The rule to report on cyber incidents within four days has its critics
An Article Review
It’s no secret that cyber incidents are on the rise—but just how much transparency should companies be forced to show when they get hit? That’s the question at the center of a growing debate between regulators and the financial industry, and one that may carry big consequences for community banks.

Recently, several powerful banking groups, including those representing smaller institutions, have urged the Securities and Exchange Commission (SEC) to walk back a rule that requires firms to publicly disclose cyber incidents within four days of determining they’re material. Their argument? That this rushed timeline could actually make things worse.
The concern isn’t whether banks should share information; most already do, especially with regulators and peer networks. The issue is that going public too soon, while investigations are still unfolding, could tip off threat actors, complicate law enforcement efforts, or even send false signals to customers.
It’s a classic collision between transparency and operational security, and smaller institutions, already strapped for resources, could be caught in the middle. A one-size-fits-all timeline may not give community banks the flexibility they need to assess, respond, and communicate responsibly.
While the SEC hasn’t indicated any rollback yet, this pushback from the banking world is a signal: cybersecurity policy is no longer just about defense; it’s also about timing, messaging, and managing trust.
Original article by Ashish Khaitan, writing for The Cyber Express.
This Article Review was written by Vigilize.