As public companies work to align with the SEC’s new cybersecurity disclosure requirements, Commissioner Hester Peirce is urging a reassessment of how these rules are applied—particularly during active cyber incidents.
In a recent interview with The Wall Street Journal, Peirce, alluding to the Form 8-K Item 1.05 requirements, questioned the practicality of the four-business-day disclosure mandate. Her concern? That companies may be required to publicly disclose details about cybersecurity breaches before they’ve fully assessed the situation—or worse, while the attack is still unfolding. In her view, this could potentially aid attackers or compromise ongoing incident response efforts.
Peirce advocates for a principles-based approach, allowing companies the flexibility to tailor cybersecurity governance and disclosure decisions to the unique risk profiles they face. She contrasted this with the current “one-size-fits-all” mandate, which may create compliance pressure without necessarily improving investor protection or cybersecurity outcomes.
This critique comes at a pivotal time, as companies implement internal governance structures and prepare for the practical realities of timely incident materiality assessments. For organizations already navigating the operational and legal complexity of a breach, Peirce’s comments may resonate deeply.
Whether or not the SEC will adjust its stance remains to be seen, but Peirce’s comments add important context to the ongoing dialogue about balancing transparency with cybersecurity resilience.
Key takeaway: Expect the SEC’s cyber rule landscape to continue evolving—and keep an eye on how regulators weigh prescriptive compliance versus adaptable risk-based frameworks.