# SEC Cybersecurity Disclosure Rules: What Public Companies Must Report
## Definition
The SEC Cybersecurity Disclosure Rules are a set of mandatory reporting requirements adopted by the U.S. Securities and Exchange Commission on July 26, 2023, that govern how publicly traded companies must disclose cybersecurity incidents and describe their cybersecurity risk management, governance, and strategy. The rules apply to all registrants under the Securities Exchange Act of 1934, with compliance effective December 15, 2023 for large accelerated filers and June 15, 2024 for all other registrants.
The rules create two distinct disclosure obligations: an incident disclosure obligation under Form 8-K (current report, triggered by material cybersecurity incidents) and an annual disclosure obligation under Form 10-K (annual report, requiring ongoing description of cybersecurity risk management processes and governance structure).
Before these rules, cybersecurity disclosures were governed by informal SEC staff guidance from 2011 and 2018, which recommended but did not mandate specific disclosures. Companies had wide discretion over what to disclose, when to disclose it, and how to describe their cybersecurity posture. The 2023 rules replace that discretion with mandatory timelines, defined content requirements, and individual accountability that extends to named executives and, in some cases, the CISO.
The rules did not emerge in isolation. They are the SEC's response to a sustained pattern of inadequate cybersecurity disclosure: incidents disclosed months after detection, material breaches that investors learned about through news coverage rather than regulatory filings, and annual reports that described sophisticated risk management programs that bore little resemblance to the organization's actual security posture. The SolarWinds enforcement action, initiated in October 2023 concurrent with the rules' effective date, made explicit that the SEC intended to enforce these requirements with consequences for individual executives, not just organizations.
## How It Works: Structure and Requirements
### Form 8-K, Item 1.05: Incident Disclosure
Item 1.05 requires registrants to disclose "material cybersecurity incidents" on Form 8-K within four business days of determining that a cybersecurity incident is material. The four-day clock begins at the materiality determination, not at the time of discovery or containment. This distinction is operationally significant and is the subject of ongoing legal interpretation.
The 8-K disclosure must describe the nature, scope, and timing of the incident, and its material impact or reasonably likely material impact on the registrant. The SEC deliberately did not require disclosure of specific technical details that could aid attackers or undermine remediation, but it did require sufficient description that investors can assess the business significance.
The disclosure may be delayed beyond four business days if the U.S. Attorney General certifies that immediate disclosure would pose a substantial risk to national security or public safety. This exception has a defined procedural requirement: the registrant must notify the SEC in writing and the AG must provide the certification within a specific timeframe. This is not a general "ongoing investigation" exception, and the SEC has indicated that organizations cannot unilaterally delay based on their own assessment of investigation risk.
#### What "Material" Means
Materiality is the central interpretive question under the incident disclosure rule, and the SEC's answer is deliberately non-prescriptive. The applicable standard is the longstanding securities law test: information is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision, or if it would significantly alter the total mix of information available.
The SEC acknowledged in its adopting release that materiality determinations for cybersecurity incidents involve both quantitative and qualitative factors. Quantitative factors include direct financial impact (costs of investigation, remediation, notification, and legal liability) and lost revenue from operational disruption. Qualitative factors include reputational harm, regulatory exposure, disruption to operations, customer notification obligations, and competitive harm from disclosed vulnerabilities.
The SEC explicitly rejected calls to establish a bright-line threshold (such as "incidents affecting more than X percent of revenue must be disclosed"). The judgment belongs to the registrant. This creates legal exposure because the judgment is reviewable by the SEC, by plaintiffs in securities litigation, and by affected investors. Underdisclosing a material incident creates the same liability as failing to disclose any other material fact. Overdisclosing routine incidents creates market noise and may itself be misleading.
In practice, organizations must develop a documented materiality assessment process and apply it within hours of a significant incident. The process must be defensible: if the SEC later determines that a disclosed "not material" incident was in fact material, the organization must be able to show a documented, reasoned analysis conducted at the time, not a post-hoc rationalization.
#### The Four-Business-Day Clock in Practice
The four-business-day window is measured in business days (Monday through Friday, excluding federal holidays), beginning when the registrant determines the incident is material. The determination requires coordinating legal, finance, security, and executive leadership within the first hours of incident response, before the scope is fully understood.
The tension here is real. Incident responders need time to understand the scope and impact of an incident before anyone can make a meaningful materiality determination. The legal team needs input from finance on quantitative impact. The board or audit committee may need to be involved in the determination. Four business days is not generous when these functions are operating under concurrent incident pressure.
The SEC's response to this concern is that the four-day clock does not begin until the materiality determination is made. The SEC simultaneously noted that registrants cannot delay the determination itself unreasonably. A registrant that takes six weeks to determine materiality on an incident that was obviously material from day three will face scrutiny of why the determination was delayed.
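As an added example (not code from the article or from CDA), the following Python turns the clock rule described above into a small incident-response playbook helper: it computes the Item 1.05 filing deadline as four business days (Monday through Friday, excluding federal holidays) after the materiality determination date, records how many business days elapsed between discovery and determination so that any delay is documented contemporaneously, and emits a determination record of the kind a later reviewer would want to see. The holiday set is a sample for 2024 only and the incident id is a placeholder; a real playbook would load the official federal holiday calendar for every relevant year (assumption).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set

# Sample of U.S. federal holidays for 2024 only, used for this example.
# Assumption: a production playbook loads the official calendar for every year it covers.
FEDERAL_HOLIDAYS: Set[date] = {
    date(2024, 1, 1),    # New Year's Day
    date(2024, 1, 15),   # Birthday of Martin Luther King, Jr.
    date(2024, 2, 19),   # Washington's Birthday
    date(2024, 5, 27),   # Memorial Day
    date(2024, 6, 19),   # Juneteenth
    date(2024, 7, 4),    # Independence Day
    date(2024, 9, 2),    # Labor Day
    date(2024, 10, 14),  # Columbus Day
    date(2024, 11, 11),  # Veterans Day
    date(2024, 11, 28),  # Thanksgiving Day
    date(2024, 12, 25),  # Christmas Day
}

FILING_WINDOW_BUSINESS_DAYS = 4  # Item 1.05 window: four business days after the determination


def is_business_day(d: date, holidays: Set[date] = FEDERAL_HOLIDAYS) -> bool:
    """Monday through Friday and not a federal holiday."""
    return d.weekday() < 5 and d not in holidays


def add_business_days(start: date, n: int, holidays: Set[date] = FEDERAL_HOLIDAYS) -> date:
    """Return the date n business days after start; start itself is not counted."""
    d, remaining = start, n
    while remaining > 0:
        d += timedelta(days=1)
        if is_business_day(d, holidays):
            remaining -= 1
    return d


def business_days_between(start: date, end: date, holidays: Set[date] = FEDERAL_HOLIDAYS) -> int:
    """Count business days in (start, end]; documents how long the determination took."""
    count, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if is_business_day(d, holidays):
            count += 1
    return count


def deadline_from_iso(determined_iso: str) -> str:
    """Convenience wrapper: ISO determination date in, ISO Item 1.05 deadline out."""
    return add_business_days(date.fromisoformat(determined_iso), FILING_WINDOW_BUSINESS_DAYS).isoformat()


@dataclass
class MaterialityDetermination:
    """Contemporaneous record of a materiality determination (fields are this example's choice)."""
    incident_id: str
    discovered: date
    determined: date
    material: bool
    participants: List[str]
    inputs_considered: List[str]
    reasoning: str

    def filing_deadline(self) -> Optional[date]:
        """Four business days after the determination; None when judged not material (no 8-K due)."""
        if not self.material:
            return None
        return add_business_days(self.determined, FILING_WINDOW_BUSINESS_DAYS)

    def determination_lag(self) -> int:
        """Business days from discovery to determination, kept so a delay is documented, not hidden."""
        return business_days_between(self.discovered, self.determined)

    def record(self) -> dict:
        deadline = self.filing_deadline()
        return {
            "incident_id": self.incident_id,
            "discovered": self.discovered.isoformat(),
            "determined": self.determined.isoformat(),
            "determination_lag_business_days": self.determination_lag(),
            "material": self.material,
            "filing_deadline": deadline.isoformat() if deadline else None,
            "participants": list(self.participants),
            "inputs_considered": list(self.inputs_considered),
            "reasoning": self.reasoning,
        }


def example_record() -> dict:
    """Constructed scenario: discovered Monday 2024-07-01, judged material Wednesday 2024-07-03.
    The four-day count skips Independence Day (Thursday 2024-07-04) and the weekend."""
    det = MaterialityDetermination(
        incident_id="IR-EXAMPLE-001",  # placeholder identifier
        discovered=date(2024, 7, 1),
        determined=date(2024, 7, 3),
        material=True,
        participants=["CISO", "General Counsel", "CFO"],
        inputs_considered=["technical scope assessment", "financial impact estimate"],
        reasoning="Customer-facing systems offline; estimated lost revenue judged significant.",
    )
    return det.record()


if __name__ == "__main__":
    for key, value in example_record().items():
        print(f"{key}: {value}")
```

The record deliberately stores the discovery date alongside the determination date: the clock starts at the determination, but, as the text notes, the SEC can still ask why the determination took as long as it did, so the lag is something to document rather than omit.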
### Form 10-K, Item 106: Annual Cybersecurity Disclosures
The annual disclosure requirements under Item 106 cover three categories: risk management and strategy, governance, and management's role. These disclosures appear in the annual 10-K filing and are reviewed annually, though material changes to the described processes should trigger consideration of whether an interim update (via 8-K or 10-Q) is appropriate.
#### Risk Management and Strategy
Registrants must describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats. The "if any" language is deliberate: the SEC does not mandate that registrants have a cybersecurity risk management program. It mandates that registrants accurately describe what they have.
The required description covers: whether the cybersecurity risk management process is integrated into the registrant's overall risk management framework, whether the registrant engages third parties (consultants, auditors, managed security service providers) as part of its risk management, how the registrant oversees and manages cybersecurity risks associated with its use of third-party service providers, and whether any previous cybersecurity incidents have informed changes to the risk management process.
The third-party risk disclosure is particularly significant. Supply chain and vendor risks were a primary driver of the rulemaking (the SolarWinds incident being the paradigmatic example). Registrants that process sensitive data through third-party systems and have not built a documented vendor risk management program now face disclosure risk: they must either describe a program that exists or disclose the absence of one.
#### Governance
The governance disclosure requires registrants to describe the board of directors' oversight of cybersecurity risk. This includes identifying which board committee (typically the audit committee) or the full board is responsible for oversight, and describing the processes by which the board is informed about cybersecurity risks. It is not sufficient to state that the board "receives briefings"; the disclosure must describe the substance and cadence of those briefings and how the board exercises its oversight responsibility.
This requirement has materially changed the nature of board cybersecurity engagement. Prior to the rules, cybersecurity was typically presented to the board in annual briefings, often as part of a broader technology update. Under the disclosure rules, the board's oversight process is a public representation subject to SEC scrutiny and investor assessment. Boards that previously received annual PowerPoint presentations are now receiving quarterly security metrics, reading written summaries of significant incidents, and asking questions that demonstrate their engagement with the substance of the risk.
#### Management's Role
Registrants must describe management's role in assessing and managing cybersecurity risks, including: whether the registrant has a CISO or equivalent role, the relevant experience and qualifications of the individual(s) responsible for cybersecurity risk management, and the processes by which those individuals are informed about and monitor cybersecurity threats, incidents, and risks.
The experience and qualifications disclosure is new. Public companies must now describe the background of their top cybersecurity executive in sufficient detail for investors to assess whether the person in that role has the relevant expertise. This has increased pressure on boards and executive teams to staff the CISO role with individuals whose credentials are defensible in a regulatory and investor context.
The reporting relationship between the CISO and the board is not explicitly required to be disclosed, but in practice, most registrants describe whether the CISO has direct board access, whether they report to the CEO or CTO, and the frequency of board-level reporting. This disclosure often reveals reporting structures that, once public, become a governance discussion topic.
## The SolarWinds Precedent: Individual CISO Liability
In October 2023, the SEC filed charges against SolarWinds Corporation and its then-CISO Timothy Brown, alleging fraud and internal control failures. The charges alleged that SolarWinds and Brown misled investors about the company's cybersecurity posture in its public disclosures while internal communications demonstrated awareness of significant security deficiencies.
Specifically, the SEC alleged that SolarWinds' public security statements were materially inconsistent with internal assessments that identified critical vulnerabilities, password policy violations, and known security gaps. The CISO was charged individually based on his involvement in the public disclosures and his knowledge of the internal assessments.
A federal judge dismissed some of the charges against Brown in July 2024, ruling that certain allegations were insufficient. But the case established a principle that securities law practitioners had long anticipated: individual CISOs can face personal liability under securities law when the company's public cybersecurity representations are materially misleading and the CISO was involved in those representations while possessing knowledge that contradicted them.
The operational implication is significant. CISOs who now participate in drafting the 10-K Item 106 disclosures, review incident disclosure decisions, and advise on materiality determinations are doing so in a context where the accuracy of those representations has personal legal consequences. This has accelerated demand for D&O insurance coverage that explicitly covers CISOs and has changed how CISOs engage with legal counsel on disclosure matters.
## How the Rules Change Incident Response
The rules have permanently altered incident response procedures at public companies. Before December 2023, incident response was primarily a technical and operational function with legal involvement for regulatory notification (breach notification laws, HIPAA, etc.). The SEC rules add a parallel securities law timeline that must be managed concurrently.
Modern incident response at a public company now requires four concurrent workstreams from the moment a significant incident is discovered. The technical workstream continues as before: containment, eradication, recovery. The legal workstream initiates an analysis of applicable breach notification laws, regulatory reporting requirements, and contractual notification obligations. The SEC workstream begins the materiality analysis, documents its inputs and reasoning, and prepares for a potential 8-K filing. The board workstream ensures that the audit committee and full board are informed according to the governance processes described in the 10-K.
These workstreams must be coordinated under time pressure and with incomplete information. The security team's assessment of scope will evolve over days. The legal team's materiality analysis depends on scope information that is not fully available. The four-business-day clock is running. Organizations that have not built and tested these coordination procedures before an incident occurs will be designing them under fire.
This has made tabletop exercises focused specifically on SEC disclosure scenarios a standard element of incident response preparedness. The tabletop is not about technical response; it is about testing the cross-functional decision-making process under the SEC disclosure timeline.
## Why It Matters
The SEC rules matter because they permanently elevate cybersecurity from a technical function to a governance and disclosure obligation at public companies. The CISO's work product is now subject to securities law review. The board's engagement with cybersecurity risk is now a public representation. The company's incident response procedures are now structured around a regulatory timeline.
For investors, the rules provide information that was previously unavailable or inconsistently disclosed: the actual frequency and severity of cybersecurity incidents at companies whose systems they own a stake in, the governance structure that oversees cyber risk, and whether the people responsible for cybersecurity have the credentials to manage it effectively.
For the security industry, the rules validate the CISO's seat at the leadership table. Security leaders who have spent years advocating for board-level visibility and executive accountability now operate in a regulatory environment that requires that visibility. The challenge is that this exposure cuts both ways: boards that previously lacked engagement now have fiduciary motivation to engage, but they also have the ability to scrutinize security decisions in ways that create organizational tension.
For private companies considering future public offerings, the rules create a preparation mandate. A company that IPOs without having built the disclosure infrastructure, the board governance processes, and the incident response coordination procedures required by the rules will face immediate compliance pressure at the worst possible time (during a liquidity event). Companies that build these capabilities in advance of an offering create a compliance advantage rather than a compliance liability.
## CDA Perspective
### PDM Domain Mapping
The SEC disclosure rules sit at the intersection of RGA (Risk Governance & Assurance), TID (Threat Intelligence & Defense), and DPS (Data Protection & Sovereignty).
RGA is the primary domain. The 10-K Item 106 disclosures describe the governance structure, risk management processes, and compliance posture that RGA governs. The board oversight requirement is a governance function. The risk management disclosure is a documented risk program output. The CISO experience disclosure is an organizational capability statement. All of these are RGA domain concerns, and CDA's Perpetual Compliance Assurance (PCA) methodology specifically addresses the documentation, evidence, and reporting infrastructure that these disclosures require.
TID is the operational domain. Materiality determination under Item 1.05 requires real-time assessment of incident scope, impact, and trajectory. This requires the detection capability (TID-B01), incident response plan (TID-B02), and response procedures (TID-D03) to be operational before an incident occurs. An organization that lacks mature TID capabilities cannot make a defensible materiality determination within four business days because it does not yet understand the scope of what happened.
DPS intersects through the data impact dimension of materiality analysis. When personal information, intellectual property, or sensitive financial data is exfiltrated, the DPS domain's data classification work (DPS-R02) and data sovereignty mapping (DPS-H02) directly inform the scope assessment. Organizations that have not mapped their sensitive data assets cannot quickly assess whether an incident has reached those assets.
### TOP Missions Directly Applicable
RGA-B04 (Board Cyber Reporting Framework, 16 hours): This mission directly builds the board-level reporting structure that Item 106's governance disclosure requires. Outputs include a defined reporting cadence, a metrics framework, a written briefing format that documents board engagement, and a written record of the board's oversight activities. Without this infrastructure, the 10-K governance disclosure will be vague, unsubstantiated, or inaccurate.
RGA-R01 (Compliance Landscape Mapping, 16 hours): For public companies, this mission includes mapping the SEC disclosure rules against existing incident response procedures, identifying gaps in the materiality determination process, and assessing whether the governance documentation matches the actual oversight process. The gap analysis often reveals that the governance processes described in prior 10-Ks do not match current practice.
RGA-B02 (Compliance Program Build, 60 hours): Builds the risk management program that Item 106 requires registrants to describe. This includes documented processes for identifying, assessing, and managing cybersecurity risks, third-party risk management procedures, and the integration of cybersecurity risk into enterprise risk management. The program documentation must be accurate: it is a public representation.
RGA-H02 (Quantitative Risk Analysis, 20 hours): Develops the quantitative risk assessment capability that supports materiality determinations. Organizations need a consistent methodology for estimating financial impact (direct costs, lost revenue, regulatory fines, litigation exposure) as part of the materiality analysis process. This mission builds the financial modeling framework that the legal and finance teams need to make and document materiality determinations.
RGA-D03 (Board Simulation Exercise, 8 hours): A tabletop exercise designed specifically to test the board-level governance processes. In the SEC disclosure context, this exercise simulates a significant cybersecurity incident and walks the board and executive team through the disclosure decision process: who convenes, what information is needed, how the materiality determination is made, and how the 8-K filing is prepared. This is the preparation that ensures the process works before it must be invoked.
TID-B02 (Incident Response Plan, 32 hours): The incident response plan must now include SEC disclosure procedures: who initiates the materiality analysis, what information is required, who has authority to make the materiality determination, who approves the 8-K filing, and how the board is informed. This mission builds the plan that incorporates these requirements.
TID-D03 (Incident Response Full Drill, 16 hours): Operational test of the complete incident response process including SEC disclosure procedures. The drill specifically tests the four-business-day timeline: can the organization convene the right stakeholders, gather the necessary information, make a documented materiality determination, and prepare a compliant 8-K draft within four business days of a realistic incident scenario?
### CDA's Approach
CDA's PCA methodology addresses the SEC disclosure rules as a continuous compliance track within the RGA domain, not a separate program. The documentation, evidence collection, and reporting infrastructure that PCA deploys for other compliance frameworks also generates the artifacts that SEC disclosure compliance requires.
Specifically, PCA's continuous monitoring infrastructure produces the documented evidence of risk management program operation that supports an accurate Item 106 description. When the 10-K states that the company "continuously monitors for cybersecurity threats using automated tools integrated with the company's enterprise risk management process," PCA's evidence repository provides the audit trail that supports that representation. Organizations that make this statement without the underlying infrastructure are making a representation that could be challenged under the SolarWinds precedent.
For incident response, CDA builds the materiality determination playbook as a named component of the incident response plan (TID-B02). The playbook defines: the triggering events that initiate a materiality analysis, the roles required in the analysis (CISO, General Counsel, CFO, CEO), the information inputs required (technical scope assessment, financial impact estimate, regulatory exposure analysis), the documentation format for the determination, the approval authority, and the timeline relative to the four-business-day clock.
Board reporting under RGA-B04 follows a defined format: written security briefings delivered quarterly to the audit committee, a written summary of significant incidents and near-misses, metrics that track the security program's effectiveness over time, and a documented record of questions asked and answers provided. This record is what transforms the governance disclosure from a generic statement into an accurate and defensible description of actual board oversight.
The SEC disclosure rules have also elevated the CISO's role in CDA client engagements. CISOs at public companies now operate in a context where their representations about security posture carry securities law consequences. CDA's engagement model supports this by ensuring that the security program's actual state is documented accurately, that the board reporting reflects what the program actually does, and that the incident response process includes the legal coordination required for disclosure decisions.
## Key Takeaways
The four-business-day clock begins at the materiality determination, not at discovery. Organizations that lack defined materiality determination processes will either miss the deadline or make undocumented determinations that cannot be defended in subsequent SEC review.
Materiality is a judgment call, but it is a reviewable one. The SEC will apply hindsight to materiality decisions it disagrees with. Documenting the reasoning, the participants, the information considered, and the conclusion at the time of the determination is the only defense against retroactive challenge.
The SolarWinds case established that CISOs face personal liability when they are involved in materially misleading disclosures while possessing internal knowledge that contradicts those disclosures. This does not criminalize good-faith disagreement or uncertainty. It targets representations that the disclosing individual knew to be false.
The board governance disclosure is a public representation about actual oversight processes. Organizations whose boards receive only annual briefings must either build a more substantive engagement process or disclose an oversight structure that investors may view as inadequate.
Third-party risk management is now a disclosure item. Registrants must describe their processes for managing vendor and supply chain cybersecurity risk. Organizations that cannot describe this process will disclose its absence.
Building the disclosure infrastructure before it is needed is significantly cheaper than building it during an incident. The materiality playbook, board reporting format, and incident response coordination procedures should be complete and tested before any material incident occurs.
## Related Articles
- Incident Response Planning: Building a Program That Holds Under Pressure
- Board Cyber Governance: From Annual Briefings to Fiduciary Oversight
- Material Cybersecurity Incidents: How to Define, Detect, and Document
- Supply Chain Risk Management: The Orbital Alliance Framework
- NIST SP 800-53: Security and Privacy Controls
- SOC 2 Type II: Trust Services Criteria
## Sources
- U.S. Securities and Exchange Commission. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure: Final Rule. Release Nos. 33-11216 and 34-97989. July 26, 2023. https://www.sec.gov/rules/final/2023/33-11216.pdf
- U.S. Securities and Exchange Commission. SEC Charges SolarWinds and Chief Information Security Officer with Fraud and Internal Control Failures. Press Release No. 2023-227. October 30, 2023. https://www.sec.gov/news/press-release/2023-227
- U.S. Securities and Exchange Commission. Form 8-K: Item 1.05 Material Cybersecurity Incidents. General Instructions to Form 8-K, as amended 2023. https://www.sec.gov/cgi-bin/browse-edgar?action=getcompany&type=8-K&dateb=&owner=include&count=40
- Morrison and Foerster LLP. SEC Cybersecurity Disclosure Rules: Practical Compliance Guidance for Public Companies. MoFo Client Alert, 2024. https://www.mofo.com/resources/insights/sec-cybersecurity-disclosure-rules
- Freshfields Bruckhaus Deringer. Navigating Materiality Determinations Under the SEC Cybersecurity Incident Disclosure Rule. Client Briefing, 2024. https://www.freshfields.us/insights/sec-cybersecurity-materiality
- Cooley LLP. CISO Liability in the Post-SolarWinds Environment: Managing Individual Exposure Under Securities Law. Cooley Alert, 2024. https://www.cooley.com/news/insight/ciso-liability-solarwinds
- Gibson Dunn and Crutcher LLP. SEC Cybersecurity Rules: One Year In, Lessons from Early 8-K Filings and Enforcement Activity. Client Alert, 2024. https://www.gibsondunn.com/sec-cybersecurity-rules-one-year-review
- SEC v. SolarWinds Corporation and Timothy G. Brown. Case No. 23-cv-9518. SDNY, October 2023.
Written by Evan Morgan