Key Takeaway
The SEC's cybersecurity disclosure rule requires public companies to report material incidents on Form 8-K within four business days of a materiality determination, and to disclose risk management programs and board oversight annually in 10-K filings. Large accelerated filers have been subject to incident reporting requirements since December 18, 2023, with enforcement precedent already set through the SEC's fraud charges against SolarWinds and CISO Timothy Brown. Security teams must build materiality determination workflows, align IR playbooks to disclosure triggers, and ensure 10-K disclosures accurately reflect internal security posture.
SEC Cybersecurity Disclosure Rule (17 CFR Parts 229 and 249)
Issuing Body: U.S. Securities and Exchange Commission (SEC)
What the Rule Requires
The SEC's cybersecurity disclosure rule, adopted July 26, 2023, imposes two distinct obligations on public companies: mandatory disclosure of material cybersecurity incidents within four business days of determining materiality, and annual disclosure of cybersecurity risk management programs, governance structures, and board-level oversight.
Under Item 1.05 of Form 8-K, registrants must disclose the nature, scope, timing, and material impact of any cybersecurity incident once the company determines it is material. The rule does not define a fixed threshold for materiality — companies must apply the standard Securities Act definition, meaning a reasonable investor would consider the information important. Legal counsel and the CISO must align on this determination quickly after an incident is detected.
Under Item 106 of Regulation S-K, companies must describe in their annual 10-K filings:
- Processes for assessing, identifying, and managing material cybersecurity risks
- Whether third-party assessors, consultants, or auditors are used
- How cybersecurity risks have materially affected or are reasonably likely to affect business strategy, operations, or financial condition
- Board oversight of cybersecurity risk, including which board committee holds responsibility
- Management's role in assessing and managing cybersecurity risk, including whether the CISO or equivalent holds relevant expertise
Who Must Comply
All domestic public companies filing with the SEC under the Exchange Act must comply. Foreign private issuers face parallel requirements under Form 20-F for annual disclosures and Form 6-K for incident reporting, with a 30-day delay on incident reporting timelines compared to domestic filers.
Private companies are not directly subject to this rule, but those preparing for IPOs or seeking acquisition by public companies face indirect pressure to align their security documentation and governance structures with these requirements in advance.
Timeline
Annual disclosure requirements under Item 106 of Regulation S-K took effect for fiscal years ending on or after December 15, 2023. Companies with fiscal years ending December 31, 2023 included these disclosures in 10-K filings submitted in early 2024.
The Form 8-K incident reporting requirement took effect December 18, 2023 for large accelerated filers. Smaller reporting companies received an additional 180-day extension, making their compliance date June 15, 2024.
The SEC has already demonstrated enforcement intent. In October 2023 — before the rule's full effective date — the SEC charged SolarWinds Corporation and its CISO, Timothy Brown, with fraud and internal control failures related to cybersecurity disclosures. The complaint cited specific claims about SolarWinds' security posture that the SEC alleged were misleading to investors, and referenced the SUNBURST backdoor compromise (CVE-2020-10148) executed by the Russian threat group APT29 (also tracked as Cozy Bear and Nobelium). That case signals the SEC will hold individual security executives personally accountable, not just companies.
Penalties
Failure to file a timely 8-K carries civil penalties. Under Section 13 of the Exchange Act, the SEC can seek civil monetary penalties up to $10,654 per day for non-filing violations by individuals and up to $106,534 per day for companies, with higher tiers for intentional violations. The SEC can also pursue injunctive relief and, in cases involving fraud, criminal referrals to the Department of Justice.
The SolarWinds enforcement action sought permanent injunctions, civil penalties, and officer-and-director bars against CISO Timothy Brown individually — a direct signal to security leaders that personal liability exposure under this rule is real.
What Organizations Should Do Now
Build a materiality determination workflow. The four-business-day clock starts when the company determines an incident is material, not when it is discovered. SOC teams and incident response leads must have a documented escalation path that routes confirmed incidents to legal counsel and executive leadership within hours of containment and initial scoping. Waiting until a full forensic investigation is complete before engaging legal is a compliance risk.
Map your incident response playbooks to disclosure triggers. Playbooks for ransomware (e.g., LockBit, BlackCat/ALPHV variants), data exfiltration, and third-party compromises should include a materiality assessment checkpoint at the containment phase. Assign ownership explicitly — typically the CISO, General Counsel, and CFO as a three-party decision unit.
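As an added example (not code from the Dark Reading article or from the SEC), a small Python model of the materiality checkpoint and deadline arithmetic described in the two paragraphs above: the clock runs from the materiality determination, not detection, and a containment-phase checkpoint with no recorded decision is flagged. The business-day calendar only skips weekends plus any holidays passed in, the incident records are constructed sample data, and the two-day escalation SLA is an assumed value, not a figure from the rule.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional

@dataclass
class Incident:
    """Constructed incident record; dates are when each IR checkpoint was reached."""
    name: str
    detected: date                                   # SOC detection
    contained: Optional[date] = None                 # containment and initial scoping done
    materiality_determined: Optional[date] = None    # CISO/GC/CFO decision recorded
    material: Optional[bool] = None                  # outcome of that decision

def add_business_days(start: date, n: int, holidays: FrozenSet[date] = frozenset()) -> date:
    """Advance n business days past start, skipping Sat/Sun and any supplied holidays."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            n -= 1
    return d

def form_8k_deadline(inc: Incident, holidays: FrozenSet[date] = frozenset()) -> Optional[date]:
    """Item 1.05 due date: four business days after the materiality determination,
    not after detection. None if no determination yet or the incident is not material."""
    if not inc.material or inc.materiality_determined is None:
        return None
    return add_business_days(inc.materiality_determined, 4, holidays)

def playbook_findings(inc: Incident, today: date) -> List[str]:
    """Flags the gaps the text warns about: containment without a materiality checkpoint,
    and a determination still pending too long after containment."""
    findings = []
    if inc.contained is not None and inc.materiality_determined is None:
        findings.append("materiality checkpoint missing after containment")
        if (today - inc.contained).days > 2:      # assumed escalation SLA, not from the rule
            findings.append("legal/executive escalation overdue")
    due = form_8k_deadline(inc)
    if due is not None and today > due:
        findings.append("Form 8-K filing window has passed")
    return findings

if __name__ == "__main__":
    inc = Incident("constructed ransomware case", detected=date(2024, 6, 17),
                   contained=date(2024, 6, 19), materiality_determined=date(2024, 6, 20),
                   material=True)
    print(inc.name, "8-K due by", form_8k_deadline(inc))           # 2024-06-26
    print(playbook_findings(inc, today=date(2024, 6, 27)))         # window passed
```

Feed the holidays set from your own filing calendar; a determination recorded on a Thursday lands the deadline on the following Wednesday, which is exactly the weekend arithmetic a manual count tends to get wrong.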
Audit your 10-K disclosures for accuracy. The SolarWinds complaint specifically alleged that public statements about security controls contradicted internal assessments. Ensure that what your annual filing says about your vulnerability management program, access controls, and third-party risk management matches what your internal audits, penetration test reports, and GRC platform data actually show. Tools like ServiceNow GRC, Archer, or OneTrust can help maintain documented evidence trails.
Establish board-level cybersecurity reporting cadence. The rule requires disclosure of board oversight mechanisms. If your board or audit committee does not currently receive structured cybersecurity risk briefings at least quarterly, implement that cadence now and document it. Board members with technical backgrounds should be identified in disclosures where applicable.
Review third-party and supply chain incident scenarios. The rule applies to incidents affecting your company through third-party systems. If a software vendor you rely on — for example, a managed EDR provider or cloud infrastructure service — suffers a breach that materially affects your operations, your disclosure obligation is triggered. Build notification SLAs into vendor contracts and monitor CISA's Known Exploited Vulnerabilities catalog and vendor security advisories actively.
Engage outside counsel experienced in SEC enforcement. The intersection of securities law and technical incident response is narrow. Retaining counsel with both backgrounds before an incident occurs reduces response time and ensures privilege protections are applied correctly during forensic investigations.
Original Source
Dark Reading