SEC Cybersecurity Disclosure Rule (17 CFR Parts 229 and 249)

Issuing Body: U.S. Securities and Exchange Commission (SEC)

What the Rule Requires

The SEC's cybersecurity disclosure rule, adopted July 26, 2023, imposes two distinct obligations on public companies registered under the Securities Exchange Act of 1934: material incident disclosure and annual governance reporting.

Material Incident Disclosure (Form 8-K, Item 1.05)

Registrants must file a Form 8-K within four business days of determining that a cybersecurity incident is material. The filing must describe the nature, scope, and timing of the incident, and its material impact—or reasonably likely material impact—on the company. The SEC does not define a bright-line threshold for materiality; companies must apply the standard from Basic Inc. v. Levinson: whether a reasonable investor would consider the information significant to an investment decision.

The rule explicitly does not require disclosure of specific technical remediation details that could compromise ongoing response. Even so, SOC teams and CISOs must build a rapid materiality assessment workflow that feeds directly into legal and IR pipelines. A four-business-day clock that starts at the wrong moment—discovery versus determination—is a compliance failure waiting to happen.

Annual Governance Reporting (Form 10-K, Item 106)

Companies must disclose:

  • Processes for assessing, identifying, and managing material cybersecurity risks
  • Whether and how identified risks have materially affected or are reasonably likely to materially affect business strategy, results of operations, or financial condition
  • Board oversight of cybersecurity risks, including which committee holds responsibility
  • Management's role and expertise in assessing and managing cybersecurity risks

This is not a checkbox exercise. The SEC expects specificity. If your CISO reports to the CFO rather than the CEO or board, document why. If you use CrowdStrike Falcon for endpoint detection or Palo Alto Networks Cortex XSOAR for incident response orchestration, you do not need to name those vendors in the 10-K—but you must describe the processes those tools support.

Who Must Comply

All domestic public companies filing with the SEC are subject to the rule. Foreign Private Issuers (FPIs) face parallel requirements under Form 20-F (annual) and Form 6-K (material incidents), with a 30-day 6-K window rather than four business days.

Smaller Reporting Companies (SRCs) received a delayed compliance date for the 8-K incident disclosure requirement but are now fully subject to all provisions.

Private companies, including the many acquired in M&A transactions, are not directly covered—but when a public acquirer like Rapid7, Airbus Defence and Space, or Databricks absorbs a private target, the parent's disclosure obligations immediately apply to material incidents arising from the acquired entity's infrastructure.

Timeline and Penalties

The annual disclosure requirements (Form 10-K, Item 106) took effect for fiscal years ending on or after December 15, 2023. The four-business-day 8-K requirement became effective December 18, 2023 for large accelerated filers and June 15, 2024 for SRCs.

Penalties for non-compliance or materially misleading disclosures fall under standard SEC enforcement authority:

  • Civil penalties up to $10,908 per violation per day for negligent violations, scaling to $218,152 per violation for intentional misconduct (2024 adjusted figures)
  • Securities fraud liability under Section 10(b) and Rule 10b-5 for materially false or misleading disclosures
  • Personal liability for the CEO and CFO who certify filings under Sarbanes-Oxley Section 302

The SEC has already demonstrated enforcement intent. In October 2023—months before the rule's full effective date—the SEC charged SolarWinds and its CISO Timothy Brown with fraud and internal control failures related to misrepresentations about cybersecurity practices ahead of and following the SUNBURST supply chain compromise (CVE-2020-10148). That case signals the SEC will pursue individuals, not just corporate entities.

What Organizations Should Do Now

Build a materiality determination process. Draft a written procedure that defines who makes the materiality call, what inputs are required (blast radius, data classification, revenue impact, regulatory notification triggers), and how fast that determination must happen. The four-day clock runs from determination, not discovery—but regulators will scrutinize any gap between the two.

Map your 8-K trigger to your IR playbook. Integrate SEC notification as a discrete step in your incident response runbooks. Tools like Splunk SOAR, ServiceNow Security Operations, or PagerDuty can automate escalation paths that route to legal counsel and the disclosure committee the moment an incident crosses a materiality threshold.
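As an added illustration (not part of the original page, and not SEC guidance or any vendor's code), the following Python helper models the determination-driven 8-K clock and the discovery-to-determination gap check described in the two steps above. The holiday set, the incident id, and the gap-policy threshold are assumptions a team would supply from its own procedure.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Constructed example: an 8-K clock helper built around the page's rule that the
# four-business-day window runs from the materiality determination, not discovery.
# Only weekends are excluded by default; holidays are a caller-supplied assumption.


@dataclass
class IncidentRecord:
    incident_id: str                    # internal ticket id (constructed value)
    discovered: date                    # when the SOC first observed the activity
    determined: Optional[date] = None   # when the materiality call was made
    material: Optional[bool] = None     # None = assessment still open
    foreign_private_issuer: bool = False
    holidays: set = field(default_factory=set)


def add_business_days(start: date, n: int, holidays=frozenset()) -> date:
    """Advance n business days past start, skipping weekends and supplied holidays."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            n -= 1
    return d


def filing_deadline(rec: IncidentRecord) -> Optional[date]:
    """Form 8-K: four business days from determination; FPI 6-K: the 30-day window."""
    if not rec.material or rec.determined is None:
        return None                      # clock has not started
    if rec.foreign_private_issuer:
        return rec.determined + timedelta(days=30)
    return add_business_days(rec.determined, 4, rec.holidays)


def assess(rec: IncidentRecord, max_gap_days: int = 10) -> dict:
    """Summarise clock state; max_gap_days is an assumed internal policy value."""
    gap = (rec.determined - rec.discovered).days if rec.determined else None
    flags = []
    if rec.material is None:
        flags.append("materiality assessment still open")
    if gap is not None and gap > max_gap_days:
        flags.append(f"discovery-to-determination gap of {gap} days exceeds policy")
    return {"incident_id": rec.incident_id, "deadline": filing_deadline(rec),
            "gap_days": gap, "flags": flags}
```

Feed `assess()` from the ticketing or SOAR escalation step so the deadline and any gap flag travel with the case to counsel and the disclosure committee.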

Audit your 10-K risk disclosures against actual controls. Compare your current annual filing's cybersecurity risk language against your actual detection and response capabilities. If your 10-K claims continuous monitoring but your SOC operates on a 9-to-5 schedule with no after-hours on-call rotation, that gap creates both regulatory and litigation exposure.

Brief the board. Item 106 requires disclosure of board oversight mechanisms. If your board lacks a director with substantive cybersecurity expertise, the SEC expects you to say so—and investors will notice. Consider whether your board's audit or risk committee has the technical literacy to fulfill the oversight role the rule describes.

Prepare for M&A integration disclosure risk. Every acquisition brings inherited vulnerabilities, unpatched CVEs, and unknown breach history. During due diligence, conduct threat-informed assessments of target environments. An undisclosed pre-acquisition compromise in an acquired entity that surfaces post-close can trigger an 8-K obligation with no warning.
