When Disclosure Becomes a Zero Day: Why the SEC Should Rescind Its Cyber Incident Rule in the Age of Frontier AI

https://bpi.com/when-disclosure-becomes-a-zero-day-why-the-sec-should-rescind-its-cyber-incident-rule-in-the-age-of-frontier-ai/

Publish Date: 2026-06-05 12:07:00

Source Domain: bpi.com

The recent news[1] of advanced-AI capabilities has once again put a spotlight on a long‑running problem: our collective dependence on open‑source software makes us vulnerable to attacks. Open‑source components sit in critical systems across the economy, yet defenders often lack a full inventory of where that code runs, how it is configured and how exposed it is. That asymmetry already favored attackers before the current wave of frontier AI models; now, it warrants even more attention. Public cyber incident disclosure mandates, including those adopted by the SEC in 2023, worsen this situation by furnishing attackers with roadmaps for disruption without producing defensive or risk-reduction benefits.

Consider the Apache Log4j vulnerability from 2021. Minutes after the Log4Shell flaw was disclosed, attackers began scanning and exploiting systems at global scale. In fact, researchers observed the first exploitation just nine minutes after public disclosure, illustrating how thin the margin is between awareness and compromise.[2] Within 10 days, one leading cloud‑security firm reported 93 percent of cloud environments it monitored were at risk, showing how deeply a single open‑source component can permeate modern infrastructure.[3]

The attack tempo was just as sobering. A federal review later documented peaks of roughly 400 exploit attempts per second as actors worldwide probed for vulnerable systems.[4] Another analysis found attackers attempted exploitation on 48 percent of corporate networks across the globe, underscoring how quickly a technical flaw can escalate into a systemic event.[5] All of this, it is critical to note, was almost five years ago.

Learning from that experience, BPI and other financial trades filed a Petition for Rulemaking urging the SEC to rescind its cyber incident disclosure mandate.[6] At that time, the core concern was that near‑real‑time public disclosure of material cyber incidents would hand attackers a roadmap while defenders were still investigating and working to contain the breach. That concern has not faded; it has intensified.

Frontier AI models will change the tempo of cyber operations. Advanced systems, including models like Anthropic’s Mythos and OpenAI’s GPT‑5.5 Cyber, can in principle sift through vast codebases and network data to identify previously unknown vulnerabilities in a matter of hours, a task that once took teams of expert security professionals days or weeks.[7] The same models can help automate exploit development and adaptation, shrinking the gap between discovery and attack even further. Against that backdrop, the Log4j statistics—alarming as they were—will likely pale in comparison to what becomes possible when sophisticated adversaries pair malicious intent with these capabilities.

Which brings us back to the SEC’s Cyber Incident Disclosure Rule. A mandate that pushes public companies to disclose ongoing cyber incidents within four days was always troubling from a security standpoint; in the current threat environment, it borders on irresponsible. As BPI and other trades have explained, early public narratives about an incident often rest on incomplete or inaccurate information and can tip off attackers to which systems remain vulnerable and where defenders are focusing their efforts.[8] In an era of frontier AI, those clues are not just useful—they can be ingested, correlated and acted upon at machine speed.

While the Commission included limited exceptions and national‑security‑related delays in the rule, those carveouts are narrow and hard to operationalize in real time. A prior BPI analysis catalogued the logistical hurdles: the need to recognize that an incident might trigger the exception, coordinate with law enforcement and security agencies, get them to a decision and then translate that decision into disclosure timing—often within a matter of days.[9] Each of those steps takes time and judgment; attackers, aided by advanced AI, will not wait.

Those earlier critiques are even more persuasive today. Frontier AI will likely allow adversaries to mine public regulatory filings, press coverage and technical indicators to refine targeting and update exploits in near real time. A rule that compels rapid public disclosure of an unfolding incident, coupled with modest and procedurally complex exceptions, gives well‑resourced attackers exactly what they need: structured signals about where and how to aim. The speed at which adversaries can now move overwhelms any practical benefit of the rule’s limited disclosure exceptions.

Some may argue that non‑enforcement orders, staff statements or other forms of guidance can smooth out the rule’s rough edges. Those tools offer temporary relief, but they cannot fix the core problem. The rule rests on an assumption that public, near‑term transparency about cyber incidents will improve market discipline without meaningfully worsening security risk. That assumption no longer holds, if it ever did. In the age of Mythos and GPT‑5.5‑class systems, the informational value to investors must be weighed against the very real prospect that mandated disclosures will act as fuel for weaponized AI tooling, spreading harm across companies and their investors.

Rescinding a rule is not a trivial task for the Commission or its staff. It demands a reassessment of the administrative record, careful engagement with stakeholders and a clear explanation of the agency’s change in view. Yet the SEC has already shown that it is willing to revisit major initiatives when circumstances and legal constraints warrant, as reflected in its recent move to pursue rescission of its Climate Disclosure Rule.[10] That same willingness to adjust in light of new realities should apply with even greater force in cybersecurity, where the threat landscape evolves far faster than ordinary rulemaking cycles.

The SEC’s Cyber Incident Disclosure Rule was conceived in a different era of cyber risk. That era has passed. In the world that now exists—one defined by AI‑accelerated reconnaissance, automated exploit generation and global scanning at scale—returning to the Commission’s pre-existing principles-based disclosure framework for cyber would better reflect the realities, and the risks, of the frontier AI age.

[1] Nicholas Carlini et al., Assessing Claude Mythos Preview’s cybersecurity capabilities, Anthropic (Apr. 7, 2026), https://red.anthropic.com/2026/mythos-preview/; GTIG AI Threat Tracker: Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access, Google (May 11, 2026), https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access.

[2] John Graham-Cumming & Celso Martinho, Exploitation of Log4j CVE-2021-44228 before public disclosure and evolution of evasion and exfiltration, Cloudflare (Dec. 14, 2021), https://blog.cloudflare.com/exploitation-of-cve-2021-44228-before-public-disclosure-and-evolution-of-waf-evasion-patterns/.

[3] Ami Luttwak & Alan Schindel, Log4Shell 10 days later: Enterprises halfway through patching, Wiz (Dec. 21, 2021), https://www.wiz.io/blog/10-days-later-enterprises-halfway-through-patching-log4shell.

[4] U.S. Dep’t of Homeland Sec., Cybersecurity & Infrastructure Sec. Agency, Review of the December 2021 Log4j Event 4 (2022).

[5] The Numbers Behind Log4j Vulnerability CVE-2021-44228, Check Point (Dec. 13, 2021), https://blog.checkpoint.com/security/the-numbers-behind-a-cyber-pandemic-detailed-dive/.

[6] See Am. Bankers Assoc., Bank Policy Inst., Sec. Industry & Fin. Markets Assoc., Ind. Comm. Bankers of Am., Inst. of Int’l Bankers, Petition for Rulemaking on the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule (May 22, 2025), https://bpi.com/wp-content/uploads/2025/05/Joint-Financial-Trades-Final-Petition-for-Rulemaking-on-Cybersecurity-Risk-Management-Strategy-Governance-and-Incident-Disclosure-Rule_.pdf.

[7] Nicholas Carlini et al., Assessing Claude Mythos Preview’s cybersecurity capabilities, Anthropic (Apr. 7, 2026), https://red.anthropic.com/2026/mythos-preview/.

[8] Am. Bankers Assoc., Bank Policy Inst., Sec. Industry & Fin. Markets Assoc., Ind. Comm. Bankers of Am., Inst. of Int’l Bankers, Comment Letter on Reforming Regulation S-K (Apr. 10, 2026), https://bpi.com/wp-content/uploads/2026/04/Joint-Financial-Trades-Reg-S-K-Cyber-Comment-Letter-4.10.26.pdf.

[9] Heather Hogsett, Fool’s Gold: Why the Exceptions to the SEC’s Cyber Disclosure Rule Cannot and Will Not Work, and the Damage that Will Ensue, Bank Policy Inst. (Dec. 18, 2023), https://bpi.com/wp-content/uploads/2023/12/Fools-Gold-Why-the-Exceptions-to-the-SECs-Cyber-Disclosure-Rule-Cannot-and-Will-Not-Work-and-the-Damage-that-Will-Ensue.pdf.

[10] Sec. & Exchange Comm’n, Rescission of Climate-Related Disclosure Rules, RIN 3235-AN76 (2026), https://www.sec.gov/files/rules/proposed/2026/33-11421.pdf.