
SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rules

Mandatory cybersecurity disclosure requirements for public companies

Established: July 2023 (effective December 2023) | Last Updated: July 2023 | Scope: Public Companies (SEC Registrants)

Disclosure deadline: 4 days

// What is SEC Cybersecurity Rules?

In July 2023, the SEC adopted final rules requiring public companies to disclose material cybersecurity incidents within four business days and provide annual disclosures about cybersecurity risk management, strategy, and governance. These rules apply to all domestic public companies and foreign private issuers registered with the SEC.

The rules represent a significant shift in how cybersecurity is treated for disclosure purposes, elevating it to the same level as other material business risks. Companies must now evaluate cybersecurity incidents for materiality and disclose them rapidly, while also giving investors consistent information about how they manage cyber risks.

Compliance requires coordination between security, legal, and finance teams. Companies need clear processes for incident assessment, materiality determination, and disclosure decision-making. Annual reporting must address board oversight, management's role, and how cybersecurity risks are integrated into overall business strategy.

// Inside the Regulation

The rules establish two primary disclosure regimes: incident-specific disclosure via Form 8-K/6-K and annual disclosure via Form 10-K/20-F.

1. Material Incident Disclosure

Item 1.05 of Form 8-K (Item 16J of Form 20-F)

Requirements for disclosing material cybersecurity incidents.

Four Business Day Disclosure

Disclose material cybersecurity incidents within four business days of determining materiality.

Materiality Determination

Evaluate incidents using the standard securities law materiality analysis: would a reasonable investor consider the information important?

Required Disclosures

Describe the nature, scope, timing, and material impact (or reasonably likely impact) of the incident.

Ongoing Assessment

Update disclosures as new material information becomes available via 8-K amendments.

National Security Delay

Disclosure may be delayed if the Attorney General determines that immediate disclosure would pose a risk to national security.

2. Annual Disclosure - Risk Management

Item 106(b) of Regulation S-K

Annual disclosure of cybersecurity risk management processes.

Risk Management Process

Describe processes for assessing, identifying, and managing material cybersecurity risks.

Third-Party Integration

Describe how third-party risks are assessed and managed, including vendors and service providers.

Framework Reference

Disclose whether and how frameworks like NIST CSF are used in the risk management program.

Previous Incidents

Describe how previous cybersecurity incidents have affected risk management processes.

3. Annual Disclosure - Governance

Item 106(c) of Regulation S-K

Annual disclosure of board and management oversight of cybersecurity.

Board Oversight

Describe the board's oversight of cybersecurity risks, including which committee is responsible.

Management's Role

Describe management's role in assessing and managing material cybersecurity risks.

Expertise

Describe relevant expertise of persons responsible for cybersecurity risk management.

Board Information Flow

Describe how management informs the board about cybersecurity risks and incidents.

Note: The SEC has stated that it will evaluate compliance with enforcement in mind. Companies should document each materiality determination, establish clear escalation procedures, and ensure coordination between security teams and disclosure committees.

// Who Must Comply

  • Domestic public companies (10-K filers)
  • Foreign private issuers registered with the SEC (20-F filers)
  • Companies with SEC-registered securities
  • Smaller reporting companies (with extended timelines for some provisions)
  • Note: Private companies are not directly subject but may be affected as vendors

// Key Requirements

Four-Day Incident Disclosure

Disclose material cybersecurity incidents via 8-K within four business days of materiality determination

Annual Risk Management Disclosure

Describe cybersecurity risk management processes and framework usage in 10-K

Governance Disclosure

Describe board oversight and management's role in cybersecurity governance

Materiality Assessment Process

Establish and document processes for determining incident materiality

Ongoing Updates

Amend disclosures as new material information about incidents becomes available

Third-Party Risk Disclosure

Disclose how third-party and vendor cybersecurity risks are managed

// Enforcement & Penalties

Non-compliance with SEC disclosure rules can result in enforcement actions, including civil penalties, cease-and-desist orders, officer bars, and reputational damage. The SEC has dedicated cybersecurity expertise and has demonstrated a willingness to pursue cases.

Maximum Penalty

Civil penalties up to $1M+ per violation

Examples:

  • SolarWinds-related enforcement for alleged misleading cybersecurity disclosures
  • First American Financial - $500K penalty for disclosure control failures
  • Pearson - Settled charges for misleading cyber breach disclosures
  • Enforcement focus on both omissions and misleading statements about cyber risk

// Cyber Insurance Impact

D&O insurance policies increasingly scrutinize cybersecurity disclosure compliance. SEC enforcement actions related to cyber disclosures may implicate D&O coverage. Some insurers are adding cyber disclosure compliance as an underwriting factor for both D&O and cyber policies.

// How Breach Craft Helps

We help organizations achieve SEC Cybersecurity Rules compliance through genuine security improvements, not checkbox exercises. Our services address the specific requirements and challenges of the SEC Cybersecurity Rules.

// Related Frameworks

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873