
SEC Finalises Public Company Cybersecurity Disclosure Rule — July 26, 2023

The U.S. Securities and Exchange Commission adopted rules requiring material cyber incident reporting within four business days and annual governance disclosures in Form 10-K filings.

Executive briefing: On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) voted to adopt final rules on cybersecurity risk management, strategy, governance, and incident disclosure for public companies. Registrants must report material cyber incidents on Form 8-K within four business days of determining that an incident is material and, starting with fiscal years ending on or after , must include detailed governance narratives in Form 10-K.

Key requirements for issuers

  • Incident reporting. Companies must describe the nature, scope, timing, and material impact of a cyber incident, with limited delay allowances for national security or public safety.
  • Governance transparency. Annual disclosures must explain board oversight of cyber risk, management’s role, and the processes used to assess, identify, and manage cybersecurity threats.
  • Risk management discussion. Filings need to address whether cybersecurity is integrated into enterprise risk management and supply-chain oversight.

Control alignment guidance

  • SOX 302/404. Align disclosure controls with security operations workflows so materiality determinations and escalation procedures are documented and auditable.
  • NIST CSF GV. Prepare board-level reporting dashboards mapping cyber metrics, risk tolerance, and remediation progress for inclusion in annual disclosures.
  • ISO/IEC 27001 A.6. Define clear roles and responsibilities for executive cyber risk ownership that match the narrative commitments in Form 10-K.

Operational recommendations

  • Run legal-led simulations covering the four-business-day Form 8-K clock, including engagement with law enforcement and regulators when seeking delayed disclosure.
  • Update incident response plans to document materiality criteria and required evidence for audit committee and disclosure committee review.
  • Coordinate investor relations, finance, and cyber teams to integrate cyber risk metrics into quarterly and annual reporting cycles.