
Governance · Credibility 92/100 · 2 min read

Governance Briefing — July 26, 2023

The U.S. Securities and Exchange Commission adopted cybersecurity disclosure rules on July 26, 2023, mandating four-business-day reporting of material incidents and annual descriptions of cyber risk management and board oversight.

Executive briefing: On 26 July 2023 the U.S. Securities and Exchange Commission (SEC) finalised rules requiring registrants to disclose material cybersecurity incidents on Form 8-K within four business days and to provide annual reporting on cybersecurity risk management, strategy, and governance. The rule amends Regulation S-K Item 106 and Form 20-F, compelling boards to explain oversight structures and management expertise for cybersecurity.

What changed

  • Mandatory incident reporting. Companies must report material cybersecurity incidents under new Item 1.05 of Form 8-K, detailing each incident’s scope, timing, and impact, subject to narrow national-security delays.
  • Annual governance disclosures. Registrants must describe board oversight, management roles, and governance processes for assessing, identifying, and managing cyber risks.
  • Foreign private issuer alignment. Form 20-F gains parallel requirements, and Form 6-K is now triggered by material cyber incidents reported abroad.

Implications for operators

  • Public sector-linked issuers. Utilities, transport agencies, and government-sponsored entities must align incident response with SEC timing while coordinating with national-security agencies.
  • Financial institutions. Banks and broker-dealers need to harmonise SEC filings with prudential incident notification rules, ensuring board risk committees can reconcile timelines.
  • Technology and data-intensive companies. Tech firms must integrate incident response playbooks, cyber risk registers, and board dashboards to meet disclosure precision requirements.

Action checklist

  • Rehearse Form 8-K drafting workflows with legal, security, and investor-relations teams to meet four-business-day deadlines.
  • Update board committee charters and annual reporting templates to cover cyber risk oversight narratives and management expertise.
  • Align third-party risk assessments and incident contracts with disclosure triggers and regulator coordination protocols.

Sources

Zeph Tech equips boards and CISOs with incident disclosure rehearsals, governance metrics, and cross-regulator coordination plans for the SEC’s cybersecurity rule.
