Cybersecurity Disclosures: New SEC Rules for Public Companies
Public companies in the United States operate under a new standard of transparency regarding digital threats. The Securities and Exchange Commission (SEC) adopted rules in July 2023 that mandate how and when companies must report cybersecurity incidents. For investors and business leaders, understanding these requirements is critical. The days of quietly managing a major data breach behind closed doors are over.
The Four-Day Reporting Mandate
The most significant change introduced by the SEC involves the speed of reporting. Under the new rules, public companies must disclose a “material” cybersecurity incident within four business days. This disclosure is made by filing a Form 8-K with the SEC specifically under the new Item 1.05.
It is vital to understand when this clock starts ticking. The four-day window does not begin the moment a hacker enters the system. Instead, it begins once the company determines the incident is “material.”
What Counts as “Material”?
The SEC defines materiality based on how a reasonable investor would view the information. If the incident is likely to affect the company’s stock price, financial condition, or shareholder decision-making, it is material.
Factors that determine materiality include:
- Financial Impact: Theft of funds, ransom payments, or loss of revenue due to operational downtime.
- Data Sensitivity: Loss of intellectual property or sensitive customer data (PII).
- Reputation: Damage to brand integrity that could lead to customer churn.
- Legal Consequences: Potential for class-action lawsuits or regulatory fines.
For example, when Clorox faced a cyberattack in August 2023, the operational disruption was significant enough to impact quarterly earnings. Under the new rules, such an impact forces a public filing.
Annual Strategy and Governance Disclosures
While the four-day rule covers immediate crises, the SEC also wants to know how companies prevent them in the first place. The new rules amended Regulation S-K Item 106, requiring companies to detail their cybersecurity risk management and governance in their annual Form 10-K reports.
This requirement forces transparency regarding the Board of Directors and management. Companies must now answer:
- Oversight: Which board committee is responsible for cybersecurity?
- Expertise: Does the management team have adequate technical knowledge to assess risks?
- Integration: How is cybersecurity integrated into the company’s overall business strategy?
- Processes: What processes are in place to identify and manage material risks from third-party service providers?
Investors can now look at a company’s annual report to see whether it treats cybersecurity as a technical IT issue or as a core business risk.
Exceptions for National Security
There is one major exception to the four-day reporting rule. If the United States Attorney General determines that immediate disclosure poses a substantial risk to national security or public safety, the reporting deadline can be delayed.
This is a high bar to clear. A company cannot simply claim that a delay is necessary for its own internal investigation. It must notify the SEC and obtain a specific determination from the Attorney General. The initial delay can last up to 30 days and may be extended in specific increments if the risk persists. This prevents adversaries from learning that a breach has been detected while law enforcement (such as the FBI) is conducting active counter-operations.
Compliance Dates and Implementation
The transition to these rules happened quickly.
- Large Public Companies: Most registrants had to begin complying with the incident disclosure requirements (Form 8-K) starting December 18, 2023.
- Smaller Reporting Companies: Smaller firms were given an extension, with compliance required by June 15, 2024.
- Annual Reports: The requirements for strategy and governance disclosures in annual reports (Form 10-K) applied to fiscal years ending on or after December 15, 2023.
Impact on Corporate Behavior
These regulations have already shifted corporate behavior. We saw this with high-profile breaches involving companies like MGM Resorts and Caesars Entertainment. The requirement to disclose forces companies to involve legal and financial teams much earlier in the incident response process.
Previously, IT security teams might have focused solely on containment. Now, they must work simultaneously with legal counsel to assess “materiality” in real time. This creates pressure to understand the scope of an attack quickly. If a company delays the materiality determination without justification, it risks SEC enforcement actions.
For investors, this provides a clearer picture of risk. Before these rules, inconsistent reporting made it difficult to compare how different companies handled cyber threats. Now, the standardized Form 8-K filings allow the market to react to news with accurate information rather than rumors.
What Information Must Be Disclosed?
When filing the Form 8-K, the company does not need to reveal specific technical details that would help hackers conduct further attacks. For instance, they do not need to list the specific software vulnerability or the exact code used in the exploit.
However, they must describe:
- The nature and scope of the incident.
- The timing of the incident.
- The material impact (or reasonably likely material impact) on the company.
The goal is to inform the shareholder, not to provide a blueprint for other cybercriminals.
Frequently Asked Questions
Does this apply to private companies?
No. These rules specifically apply to public companies (registrants) subject to the reporting requirements of the Securities Exchange Act of 1934. However, private companies looking to go public (IPO) will need to ensure their cybersecurity governance meets these standards before listing.
What happens if a company fails to report within four days?
Failure to comply violates Section 13(a) of the Exchange Act. This can lead to SEC investigations, substantial financial penalties, and enforcement actions. Additionally, failing to disclose material information can open the company up to shareholder lawsuits.
Can a company correct a disclosure later?
Yes. The SEC recognizes that information evolves during an investigation. If a company files a Form 8-K and later discovers that the impact is different from what was originally thought, it can (and should) file an amendment to update the disclosure with the new facts.
Does the rule cover third-party breaches?
Yes. If a third-party vendor (like a cloud provider or payroll processor) is hacked and it has a material impact on the registrant, the public company must still report it. The focus is on the impact to the registrant, regardless of where the breach originated.