Governance Briefing — July 26, 2023
The SEC’s July 2023 cybersecurity disclosure rules add Form 8-K Item 1.05 and Regulation S-K Item 106, demanding boards document oversight, management expertise, and DSAR-supporting incident controls before accelerated compliance dates hit in late 2023 and 2024.
The U.S. Securities and Exchange Commission (SEC) voted 3–2 on to adopt final rules on cybersecurity risk management, strategy, governance, and incident disclosure. Codified primarily in new Regulation S-K Item 106 and Form 8-K Item 1.05, the rules require registrants to disclose material cybersecurity incidents within four business days of determining materiality and to provide detailed annual reporting on cyber oversight, program design, and management expertise. Foreign private issuers must provide analogous disclosure in Form 6-K and Form 20-F. Because the SEC resisted requests for long transition periods, public companies face compliance deadlines beginning in December 2023 for incident reporting and for fiscal years ending on or after for the annual governance narrative. Boards must immediately recalibrate oversight frameworks, coordinate with management to document escalation pathways, and confirm that DSAR processes, breach notification requirements, and investor communications move in lockstep.
The final rule defines a “cybersecurity incident” broadly to include unauthorised occurrences compromising information systems or data. A Form 8-K is due within four business days of concluding that the incident is material, though the SEC allows limited delays if the U.S. Attorney General determines disclosure would pose a substantial risk to national security or public safety. Item 106 of Regulation S-K requires annual discussion of processes for assessing, identifying, and managing material risks from cybersecurity threats; whether such risks have materially affected or are reasonably likely to affect business strategy, results of operations, or financial condition; and a description of the board’s oversight and management’s role. Companies must describe which management positions are responsible, how they report to the board, and how cybersecurity expertise is integrated into governance. These requirements accelerate the need for cross-functional documentation and auditable evidence that often overlaps with privacy and DSAR workflows, especially when incidents involve personal data.
Governance expectations for directors
Boards should first assess whether existing committee charters, calendars, and skills matrices satisfy the SEC’s transparency expectations. The rule does not mandate a dedicated cybersecurity expert on the board, but Item 106(c) compels companies to explain how the board oversees cyber risks and how frequently it receives briefings. Directors should establish a cadence—at least quarterly—for reviewing incident trends, DSAR metrics, regulatory developments, and tabletop exercise outcomes. They must also insist that management can articulate how cybersecurity risk tolerances intersect with privacy obligations under state privacy statutes (such as the CCPA, CPA, and VCDPA) and sector-specific regulations (HIPAA, GLBA, NYDFS Part 500). Aligning these narratives ensures that the Form 10-K discussion is consistent with other regulatory filings and investor communications.
Audit committees should evaluate whether incident materiality determinations incorporate both financial thresholds and qualitative factors. The rule emphasises qualitative considerations such as reputational harm, impact on operations, or effects on customers and vendors. Boards can require management to maintain a documented methodology for materiality determinations, including triggers derived from DSAR backlogs, notifications to authorities, or cross-border data transfer implications. Because the SEC expects Form 8-K filings to focus on the incident’s nature, scope, timing, and material impact, organisations must pre-draft templates that can be tailored quickly once counsel confirms materiality. Companies should also adopt disclosure controls and procedures (DCPs) that integrate incident response teams, privacy officers, investor relations, and legal to avoid inconsistent messaging.
Implementation roadmap for management
Management should implement the rules through a structured workplan running from Q3 2023 through 2024. The first milestone is to update incident response plans (IRPs) to capture the SEC’s four-business-day clock. IRPs should require early engagement with disclosure committees and capture the documentation necessary to justify materiality conclusions. Organisations should run integrated exercises that include DSAR teams, since incident investigations often trigger access or deletion requests from affected individuals. The exercises should test the interplay between SEC disclosures, state breach notification laws, and contractual reporting obligations.
Next, companies must inventory the processes used to assess cyber risk across the enterprise. Item 106(b) requires registrants to describe whether they engage assessors, consultants, auditors, or other third parties in connection with cybersecurity risk management. Management should catalogue penetration tests, red-team operations, third-party risk programmes, vulnerability management workflows, and privacy impact assessments. They should create evidence repositories—including policies, meeting minutes, and board decks—to substantiate the narrative that will appear in the Form 10-K. Where gaps exist, such as inconsistent DSAR reporting or limited vendor oversight, management should implement remediation plans with clear deadlines and owners.
Finally, organisations must refine governance reporting. Many companies will route cyber oversight through audit or risk committees, while some may form dedicated cybersecurity committees. Whatever the structure, management needs to demonstrate how information flows to directors. This includes maintaining dashboards that show key risk indicators, DSAR completion times, ransomware readiness, privileged access management status, and alignment with frameworks such as NIST CSF 2.0 or ISO/IEC 27001:2022. Legal teams should reconcile this data with statements made in sustainability reports or ESG disclosures to avoid securities fraud risk arising from inconsistent messaging.
DSAR readiness and privacy alignment
Although the SEC rule centres on investor disclosure, it has significant implications for privacy teams and DSAR fulfilment. Incident narratives frequently involve personal data exposure; companies must ensure that DSAR systems can interface with incident management tools to identify affected records rapidly. Privacy leaders should collaborate with security operations to map which systems feed DSAR responses and confirm that forensic containment actions—such as isolating compromised data stores or rotating credentials—do not inadvertently erase evidence needed to respond to DSARs or to evaluate ongoing risks. Documentation supporting SEC disclosures should include proof that individuals’ rights were honoured, demonstrating that the company balanced transparency with regulatory obligations under privacy statutes.
Organisations should also prepare for increased DSAR volumes following incident announcements. Investor and consumer trust can erode quickly; providing accurate, timely DSAR responses helps demonstrate control. Companies can establish surge protocols that prioritise DSARs from jurisdictions with strict timelines (for example, the EU GDPR’s one-month requirement) and integrate notification scripts that reference the same facts disclosed in Form 8-K filings. Privacy officers should ensure that suppression of breach details (when permitted by the Attorney General delay) does not conflict with obligations to inform data subjects or regulators abroad, especially if the incident involves EU or UK residents.
- Evidence collection. Maintain immutable logs showing when DSARs were received, how identity verification was performed, and when responses were issued. This evidence can demonstrate to the SEC and other regulators that customer communications were accurate and timely.
- Vendor coordination. Third-party service providers are often the source of material incidents. Contracts should require partners to support accelerated DSAR fulfilment, share forensic findings, and cooperate with disclosure committees. Review cybersecurity questionnaires to ensure they cover SEC reporting expectations and privacy response capabilities.
- Data minimisation. The rule encourages companies to assess how cybersecurity risks could materially affect operations. Privacy teams can assist by validating that data minimisation and retention policies reduce the “blast radius” of breaches, lowering the likelihood that an incident becomes material. These controls can be highlighted in annual disclosures as part of the risk management narrative.
Operational nuances and sector considerations
Financial institutions subject to Regulation S-P, NYDFS Part 500, or banking agency incident rules must harmonise overlapping obligations. For example, banking regulators require notification within 36 hours of certain incidents, and NYDFS now mandates 72-hour reporting. Companies should align these timelines with the SEC’s materiality determination process, establishing a single intake workflow that triggers all applicable notifications—including DSAR communications—without duplicating effort. Healthcare entities governed by HIPAA must reconcile breach notification content with SEC filings, ensuring the detail provided to patients and regulators is consistent with investor disclosures.
Global companies should assess how the SEC rule interacts with other capital market expectations. The Canadian Securities Administrators and European Securities and Markets Authority are watching U.S. developments closely. Multinationals listed abroad should evaluate whether their foreign filings need to incorporate SEC-style transparency, particularly regarding governance structures and management expertise. DSAR teams operating across jurisdictions must coordinate messaging so that EU Data Protection Authorities, the UK ICO, and other regulators receive consistent incident narratives.
Actionable next steps
To meet the looming deadlines, companies can structure their implementation programme in phases:
- Assessment (Q3 2023). Conduct a readiness assessment covering incident response, disclosure controls, board reporting, DSAR integration, and documentation. Identify gaps in policies, charters, and evidence.
- Execution (Q4 2023). Update IRPs, run cross-functional exercises, revise committee calendars, and implement dashboard reporting. Ensure technology platforms (GRC tools, DSAR portals, SIEM systems) can generate artefacts to support Form 8-K and 10-K disclosures.
- Operationalisation (2024). Embed the new processes into routine operations. Internal audit should test control effectiveness, while legal and investor relations rehearse messaging. Privacy teams should measure DSAR turnaround time during incident simulations and feed lessons learned into board updates.
By addressing governance, implementation, and DSAR dependencies together, registrants can transform the SEC’s rule from a compliance hurdle into a catalyst for stronger enterprise risk management. Transparent reporting backed by disciplined execution will reduce enforcement risk, sustain investor confidence, and demonstrate to regulators worldwide that the organisation treats cybersecurity and data rights as core fiduciary responsibilities.