SEC cybersecurity disclosure
The SEC’s July 2023 cybersecurity disclosure rules add Form 8-K Item 1.05 and Regulation S-K Item 106, demanding boards document oversight, management expertise, and DSAR-supporting incident controls before accelerated compliance dates hit in late 2023 and 2024.
The U.S. Securities and Exchange Commission (SEC) voted 3–2 in July 2023 to adopt final rules on cybersecurity risk management, strategy, governance, and incident disclosure. Codified primarily in new Regulation S-K Item 106 and Form 8-K Item 1.05, the rules require registrants to disclose material cybersecurity incidents within four business days of determining that an incident is material and to provide annual reporting on cyber oversight, program design, and management expertise. Foreign private issuers provide analogous disclosure on Form 6-K and Form 20-F. Because the SEC resisted requests for long transition periods, public companies face compliance deadlines beginning in December 2023 for incident reporting, with the annual governance narrative first required in annual reports for fiscal years ending in late 2023. Boards must immediately recalibrate oversight frameworks, coordinate with management to document escalation pathways, and confirm that DSAR processes, breach notification requirements, and investor communications move in lockstep.
The final rule defines a “cybersecurity incident” broadly as an unauthorized occurrence, or a series of related unauthorized occurrences, on or through the registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of those systems or the information residing in them. The materiality determination must be made without unreasonable delay after discovery, and the Form 8-K is due within four business days of concluding that the incident is material. The SEC permits a delay only where the U.S. Attorney General determines that disclosure would pose a substantial risk to national security or public safety, initially for up to 30 days, with further extensions possible.
Item 106 of Regulation S-K requires annual discussion of processes for assessing, identifying, and managing material risks from cybersecurity threats; whether such risks have materially affected or are reasonably likely to affect business strategy, results of operations, or financial condition; and a description of the board’s oversight and management’s role. Companies must describe which management positions are responsible, how they report to the board, and how cybersecurity expertise is integrated into governance. These requirements accelerate the need for cross-functional documentation and auditable evidence that often overlaps with privacy and DSAR workflows, especially when incidents involve personal data.
Governance expectations for directors
Boards should first assess whether existing committee charters, calendars, and skills matrices satisfy the SEC’s transparency expectations. The final rule does not mandate a cybersecurity expert on the board (the proposed board-expertise disclosure was dropped), but Item 106(c) compels companies to describe the board’s oversight of risks from cybersecurity threats, identify any committee or subcommittee responsible, and explain the processes by which the board or that committee is informed of those risks.
Directors should set up a cadence—at least quarterly—for reviewing incident trends, DSAR metrics, regulatory developments, and tabletop exercise outcomes. They must also insist that management can articulate how cybersecurity risk tolerances intersect with privacy obligations under state privacy statutes (such as the CCPA, CPA, and VCDPA) and sector-specific regulations (HIPAA, GLBA, NYDFS Part 500). Aligning these narratives ensures that the Form 10-K discussion is consistent with other regulatory filings and investor communications.
Audit committees should evaluate whether incident materiality determinations incorporate both financial thresholds and qualitative factors. The rule emphasizes qualitative considerations such as reputational harm, impact on operations, or effects on customers and vendors.
Boards can require management to maintain a documented methodology for materiality determinations, including triggers derived from DSAR backlogs, notifications to authorities, or cross-border data transfer implications. Because Item 1.05 calls for the material aspects of the incident’s nature, scope, and timing and its material (or reasonably likely material) impact on the registrant, including financial condition and results of operations, teams should pre-draft templates that can be tailored quickly once counsel confirms materiality. The rule does not require technical detail about the affected systems, the vulnerability, or the response plan at a level that would impede remediation, so templates should be written at the level of business impact rather than indicators of compromise. Companies should also adopt disclosure controls and procedures (DCPs) that integrate incident response teams, privacy officers, investor relations, and legal to avoid inconsistent messaging.
Implementation roadmap for management
Management should implement the rules through a structured workplan running from Q3 2023 through 2024. The first milestone is to update incident response plans (IRPs) to capture the SEC’s four-business-day clock, which starts when the registrant determines that the incident is material rather than when the incident is discovered; the rule also requires that determination to be made without unreasonable delay. IRPs should require early engagement with the disclosure committee and capture the documentation needed to justify the materiality conclusion either way. Teams should run integrated exercises that include DSAR teams, since incident investigations often trigger access or deletion requests from affected individuals, and those exercises should test the interplay between SEC disclosures, state breach notification laws, and contractual reporting obligations.
Next, companies must inventory the processes used to assess cyber risk across the enterprise. Item 106(b) requires registrants to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, including whether and how they engage assessors, consultants, auditors, or other third parties, and whether they have processes to oversee and identify risks arising from the use of third-party service providers.
Management should catalog penetration tests, red-team operations, third-party risk programs, vulnerability management workflows, and privacy impact assessments. They should create evidence repositories—including policies, meeting minutes, and board decks—to substantiate the narrative that will appear in the Form 10-K. Where gaps exist, such as inconsistent DSAR reporting or limited vendor oversight, management should implement remediation plans with clear deadlines and owners.
Finally, teams must refine governance reporting. Many companies will route cyber oversight through audit or risk committees, while some may form dedicated cybersecurity committees. Whatever the structure, management needs to show how information flows to directors. This includes maintaining dashboards that show key risk indicators, DSAR completion times, ransomware readiness, privileged access management status, and alignment with frameworks such as NIST CSF 2.0 or ISO/IEC 27001:2022. Legal teams should reconcile this data with statements made in sustainability reports or ESG disclosures to avoid securities fraud risk arising from inconsistent messaging.
DSAR readiness and privacy alignment
Although the SEC rule centers on investor disclosure, it has significant implications for privacy teams and DSAR fulfillment. Incident narratives frequently involve personal data exposure; companies must ensure that DSAR systems can interface with incident management tools to identify affected records rapidly.
Privacy leaders should collaborate with security operations to map which systems feed DSAR responses and confirm that forensic containment actions—such as isolating compromised data stores or rotating credentials—do not inadvertently erase evidence needed to respond to DSARs or to evaluate ongoing risks. Documentation supporting SEC disclosures should include proof that individuals’ rights were honored, demonstrating that the company balanced transparency with regulatory obligations under privacy statutes.
Teams should also prepare for increased DSAR volumes following incident announcements. Investor and consumer trust can erode quickly; providing accurate, timely DSAR responses helps show control. Companies can establish surge protocols that prioritize DSARs from jurisdictions with strict timelines (for example, the EU GDPR’s one-month deadline, extendable by a further two months only for complex or numerous requests) and integrate notification scripts that reference the same facts disclosed in Form 8-K filings. Privacy officers should ensure that withholding breach details under an Attorney General delay does not conflict with obligations to inform data subjects or regulators abroad: the delay suspends only the Form 8-K, not the GDPR’s 72-hour supervisory-authority notice or the UK equivalent, so an incident involving EU or UK residents may have to be reported abroad before it is disclosed to U.S. investors.
- Evidence collection. Maintain immutable, tamper-evident logs showing when DSARs were received, how identity verification was performed, and when responses were issued. This evidence can demonstrate to the SEC and other regulators that customer communications were accurate and timely.
- Vendor coordination. Third-party service providers are often the source of material incidents. Contracts should require partners to support accelerated DSAR fulfillment, share forensic findings, and cooperate with disclosure committees. Review cybersecurity questionnaires to ensure they cover SEC reporting expectations and privacy response capabilities.
- Data minimization. The rule requires companies to describe whether and how cybersecurity risks could materially affect operations. Privacy teams can assist by validating that data minimization and retention policies reduce the “blast radius” of breaches, lowering the likelihood that an incident becomes material. These controls can be highlighted in annual disclosures as part of the risk management narrative.
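The evidence-collection bullet above asks for immutable logs but does not say how to make a log tamper-evident. The following is an added example written for this article, not code from the page or from any DSAR product: a hash-chained, append-only log in which every record commits to the SHA-256 of the record before it, so that altering, deleting, or reordering an entry is detected on verification. It also derives the DSAR turnaround time from the same log, which is the metric the implementation roadmap later asks privacy teams to measure. The event names, request identifier, and timestamps are constructed sample data.

```python
"""Tamper-evident evidence log for DSAR handling.

Added example for this article, not code from the page or any product. Each
entry commits to the previous entry's SHA-256, so altering, deleting, or
reordering any record is detected on verification. Event names, request IDs
and timestamps below are constructed sample data.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

GENESIS = "0" * 64  # the hash the first entry chains to


def _digest(prev_hash: str, body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so a record always hashes
    # the same way regardless of dict ordering.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class EvidenceLog:
    """Append-only, hash-chained list of DSAR lifecycle events."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, event: str, request_id: str, detail: str,
               ts: Optional[str] = None) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "event": event,          # e.g. received, identity_verified, responded
            "request_id": request_id,
            "detail": detail,
            "prev": prev,            # hash of the preceding record
        }
        record = dict(body, hash=_digest(prev, body))
        self.entries.append(record)
        return record["hash"]

    def verify(self) -> tuple[bool, int]:
        """Return (True, -1) if intact, else (False, index of first bad entry).

        A modified field changes the recomputed digest; a deleted or reordered
        record breaks the seq counter and the prev pointer.
        """
        prev = GENESIS
        for i, rec in enumerate(self.entries):
            body = {k: v for k, v in rec.items() if k != "hash"}
            if (rec.get("seq") != i or rec.get("prev") != prev
                    or _digest(prev, body) != rec.get("hash")):
                return False, i
            prev = rec["hash"]
        return True, -1

    def turnaround(self, request_id: str) -> Optional[timedelta]:
        """Elapsed time from 'received' to 'responded' for one DSAR, or None if open."""
        stamps = {}
        for rec in self.entries:
            if rec["request_id"] == request_id and rec["event"] not in stamps:
                stamps[rec["event"]] = datetime.fromisoformat(rec["ts"])
        if "received" in stamps and "responded" in stamps:
            return stamps["responded"] - stamps["received"]
        return None


def sample_log() -> EvidenceLog:
    """Constructed sample: one DSAR raised after a breach announcement."""
    log = EvidenceLog()
    log.append("received", "DSAR-2023-0042", "submitted via privacy portal",
               ts="2023-12-15T09:00:00+00:00")
    log.append("identity_verified", "DSAR-2023-0042", "account 2FA plus ID document",
               ts="2023-12-15T10:30:00+00:00")
    log.append("responded", "DSAR-2023-0042", "export delivered; breach facts match 8-K",
               ts="2023-12-20T16:00:00+00:00")
    return log


if __name__ == "__main__":
    log = sample_log()
    print("intact:", log.verify(), "turnaround:", log.turnaround("DSAR-2023-0042"))
    log.entries[1]["detail"] = "verification skipped"   # simulate tampering
    print("after edit:", log.verify())
```

Anchoring the head hash externally (for example, writing it to a ticket, a WORM bucket, or a signed board pack at each reporting cadence) is what turns "tamper-evident" into "immutable": the chain proves internal consistency, the external anchor proves the chain itself was not silently rebuilt.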
Operational nuances and sector considerations
Financial institutions subject to Regulation S-P, NYDFS Part 500, or the banking agencies’ incident rules must harmonize overlapping obligations. For example, the banking agencies’ computer-security incident notification rule requires notice no later than 36 hours after the institution determines that a notification incident has occurred, and NYDFS Part 500.17 requires notice within 72 hours of determining that a cybersecurity incident has occurred. Each of these clocks runs in calendar hours from its own trigger, whereas the SEC clock runs in business days from the materiality determination, so companies should establish a single intake workflow that records each trigger timestamp and fires all applicable notifications, including DSAR communications, without duplicating effort. Healthcare entities governed by HIPAA must reconcile breach notification content with SEC filings, ensuring the detail provided to patients and regulators is consistent with investor disclosures.
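The four-business-day clock from the implementation roadmap and the overlapping hour-based clocks described above are easy to get wrong in a single intake workflow, because they count differently and start from different events. The block below is an added example written for this article, not code from the SEC or any vendor. It computes the Form 8-K Item 1.05 due date in business days from the materiality determination (the day of the determination itself is not counted, and weekends and holidays are skipped), alongside the 36-hour banking, 72-hour NYDFS, and 72-hour GDPR Article 33 windows, and merges them into one chronological schedule. The holiday set and the sample timestamps are constructed; using one intake timestamp for every hour-based regime is a simplification, since each regulation defines its own trigger.

```python
"""Regulatory clock calculator for a single incident-intake workflow.

Added example for this article, not code from the SEC or any vendor. It encodes
the deadlines the text cites: Form 8-K Item 1.05 (four business days after the
materiality determination), the banking agencies' 36-hour rule, NYDFS Part
500.17's 72-hour rule, and GDPR Article 33's 72-hour notice to the supervisory
authority. The holiday set is a constructed sample, not a full federal
calendar, and using one intake timestamp for every hour-based regime is a
simplification: each regulation defines its own trigger.
"""
from __future__ import annotations

from datetime import date, datetime, timedelta, timezone
from typing import Optional

# Constructed sample of non-business days; load the real SEC/federal holiday
# calendar in production.
SAMPLE_HOLIDAYS = frozenset({date(2023, 12, 25), date(2024, 1, 1)})

# Hour-based clocks keyed by regime; the value is the statutory window in hours.
HOUR_CLOCKS = {
    "Banking agencies computer-security incident notification": 36,
    "NYDFS 23 NYCRR 500.17 cybersecurity incident": 72,
    "GDPR Art. 33 supervisory authority notice": 72,
}

# Constructed sample timestamps (all timezone-aware UTC).
SAMPLE_DISCOVERY = datetime(2023, 12, 15, 9, 0, tzinfo=timezone.utc)     # Friday
SAMPLE_MATERIALITY = datetime(2023, 12, 15, 17, 0, tzinfo=timezone.utc)  # same Friday
SAMPLE_MATERIALITY_HOLIDAY_WEEK = datetime(2023, 12, 21, 10, 0, tzinfo=timezone.utc)


def is_business_day(d: date, holidays=SAMPLE_HOLIDAYS) -> bool:
    return d.weekday() < 5 and d not in holidays


def add_business_days(start: date, n: int, holidays=SAMPLE_HOLIDAYS) -> date:
    """Walk forward n business days; the start day itself is not counted,
    matching Form 8-K General Instruction B.1."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if is_business_day(d, holidays):
            n -= 1
    return d


def sec_8k_due(material_determined: datetime, holidays=SAMPLE_HOLIDAYS) -> date:
    """Form 8-K Item 1.05 due date. The clock starts at the materiality
    determination, not at discovery, so a Friday determination is due the
    following Thursday and a holiday in the window pushes the date out a day."""
    return add_business_days(material_determined.date(), 4, holidays)


def hour_based_deadlines(incident_determined: datetime) -> dict[str, datetime]:
    """Deadlines that run in clock hours from the incident determination."""
    return {name: incident_determined + timedelta(hours=h)
            for name, h in HOUR_CLOCKS.items()}


def intake_schedule(incident_determined: datetime,
                    material_determined: Optional[datetime] = None,
                    holidays=SAMPLE_HOLIDAYS) -> list[tuple[datetime, str]]:
    """Chronological (due, regime) list for the case file. Inputs must be
    timezone-aware. The SEC entry appears only once materiality has been
    determined; its due date is rendered as end of day UTC purely for ordering."""
    rows = [(due, regime) for regime, due in hour_based_deadlines(incident_determined).items()]
    if material_determined is not None:
        due_date = sec_8k_due(material_determined, holidays)
        rows.append((datetime.combine(due_date, datetime.max.time(), tzinfo=timezone.utc),
                     "SEC Form 8-K Item 1.05"))
    return sorted(rows)


if __name__ == "__main__":
    for due, regime in intake_schedule(SAMPLE_DISCOVERY, SAMPLE_MATERIALITY):
        print(f"{due.isoformat()}  {regime}")
```

Two things the output makes visible that the prose alone does not: the banking and NYDFS notices fall due before a materiality determination may even exist, and a determination made on the Thursday before a holiday weekend gains a full extra day on the SEC clock while the hour-based clocks do not move.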
Global companies should assess how the SEC rule interacts with other capital market expectations. The Canadian Securities Administrators and European Securities and Markets Authority are watching U.S. developments closely. Multinationals listed abroad should evaluate whether their foreign filings need to incorporate SEC-style transparency, particularly regarding governance structures and management expertise. DSAR teams operating across jurisdictions must coordinate messaging so that EU Data Protection Authorities, the UK ICO, and other regulators receive consistent incident narratives.
Actionable next steps
To meet the looming deadlines, companies can structure their implementation program in phases:
- Assessment (Q3 2023). Conduct a readiness assessment covering incident response, disclosure controls, board reporting, DSAR integration, and documentation. Identify gaps in policies, charters, and evidence.
- Execution (Q4 2023). Update IRPs, run cross-functional exercises, revise committee calendars, and implement dashboard reporting. Ensure technology platforms (GRC tools, DSAR portals, SIEM systems) can generate artifacts to support Form 8-K and 10-K disclosures.
- Operationalization (2024). Embed the new processes into routine operations. Internal audit should test control effectiveness, while legal and investor relations rehearse messaging. Privacy teams should measure DSAR turnaround time during incident simulations and feed lessons learned into board updates.
By addressing governance, implementation, and DSAR dependencies together, registrants can transform the SEC’s rule from a compliance hurdle into a catalyst for stronger enterprise risk management. Transparent reporting backed by disciplined execution will reduce enforcement risk, sustain investor confidence, and demonstrate to regulators worldwide that the organization treats cybersecurity and data rights as core fiduciary responsibilities.