and misleading disclosures.
Similarly, Commissioner Mark Uyeda, in his own statement, contended:
Cybersecurity is one of numerous risks and issues that companies must address from financial, operational, governance, and other perspectives. The [SEC]’s disclosure rules should not elevate cybersecurity above these other risks and issues, some of which may be more material to investors.
Commissioner Uyeda noted that the rules would require companies to make forward-looking disclosures regarding a cybersecurity incident’s material impact, which would need to be continually assessed for additional impacts and potential amendments to Form 8-K, if new information arose after the initial disclosure. He pointed out that other required disclosure events, such as a merger, do not need to be constantly assessed.
In November 2023, Representative Andrew Garbarino and Senator Thom Tillis introduced a resolution of disapproval under the Congressional Review Act, in an effort to rescind the rules – however, the resolution failed to pass.
Recent efforts to rescind the rules
Since former SEC Chairman Gary Gensler stepped down in January 2025 and the Commission shifted to a Republican majority, efforts to rescind the cybersecurity rules have intensified.
In March 2025, the Republican members of the House Financial Services Committee issued a letter to then-Acting Chairman Uyeda, urging the SEC to withdraw several proposed and adopted rules, including the cybersecurity rules. That same month, at a hearing of the US House Committee on Homeland Security Subcommittee on Cybersecurity and Infrastructure, several lawmakers expressed dissatisfaction with the cybersecurity rules, citing their ambiguity and restrictive reporting timelines.
Most recently, on May 22, 2025, a group of banking associations, including the American Bankers Association, Bank Policy Institute, Independent Community Bankers of America, Securities Industry and Financial Markets Association, and Institute of International Bankers, petitioned the SEC to rescind the rule requiring companies to disclose cyber incidents under Item 1.05 of Form 8-K within four business days of a determination of materiality. The petition outlined concerns that align with those previously expressed by Commissioners Peirce and Uyeda.
In seeking rescission of Item 1.05 disclosure, the petition letter cited key issues alleging that:
- Publicly disclosing cybersecurity incidents directly conflicts with confidential reporting requirements intended to protect critical infrastructure and warn potential victims, thereby compromising coordinated regulatory efforts to enhance national cybersecurity.
- The complex and narrow disclosure delay mechanism interferes with incident response and law enforcement investigations.
- The rule has created market confusion and uncertainty as companies struggle to distinguish between mandatory and voluntary disclosures.
- Resulting disclosures have been weaponized as an extortion method by ransomware criminals to further malicious objectives and may subject disclosing companies to additional cybersecurity threats.
- Insurance and liability implications of premature disclosures can exacerbate financial and operational harm to companies.
- The rule risks chilling candid internal communications and routine information sharing.
The petitioning organizations urged the SEC to return to a more principles-based disclosure regime, through which companies would consider the materiality of cybersecurity risks and incidents in determining whether disclosure was appropriate.
Going forward
It is unclear what actions the SEC will take in response to the petition and related criticism. Among possible approaches, the Commission could opt to modify or rescind some or all of the rules under the Administrative Procedure Act (APA). The APA would require the SEC to issue a proposal, solicit public comment, and provide a reasoned explanation for any such change. A shift in policy could serve as a valid rationale, provided the SEC addresses prior factual findings that supported the original rules.
It is worth noting that, in February 2025, the SEC announced the creation of the Cyber and Emerging Technologies Unit (CETU) to focus on combatting cyber-related misconduct and to protect retail investors from bad actors in the emerging technologies space.
In the meantime, companies are encouraged to establish and maintain controls and procedures that will allow them to identify, assess, and report cybersecurity incidents. They are also encouraged to fully and accurately describe their cybersecurity risk management and governance procedures in their SEC filings, as applicable.
For more information, please contact the authors.