The Securities and Exchange Commission's cybersecurity disclosure rules, effective December 2023, fundamentally changed how publicly traded companies must approach cybersecurity governance and incident disclosure. For security leaders at public companies and their advisers in investment banking and legal services, understanding these requirements is now a board-level responsibility.
The Two Core Requirements
The SEC rules impose two distinct obligations on registrants (public companies): incident disclosure and annual program disclosure.
Material Incident Disclosure (Item 1.05 of Form 8-K)
Public companies must disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material. The materiality determination is the legal and business judgment that the incident has a significant likelihood of being important to a reasonable investor. Critically, the four-day clock runs from the materiality determination — not from initial discovery of the incident. Companies are not required to make speculative disclosures about potential future costs while the incident is still being investigated.
The 8-K disclosure must describe the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant. Notably, the SEC explicitly allows companies to request a delay if the U.S. Attorney General determines that disclosure would pose a substantial risk to national security or public safety.
Annual Cybersecurity Program Disclosure (Item 106 of Regulation S-K)
Annual reports (Form 10-K) must now disclose the company's processes for assessing, identifying, and managing material risks from cybersecurity threats; whether cybersecurity risks have materially affected, or are reasonably likely to affect, the company's business strategy, results of operations, or financial condition; the board of directors' oversight of cybersecurity risks; and management's role in assessing and managing cybersecurity risks, including whether the CISO or equivalent has relevant expertise.
Implications for Security Programs
These rules create three immediate operational requirements for security teams at public companies. First, materiality assessment processes must be defined before an incident occurs — not improvised during crisis response. Second, board reporting on cybersecurity must be documented formally, not delivered informally. Third, the CISO's qualifications and experience must now be publicly described in annual filings, raising the stakes for CISO hiring and retention.
The incident response playbook for public companies must explicitly address the Form 8-K notification decision tree: who makes the materiality determination, what legal review is required, what the four-day window means operationally (including weekends and holidays), and how to coordinate disclosure with legal counsel, investor relations, and the board audit committee.
Interaction with State Breach Notification Laws
The SEC rules exist alongside — not instead of — state breach notification obligations. A cybersecurity incident may trigger both a four-day SEC materiality disclosure and state breach notification requirements on different timelines. Legal counsel must evaluate both simultaneously. The SEC rules apply to the investor community; state breach notifications apply to affected individuals. For financial services companies in New York, NYDFS 23 NYCRR 500 adds a third notification regime requiring prompt notice to DFS within 72 hours of a qualifying cybersecurity event. Our virtual CISO service helps public companies build the governance frameworks required to meet these overlapping obligations.
Enforcement Landscape
The SEC demonstrated its enforcement intent early: in October 2023, the SEC charged SolarWinds and its CISO with fraud and internal control failures related to cybersecurity disclosures, alleging the company misled investors about its security practices while simultaneously suffering the SUNBURST compromise. Although the fraud charges were partially dismissed in a 2024 ruling, the case signals aggressive SEC scrutiny of both the substance of cybersecurity disclosures and the accuracy of public statements about security programs. Security leaders at public companies should ensure that external-facing security representations — on websites, in marketing materials, and in SEC filings — accurately reflect actual internal security posture.