Skip to main content

SEC Cybersecurity Disclosure Rules

The SEC's 2023 rules require public companies to disclose material cybersecurity incidents on Form 8-K, generally within four business days of a materiality determination, and to describe their cyber risk governance annually. Non-compliance risks SEC enforcement and shareholder litigation.

Jurisdiction
United States

What the SEC Cybersecurity Disclosure Rules Are and Why They Exist

In 2023 the US Securities and Exchange Commission adopted rules requiring public companies to disclose material cybersecurity incidents and to describe their cybersecurity risk management, strategy, and governance. The rules took effect in December 2023, with incident reporting on a new item of Form 8-K and governance disclosures in annual reports on Form 10-K. They treat cybersecurity as a material business risk that investors are entitled to understand.

The rules exist because cyber incidents can materially affect a company's operations, finances, and reputation, yet disclosure had been inconsistent and often delayed. The SEC sought timely, decision-useful information for investors.

Who It Applies To

The rules apply to companies that file reports with the SEC, including domestic registrants and, with adapted forms, foreign private issuers. Smaller reporting companies received additional time to comply with the incident-disclosure requirement. The rules reach the company as a whole, so security, legal, finance, and disclosure functions must coordinate.

Key Requirements

  • Material incident disclosure: companies must report a material cybersecurity incident on Form 8-K Item 1.05, generally within four business days of determining that the incident is material.
  • Materiality determination: the assessment must be made without unreasonable delay after discovery.
  • Content of the disclosure: the nature, scope, timing, and material impact (or reasonably likely impact) of the incident.
  • Risk-management and governance: annual reports must describe processes for assessing and managing cyber risk, and the board's and management's oversight roles.
  • A national-security or public-safety delay is available only with US Attorney General approval.

Penalties for Non-Compliance

Failure to comply can lead to SEC enforcement actions, including civil penalties, for inadequate or untimely disclosure and for deficient disclosure controls. Misleading statements about cybersecurity posture can also trigger fraud-based liability. Beyond regulatory penalties, flawed disclosure can fuel shareholder litigation and erode investor confidence.

How to Comply

  • Establish a clear, documented process to assess incident materiality quickly and consistently.
  • Integrate security incident response with legal and disclosure teams so the four-business-day clock can be met.
  • Maintain disclosure controls and procedures that capture cyber incidents.
  • Document board and management oversight of cyber risk for the annual report.
  • Avoid over- or under-disclosure by grounding statements in verified facts.

The central operational challenge is making a defensible materiality judgment under time pressure, which requires pre-agreed criteria and cross-functional escalation.

Coordinating Materiality Across Functions

The operational heart of the rule is a defensible materiality determination made quickly. Materiality under securities law is qualitative as well as quantitative, considering reputational, operational, and strategic impact, not just dollar figures. Because the four-business-day clock runs from the materiality decision, firms must avoid both rushing to a premature conclusion and unreasonably delaying the assessment. The strongest programs pre-define materiality criteria, establish a cross-functional disclosure committee spanning security, legal, finance, and communications, and integrate it directly with incident response. This ensures that when an incident occurs, the company can move smoothly from technical triage to a well-supported disclosure decision rather than improvising under time pressure.