Cybersecurity risks are constant and, if anything, escalating. Yet rules for incident reporting, prioritized by regulators and largely endorsed in the private sector, remain contentious in their application.
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was the subject of a series of virtual town halls in March and April as the Cybersecurity and Infrastructure Security Agency (CISA), part of the U.S. Department of Homeland Security, sought to explain (or sell) impending compliance requirements to covered industries.
The objective is to “rapidly share actionable information to protect others,” CISA’s Nick Andersen said in announcing the programs. “Stakeholder input is critical as we finalize this rule to strengthen our collective defense. CISA is committed to delivering a framework that appropriately balances its impact on improving our nation’s cybersecurity posture with avoiding unnecessary burden to entities in critical infrastructures.”
Acting CISA Director Nick Andersen
The financial industry and registered corporations have already been – and are still going – down that road, dealing with a 2023 Securities and Exchange Commission rule calling for disclosure of incidents of a material nature within four business days.
Todd Klessman, who formerly led CISA’s CIRCIA rulemaking effort, is not convinced that town halls are the most effective method of marketplace engagement, though he says it is better than none. And he stresses the importance of incident reporting and intelligence sharing done right.
Since January, Klessman has been managing director, Financial Services Cyber & Technology, at the Securities Industry and Financial Markets Association (SIFMA). Allied with peer trade groups including the American Bankers Association and Bank Policy Institute in a long-running cyber-related regulatory dialogue, and with Klessman as a signatory, SIFMA joined in a 15-page comment letter to the SEC on April 10 regarding “Regulation S-K Item 106 and Cybersecurity Disclosure.”
Citing concerns from early in the rulemaking process that went unaddressed, the associations claimed that “Item 106 places outsized weight on one risk type and requires disclosure of operational details inconsistent with a principles-based framework. Rescission of Item 106 would streamline disclosure and ‘eliminat[e] both the burdensome and the impractical’” and better align with SEC Chair Paul Atkins’ “strategy for the commission’s regulatory frameworks.”
If the provision is not rescinded, “we recommend that the commission narrow and refocus Item 106 so that it elicits concise, decision-useful and materiality-centered information about cybersecurity risks and risk management, without burying investors in immaterial detail.”
Organizations face fragmentation and inconsistencies in reporting requirements, observes Aaron Pinnick, senior manager of thought leadership for ACA Group’s Aponix and ESG programs. While public companies have the four-day SEC rule for reporting once an incident is deemed material, a proposed cybersecurity rule for registered investment advisers and broker-dealers was withdrawn in June 2025.
The withdrawal does not reduce the underlying cybersecurity risk, and these firms may still be subject to state laws – the New York Department of Financial Services, for example, has a 72-hour reporting timeline – or to foreign jurisdictions.
Aaron Pinnick of ACA Group
“Regulations will vary in the type of information that must be reported, when notification must occur, and the severity or impact of incidents that must be reported,” Pinnick points out.
Under SEC Regulation S-P as amended, investment advisers, investment companies and others have to notify customers of unauthorized access or use of their sensitive information within 30 days. S-P “does not create an obligation to report these incidents to the SEC, though the SEC will likely ask about these incidents during examinations,” Pinnick adds.
The benefit of CIRCIA standards “is simple – it forces boards to care,” says Nick Mo, co-founder and CEO of Ridge Security. “Five years ago, most boards treated cybersecurity like plumbing. Now they have to actually understand their risk posture because there's a regulatory consequence if they don't. That cultural shift matters more than any specific rule.”
Mo says that “the why” of transparency is right – stakeholders deserve to know, and the government needs visibility into what is happening – but not so much “the how.”
Nick Mo of Ridge Security
Companies are asked to “publicly announce they’ve been hurt while they’re still bleeding. And the damage doesn’t stop with the initial disclosure,” Mo maintains. “We’re seeing what I’d call a secondary market for breaches.” Information in an SEC 8-K filing can “effectively ring a dinner bell” for potential attackers.
“There are groups that monitor SEC filings specifically to identify companies in chaos, then launch follow-on attacks while the security team is buried in legal calls and board briefings. The four-day window doesn't just inform investors; it also creates a target list.”
Mo believes that what is missing from the conversation is prevention: “All this energy goes into what happens after a breach. The real question should be, ‘What are you doing to stop it from happening in the first place?’ If we put half the regulatory focus on proactive defense that we put on reactive disclosure, we’d be in a very different place.”
SIFMA, among others, would like to see the cyber incident disclosure requirements under Form 8-K Item 1.05 (for domestic issuers) and Form 6-K (for foreign private issuers) rescinded. Those requirements are said to impose additional risks, costs and complexity while failing to generate information sufficiently supportive of the SEC’s investor-protection mission.
Todd Klessman of SIFMA
“More generally,” says Klessman, “we would like to see greater harmonization across cybersecurity incident reporting requirements, a higher threshold for what qualifies as a reportable incident, a reduction in the amount of data that regulators require [that] entities report and preserve, enhanced liability protections for reporting entities, and commitments from regulators to adequately protect information received in reports.”
Mo of Ridge Security has a list of wants. To begin, “stop treating cybersecurity reporting like a one-way confession booth. Make it a two-way street. If I report an incident, I should get something back, such as threat intelligence, defensive recommendations, or a heads-up about related activity.”
What’s more, guidelines must catch up to the new realities of agentic artificial intelligence. “We need to start treating AI agents as privileged users. Any AI-driven system should have a cryptographic kill switch that can be pulled the moment it deviates from its intended behavior. If we don’t regulate AI identities with the same rigor we apply to human ones, we’re leaving the keys in the ignition.”
The SEC’s request for risk management disclosures results in reports that say, “we have a firewall,” which Mo regards as “useless. I’d like to see the conversation shift toward something like an exploitability score. Don’t tell the SEC you have a plan. Show them the results of your last autonomous red-team exercise.
“If you can’t prove you tried to hack yourself yesterday, you don’t actually know your risk today. Compliance should be based on evidence of defense, not promises of policy.”
Mo calls attention to how ransomware gangs have begun to escalate their demands by threatening to report their victims to the SEC. “When the bad guys are using your regulation as a weapon, you've got a design flaw, not just an implementation issue.”
The Ridge Security CEO’s bottom line on information sharing is that CISA could be in a strong position to identify patterns and prevent attacks from spreading. “The challenge is making it actually work in practice by turning raw incident reports into timely, actionable intelligence that reaches the right people fast enough to matter.”