What is SEC Cybersecurity Disclosure?
SEC cybersecurity disclosure rules (effective December 2023, adopted July 2023) require public companies to disclose material cybersecurity incidents on Form 8-K (Item 1.05) and describe cybersecurity risk management, strategy, and governance in annual 10-K reports (Items 106(b) and 106(c)).
The rules apply to all SEC registrants — public companies filing with the SEC. They represent the most significant federal cybersecurity disclosure mandate for public companies, creating enforceable requirements for both incident reporting and ongoing governance transparency.
Key Requirements
The SEC cybersecurity rules create two primary disclosure obligations with distinct timelines and scopes:
- Material Incident Disclosure (8-K) — disclose material cybersecurity incidents within 4 business days of materiality determination, describing the nature, scope, timing, and material impact
- Materiality Determination Process — establish and document a defined process for determining whether a cybersecurity incident is material to investors
- Annual Risk Management Disclosure (10-K) — describe cybersecurity risk management processes, including how risks are identified, assessed, and managed
- Board Oversight Disclosure — describe the board’s role in overseeing cybersecurity risk, including how, and how often, the board is informed
- Management Role Disclosure — describe management’s role in assessing and managing cybersecurity risk, including relevant expertise
- Third-Party Risk Disclosure — describe how cybersecurity risks from third-party service providers are assessed and managed
- Incident Response Integration — ensure incident response processes feed into the materiality determination and disclosure workflow
Disclosure Requirements Comparison
The rules create two distinct disclosure regimes with different triggers, timelines, and content requirements.
| Aspect | Form 8-K (Incident) | Form 10-K (Annual) |
|---|---|---|
| Trigger | Material cybersecurity incident determination | Annual reporting cycle |
| Timeline | 4 business days after materiality determination | Annual filing deadline |
| Content | Nature, scope, timing, material impact or likely impact | Risk management, strategy, governance, board oversight |
| Updates | Amended 8-K if information changes materially | Updated annually |
| Exemptions | Delay permitted where the U.S. Attorney General determines disclosure would pose a substantial risk to national security or public safety | None for registrants |
Materiality Determination Framework
Materiality is the linchpin of incident disclosure. The SEC uses the traditional securities-law standard: information is material if a reasonable investor would consider it important in making an investment decision.
| Factor | Considerations |
|---|---|
| Financial Impact | Direct costs, remediation expenses, lost revenue, regulatory fines |
| Operational Impact | Business disruption, system downtime, data loss, service degradation |
| Reputational Impact | Customer trust, brand damage, market perception, competitive position |
| Legal/Regulatory Impact | Litigation risk, regulatory actions, contractual obligations, insurance |
| Data Sensitivity | Type and volume of data compromised, affected individuals, notification obligations |
Readiness Assessment Checklist
Before your next filing cycle, evaluate where your organization stands against these readiness questions:
- Is there a defined materiality determination process with clear roles, criteria, and escalation paths?
- Are 8-K filing procedures documented, including templates, review workflows, and the 4-business-day timeline?
- Has the 10-K cybersecurity disclosure been drafted or updated to describe risk management, strategy, and governance?
- Are board oversight mechanisms for cybersecurity risk documented, including frequency and format of briefings?
- Are management roles and cybersecurity expertise described in disclosure-ready language?
- Is third-party cybersecurity risk management described and integrated into the disclosure framework?
If you can’t confidently answer “yes” to most of these, a readiness sprint will get you there.
Next step: See our control domain breakdown to understand what the SEC expects across all disclosure areas, with evidence examples for each.