Compliance Briefing — SEC Adopts Final Cybersecurity Disclosure Rules
On 26 July 2023 the U.S. SEC adopted rules requiring public companies to disclose material cybersecurity incidents within four business days and to detail cyber risk governance in annual reports.
The U.S. Securities and Exchange Commission finalized cybersecurity disclosure rules on 26 July 2023. Registrants must file an Item 1.05 Form 8-K within four business days of determining that a cyber incident is material, describing the nature, scope, timing, and likely impact. Annual reports on Form 10-K now require information on cybersecurity risk management, strategy, and board oversight.
Compliance dates begin in December 2023 for large companies, with smaller reporting companies following in 2024. CISOs and legal teams should formalize materiality assessment processes, board reporting, and escalation playbooks to meet the accelerated filing timeline.
- SEC press release summarizes the final rule and phase-in schedule.
- Final rule text provides detailed disclosure requirements and compliance dates.




