
SEC Cyber Disclosure Rules: How Public Companies Must Report Incidents

By nazy rafaeil
2 June 2026

For most of corporate history, a company that suffered a cyberattack could decide quietly, on its own timeline, whether and how to tell its investors. That era is over for public companies. Since late 2023, the Securities and Exchange Commission has required publicly traded companies to disclose material cybersecurity incidents on a tight, defined schedule, and to describe their cybersecurity governance every year. The SEC cybersecurity rules treat a serious breach the way they treat any other material event that could move a stock: as information investors are entitled to have, promptly and consistently. Understanding these rules matters not only for public companies themselves but for the many private businesses that serve them, because a vendor's security failure can become the public company's disclosure problem. This guide explains what the rules require, the deadlines and the materiality judgment that drives them, what must appear in annual filings, who is actually covered, and how a business can prepare to meet the standard rather than scramble after an incident.

What the SEC Cybersecurity Rules Require

On July 26, 2023, the SEC adopted a final rule requiring public companies to disclose material cybersecurity incidents and to provide annual disclosures about their cybersecurity risk management, strategy, and governance. The rule was a response to a real problem: before it existed, cybersecurity disclosure was wildly inconsistent, and investors frequently learned of serious breaches late, incompletely, or not at all through official channels.

The rule has two distinct halves, and it is important not to confuse them. The first half is incident disclosure, the obligation to report a specific material breach quickly through a Form 8-K filing. The second half is periodic disclosure, the obligation to describe the company's overall cybersecurity program annually in its Form 10-K. The first is event-driven and urgent. The second is routine and strategic. A public company must satisfy both, and they test different things: whether the company can respond properly to an incident, and whether it has a credible security program in the first place.

One framing point helps the whole rule make sense. The SEC is not a cybersecurity regulator in the way a security agency would be. It does not tell companies which firewalls to buy or how to configure their networks. Its concern is investor protection and market transparency. The rules are about disclosure, ensuring that investors get consistent, timely information about cyber risk, not about dictating the technical details of security itself.


Incident Disclosure: The Form 8-K Requirement

The most talked-about part of the SEC cybersecurity rules is the rapid incident-disclosure requirement, codified as Item 1.05 of Form 8-K. When a public company experiences a cybersecurity incident and determines that it is material, the company must file a Form 8-K disclosing it within four business days of that determination.

That last phrase is where most summaries go wrong, and the distinction is legally significant. The four-business-day clock does not start when the breach is discovered; it starts when the company determines that the incident is material. The rule requires that the materiality determination be made without unreasonable delay after discovery, so a company cannot escape the requirement by postponing the decision indefinitely, but the trigger is the determination, not the discovery. This gives a company a defined window to investigate and assess before the disclosure clock begins, while preventing it from sitting on a known material breach. Item 1.05 is reserved for incidents the company has determined to be material; SEC staff have said that a company choosing to disclose an incident it has not yet found material, or has found immaterial, should do so under Item 8.01 rather than Item 1.05, so that an Item 1.05 filing remains a reliable signal that a materiality determination has been made.


What Materiality Actually Means

Materiality is the hinge the entire incident rule turns on, and it is not a cybersecurity concept. It is a long-established securities-law standard. Information is generally considered material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision, or if it would significantly alter the total mix of information available. Applied to a cyber incident, the question is not how technically severe the breach was, but whether it is important to investors, including its effect on the company's financial condition and results of operations.

This means a relatively contained technical incident might be material if it threatens a critical business line, while a larger-sounding incident might not be if its actual impact on the business is limited. The assessment must consider both quantitative and qualitative factors, including reputational harm and effects on customer or vendor relationships, not just immediate dollar losses. Because this judgment depends on actually detecting and understanding an incident quickly, the monitoring built into layered cybersecurity solutions is what makes a timely, defensible determination possible in the first place. Since the judgment is difficult and consequential, it is one a company should plan for in advance rather than improvise during a crisis.

What the 8-K Must Disclose, and What It Need Not

The Form 8-K must describe the material aspects of the incident's nature, scope, and timing, and its material impact or reasonably likely material impact on the company, including its financial condition and operations. Importantly, the rule does not require a company to reveal technical details that would compromise its incident response or remediation, such as specific system vulnerabilities or the precise state of its investigation. The disclosure is about material impact to investors, not a roadmap for other attackers.

If some of the required information has not been determined or is unavailable when the 8-K is filed, the company must say so in the filing and then file an amendment within four business days after it determines that information, without unreasonable delay, or after the information becomes available. There is also a narrow national-security exception: disclosure may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing. The initial delay is for up to 30 days, extendable by up to 30 more, with a further extension of up to 60 days available only in extraordinary circumstances. That mechanism is exceptional, not a routine extension a company can request for its own convenience.

Annual Disclosure: The Form 10-K Requirement

The second half of the rules, codified as Item 106 of Regulation S-K, is less dramatic but arguably more demanding, because it requires a company to show it has a real, ongoing cybersecurity program rather than simply reacting well to a single incident. These disclosures appear in the company's annual report on Form 10-K and fall into two areas.

The first is risk management and strategy. A company must describe its processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, including whether and how those processes are integrated into its overall risk management, whether it engages outside assessors or other third parties, and whether it has processes to oversee risks from third-party providers. It must also describe whether risks from cybersecurity threats have materially affected, or are reasonably likely to materially affect, the company.

The second is governance. The company must describe the board of directors' oversight of risks from cybersecurity threats, including any board committee or subcommittee responsible for that oversight and how the board is informed about those risks, and management's role in assessing and managing them, including which management positions or committees are responsible and their relevant expertise. This governance disclosure is significant because it pushes cybersecurity accountability up to the board level. A company can no longer treat cyber risk as a purely technical matter buried in the IT department; it must show that leadership is genuinely overseeing it.


Who the SEC Cybersecurity Rules Apply To

The answer here is narrower than much of the coverage implies. The SEC cybersecurity rules apply to public companies, meaning entities that file reports with the SEC, including domestic registrants and, through comparable forms, foreign private issuers. Smaller reporting companies were given an additional 180 days before the Form 8-K incident requirement applied to them (until June 15, 2024), but they are covered today. A purely private company that does not file with the SEC is not directly subject to these rules.

That does not make the rules irrelevant to private businesses, and several common situations make them very relevant indeed:

  • Vendors and suppliers to public companies. The annual disclosure rule explicitly requires public companies to describe how they oversee third-party cybersecurity risk. That pushes expectations downstream. If your private business provides services to a public company, you may be asked to demonstrate your security posture as part of their compliance, sometimes through questionnaires or independent attestations.
  • Companies preparing for an IPO. A private company heading toward a public listing needs the incident-response capability and governance structures these rules assume, in place before it goes public.
  • Private companies with public-company investors or parents. A private entity whose results or operations are woven into a public company's filings can find itself within the practical scope of that company's disclosure obligations.

So the precise reading is that the rules bind public companies directly, but their gravity is felt across the private businesses connected to them. For a private company with none of these ties, the rules are not an obligation, though the incident-response discipline they require is sound practice regardless.


The Enforcement Reality

These rules have teeth, and the SEC was signaling its seriousness about cybersecurity disclosure even before the new framework existed. The agency has previously pursued enforcement actions over misleading cybersecurity disclosures, including a case in which a company settled charges after describing a past data intrusion as a merely hypothetical risk when it had in fact already occurred. The lesson from that history is that the SEC treats inaccurate or downplayed cybersecurity disclosure as a securities problem, not just a security one.

Under the current rules, the exposure is broader. A company can face enforcement not only for failing to disclose a material incident on time but for inadequate disclosure controls, the internal processes that are supposed to surface a potential incident to the right people and trigger the materiality assessment in the first place. A company whose left hand does not tell its right hand about a breach can find that the process failure itself is a violation. Reconstructing exactly what happened and when, which both the assessment and the filing depend on, also relies on preserved logs and on reliable data backup and disaster recovery. This is why the rules are as much about building reliable internal disclosure processes as about the filings themselves.


How to Prepare for the SEC Cybersecurity Rules

Whether a company is directly covered or preparing to be, readiness follows a clear path. The goal is to be able to detect an incident, assess its materiality quickly and defensibly, and disclose properly, all under time pressure, without improvising.

  1. Build an incident response plan that includes the disclosure decision. Most response plans focus on technical containment. Under these rules, the plan must also define how a potential incident gets escalated to the people who make the materiality determination, how that determination and its date are documented, and how the four-business-day clock is tracked once the determination is made.
  2. Define your materiality assessment process in advance. Decide, before any incident, who is involved in the materiality judgment, what factors they weigh, and how the decision is documented. A documented, consistent process is far easier to defend than an after-the-fact rationalization.
  3. Strengthen disclosure controls. Ensure there is a reliable path from the technical team that detects an incident to the legal and executive team that must assess and disclose it. A breach that never reaches the decision-makers cannot be assessed in time.
  4. Establish board-level governance. Define how the board oversees cybersecurity risk and ensure that oversight is real and documented, because the annual disclosure must describe it accurately.
  5. Maintain a documented risk management program. The 10-K disclosure requires you to describe your processes for identifying and managing cyber risk, which means you must actually have them, in writing, and keep them current. Ongoing managed IT services can carry much of that continuous maintenance so the program does not lapse between filings.
  6. Extend diligence to third parties. Because the rules require disclosure of third-party risk oversight, maintain a real program for vetting and monitoring the vendors that could affect your systems and data.

Most of this is governance and process work, but it rests on a technical foundation that has to function continuously. Keeping that foundation and the surrounding documentation audit-ready throughout the year is the ongoing work that structured compliance and risk management services are built to support.

GlobeVM is a managed IT and cybersecurity firm providing managed IT services in Los Angeles and the surrounding area to small and mid-sized businesses, with CCSP-certified expertise and practical experience implementing the detection, response, and governance controls that disclosure regimes like the SEC's depend on. For businesses that want that technical foundation managed properly, incident readiness becomes genuine rather than theoretical, with the controls kept operating day to day.

Frequently Asked Questions

How quickly must a public company disclose a material cyber incident?

A public company must file a Form 8-K under Item 1.05 within four business days, but the clock starts when the company determines the incident is material, not when it is discovered. The materiality determination must be made without unreasonable delay after discovery, so a company cannot avoid the requirement by postponing the decision. This gives a defined window to investigate before the disclosure deadline begins.

What makes a cyber incident material?

Materiality follows the established securities-law standard, not a technical one. An incident is material if there is a substantial likelihood that a reasonable investor would consider it important to an investment decision, or if it would significantly alter the total mix of available information. The assessment weighs both quantitative and qualitative factors, including financial impact, reputational harm, and effects on key relationships, rather than the technical severity of the breach alone.

Do the SEC cybersecurity rules apply to private companies?

Not directly. The rules apply to public companies that file reports with the SEC. However, they affect private businesses connected to public companies, because the annual disclosure requires public companies to describe how they oversee third-party cybersecurity risk. Vendors to public companies, companies preparing for an IPO, and private entities tied into a public company's filings often need to meet these expectations even without being directly covered.

What must the annual Form 10-K disclose about cybersecurity?

Under Item 106 of Regulation S-K, the Form 10-K must describe the company's processes for assessing, identifying, and managing material cybersecurity risks, including third-party risk oversight, and whether such risks have materially affected or are reasonably likely to materially affect the company. It must also describe the board's oversight of cybersecurity risk and management's role and expertise. These disclosures push cybersecurity accountability to the board level.

If your company is publicly traded, preparing to go public, or serving public companies that now expect evidence of your security posture, a focused readiness assessment with a knowledgeable local partner is the most direct way to find out how far your current processes are from what these rules require.
