
Compliance Briefing — July 26, 2023

The SEC's new Item 1.05 of Form 8-K and Item 106 of Regulation S-K trigger an enterprise-wide compliance sprint: issuers must rehearse incident disclosures due within four business days of a materiality determination, document their cyber risk management programmes, and align DSAR evidence so that Form 10-K narratives and investor messaging stay consistent after the July 2023 rule.


When the U.S. Securities and Exchange Commission finalised its cybersecurity disclosure rule in July 2023, public companies gained a definitive playbook for how the agency expects them to discuss cyber resilience. The rule adds Item 1.05 to Form 8-K, compelling disclosure of a material cybersecurity incident within four business days after the registrant determines that the incident is material (a determination the rule requires to be made without unreasonable delay after discovery), and inserts Item 106 into Regulation S-K, obliging registrants to describe their processes for assessing, identifying and managing material cybersecurity risks, their oversight of third-party service providers, and the roles of the board and management. Unlike prior guidance, the rule sets specific compliance dates rather than leaving timing to judgement: most registrants must begin filing Item 1.05 disclosures first, smaller reporting companies receive a later deadline, and Item 106 annual disclosures apply to Form 10-K filings for fiscal years ending on or after a fixed date. This timeline demands immediate coordination across legal, security, privacy, finance, and investor relations teams.

Implementation requires more than adding new paragraphs to filings. The SEC expects issuers to explain how they assess materiality, identify third-party contributions to risk, integrate cyber expertise into governance structures, and state whether previous incidents or current threats have materially affected, or are reasonably likely to materially affect, the business. The Commission made clear that boilerplate language will not satisfy the rule and can be expected to invite scrutiny. Registrants therefore need detailed evidence (policy documents, risk assessments, DSAR logs, incident playbooks, board minutes) to substantiate every statement made to investors. Because DSAR fulfilment and breach notification activities often run in parallel with incident investigation, companies must synchronise those processes with their disclosure controls so that messaging and timing remain coherent.

Building a compliance workstream

Most companies will follow a phased approach: diagnostic, remediation, rehearsal, and continuous improvement. During the diagnostic phase, legal and security teams should map existing disclosure controls and procedures (DCPs), identifying where cybersecurity information enters the reporting pipeline. They must confirm that material incidents are escalated to the disclosure committee or C-suite quickly enough for the materiality determination to be made without unreasonable delay, and that the four business days which then remain for drafting and filing the Form 8-K are genuinely available to the drafting team rather than consumed by internal approvals. The diagnostic should also inventory DSAR processes, state breach notification obligations, contractual reporting commitments, and sector-specific rules so that the company recognises every trigger that might influence the materiality analysis.
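The two clocks described above (time from discovery to the materiality determination, then four business days to file) are easy to miscount across weekends and holidays, which is exactly the situation the rehearsal phase should expose. The following deadline calculator is an added illustration, not code from the original briefing or from any SEC tool. It assumes a constructed holiday set for 2024; a real implementation would load the SEC's published holiday schedule for the relevant year, and it works in whole days, so EDGAR's time-of-day filing cutoff must still be checked separately.

```python
from datetime import date, timedelta

# Constructed holiday set for illustration only (assumption, not an official
# schedule): a production tool would load the SEC's published holiday calendar.
ILLUSTRATIVE_HOLIDAYS = {
    date(2024, 1, 1),    # New Year's Day
    date(2024, 1, 15),   # Martin Luther King Jr. Day
    date(2024, 11, 28),  # Thanksgiving Day
    date(2024, 12, 25),  # Christmas Day
}


def _as_date(value) -> date:
    """Accept either a date object or an ISO-8601 string such as '2024-01-16'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def is_business_day(day, holidays=ILLUSTRATIVE_HOLIDAYS) -> bool:
    """Monday to Friday and not in the holiday set."""
    day = _as_date(day)
    return day.weekday() < 5 and day not in holidays


def add_business_days(start, n: int, holidays=ILLUSTRATIVE_HOLIDAYS) -> date:
    """Walk forward n business days from start; start itself is day zero."""
    day, remaining = _as_date(start), n
    while remaining > 0:
        day += timedelta(days=1)
        if is_business_day(day, holidays):
            remaining -= 1
    return day


def business_days_after(start, end, holidays=ILLUSTRATIVE_HOLIDAYS) -> int:
    """Count business days strictly after start, up to and including end."""
    day, end, count = _as_date(start), _as_date(end), 0
    while day < end:
        day += timedelta(days=1)
        if is_business_day(day, holidays):
            count += 1
    return count


def item_105_deadline(determination_date, holidays=ILLUSTRATIVE_HOLIDAYS) -> date:
    """Form 8-K Item 1.05 is due within four business days after the registrant
    determines the incident is material. The determination day is not counted."""
    return add_business_days(determination_date, 4, holidays)


def disclosure_timeline(discovery, determination, holidays=ILLUSTRATIVE_HOLIDAYS) -> dict:
    """Summarise both clocks: how long the materiality determination took after
    discovery (the rule requires 'without unreasonable delay'), and the filing
    deadline once the determination is made. Dates are returned as ISO strings."""
    discovery, determination = _as_date(discovery), _as_date(determination)
    if determination < discovery:
        raise ValueError("materiality cannot be determined before discovery")
    deadline = item_105_deadline(determination, holidays)
    return {
        "discovery": discovery.isoformat(),
        "determination": determination.isoformat(),
        "determination_lag_business_days": business_days_after(discovery, determination, holidays),
        "determination_lag_calendar_days": (determination - discovery).days,
        "filing_deadline": deadline.isoformat(),
        "drafting_window_calendar_days": (deadline - determination).days,
    }


if __name__ == "__main__":
    # Constructed scenario: ransomware discovered on a Friday, declared material
    # the following Tuesday (the Monday is a holiday in the illustrative calendar).
    for key, value in disclosure_timeline("2024-01-12", "2024-01-16").items():
        print(f"{key}: {value}")
```

Run on the constructed scenario, the calculator shows a determination lag of a single business day (four calendar days) and a filing deadline of the following Monday, six calendar days after the determination: a weekend and a holiday inside the window are exactly what the alternates designated in the remediation phase exist to cover.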

Remediation centres on updating policies and assigning owners. Organisations should revise incident response plans to include explicit decision points for SEC disclosure, designate alternates for key roles to cover holidays and weekends, and document how they would engage law enforcement should a delay be sought on national security or public safety grounds, since Item 1.05 permits delay only where the U.S. Attorney General determines in writing that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission. Procurement leaders need to ensure vendor contracts mandate timely incident notification, cooperation with investigations, and support for DSAR surges. Privacy officers must verify that DSAR systems can extract accurate datasets even when production systems are quarantined or forensic imaging is underway.

Rehearsal is critical. Companies should conduct tabletop exercises featuring scenarios in which a ransomware attack or supply-chain compromise is determined to be material. These exercises should include legal, investor relations, public relations, CISO leadership, privacy officers, and DSAR coordinators. The team should practise drafting Form 8-K language that meets Item 1.05's requirements, describing the material aspects of the incident's nature, scope, and timing, and its material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations, without disclosing technical details about the response or the affected systems that could jeopardise remediation. Exercises must also test the interplay with DSAR commitments: how will the company respond if a data subject requests access to compromised records while an investigation is ongoing? What messaging will be provided to employees or customers whose data was affected?

During continuous improvement, internal audit and compliance analytics should monitor metrics such as incident detection-to-disclosure time, DSAR backlog, and frequency of board briefings. Lessons learned from actual incidents or near misses should feed into updates to the Form 10-K narrative, ensuring the disclosure remains dynamic rather than static boilerplate.

Detailed disclosure requirements

Item 106(b) of Regulation S-K asks companies to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, including whether those processes are integrated into overall risk management, whether they engage assessors, consultants, auditors or other third parties, and how they oversee risks from third-party service providers. It also requires a statement of whether any risks from cybersecurity threats, including as a result of previous incidents, have materially affected or are reasonably likely to materially affect the company, its business strategy, results of operations, or financial condition. The SEC expects specificity about methodologies: risk scoring frameworks, vulnerability management cadence, penetration testing frequency, secure software development practices, and vendor assessments. Companies should outline how results feed into enterprise risk management (ERM) and how findings influence strategic decisions. Item 106(c) then requires a description of board oversight and management's role. This includes identifying the committees responsible for cybersecurity, the frequency of updates, the relevant expertise of the managers involved, and how management monitors the prevention, detection, mitigation, and remediation of cybersecurity incidents. Firms with dedicated cybersecurity or technology committees should highlight charters, expertise, and reporting structures. Others should demonstrate that audit or risk committees have integrated cyber skills and allocate sufficient agenda time.

Issuers should ensure the narrative matches operational reality. If the Form 10-K claims the company uses the NIST Cybersecurity Framework, auditors may request documentation of framework alignment, risk assessments, and maturity scores. If the company states that DSAR metrics inform materiality judgements, it must maintain the dashboards and logs to prove it. The SEC has signalled through enforcement actions (e.g., SolarWinds, Pearson) that inconsistencies between public statements about security and actual practices, or misleading accounts of an incident, will attract charges.

Coordinating with DSAR and privacy teams

Privacy programmes manage data inventories, classification, and access rights, information that is essential to understanding the scope of a cyber incident. Companies should integrate DSAR platforms with incident management systems (e.g., SOAR, ticketing tools) to expedite discovery of impacted records. During an incident, privacy teams can help determine whether personal data of customers, employees, or vendors was compromised, which feeds the materiality analysis. They also handle regulator notifications in jurisdictions with strict privacy laws, which may need to align with SEC disclosures. For example, if EU residents' data is affected, GDPR requires the controller to notify the competent supervisory authority within 72 hours of becoming aware of the breach (unless it is unlikely to result in a risk to individuals) and to inform data subjects without undue delay where the risk to them is high. The details shared with EU regulators should not contradict U.S. investor messaging, and the 72-hour clock will often run out before the four-business-day Form 8-K is due, so the two narratives must be drafted from the same set of facts.

DSAR teams should prepare for elevated volume after public disclosures. Incident-related DSARs often include requests for investigation findings, copies of personal data exposed, or deletion of compromised records. Privacy officers must set expectations: some information may be exempt from DSAR responses if its disclosure would adversely affect security or ongoing investigations. However, these exemptions must be documented and, where possible, accompanied by alternative transparency measures. Training frontline staff is crucial so they can explain DSAR limitations without making misleading statements.

  • Retention and legal holds. Incident investigations typically trigger legal holds. DSAR and privacy teams must coordinate with legal to ensure they do not delete data relevant to litigation or regulatory requests while still meeting statutory deadlines for DSAR responses.
  • Cross-border data flows. Many organisations rely on global security operations centres or cloud providers located abroad. Companies must map how personal data moves during detection and response, confirming that standard contractual clauses, binding corporate rules, or data transfer impact assessments remain valid even when forensic teams access data from multiple jurisdictions.
  • Metrics integration. Establish dashboards that combine DSAR metrics (average completion time, backlog, exceptions) with incident response metrics (mean time to detect, mean time to contain) to give the board a holistic view of customer impact. These dashboards support the Item 106 narrative about management oversight.

Sector-specific considerations

Technology companies with large SaaS footprints face unique challenges: multi-tenant architectures can complicate scoping, and contractual obligations often require notifying customers before public disclosure. Companies should create response tiers reflecting severity and customer segmentation, aligning them with the SEC timeline. Healthcare and life sciences entities must coordinate HIPAA breach notification, FDA postmarket surveillance, and SEC filings, ensuring that patient communications align with investor statements. Energy and critical infrastructure operators should align SEC reporting with Department of Homeland Security or Department of Energy directives and ensure that participation in Information Sharing and Analysis Centers does not inadvertently release material nonpublic information prematurely.

Foreign private issuers must adapt the rule to local contexts. The rule amended Form 6-K to list material cybersecurity incidents among the information an FPI furnishes when it is disclosed in the home jurisdiction, and added Item 16K to Form 20-F as the annual counterpart of Item 106. FPIs will therefore need to ensure their home-country incident disclosures are timely and consider whether to voluntarily adopt Form 8-K practices to maintain comparability with domestic registrants. They should also align DSAR obligations under GDPR or other local privacy regimes with SEC expectations, maintaining bilingual disclosure templates where necessary.

Program governance and continuous oversight

Senior leadership should oversee implementation through a steering committee chaired by the CFO, General Counsel, or Chief Risk Officer. The committee can maintain a register of required artefacts: updated incident response plan, disclosure escalation matrix, DSAR surge procedure, board education materials, and third-party risk documentation. Quarterly, the committee should review regulatory developments (such as SEC Staff guidance, PCAOB inspection focus areas, or state privacy law amendments) and adjust disclosures accordingly. Internal audit or an external adviser can conduct mock SEC comment-letter reviews to test the clarity and completeness of draft Item 106 narratives.

Investor relations teams should develop communications aligned with the new disclosures. That includes Q&A documents for earnings calls, talking points for customer success teams, and FAQs for employees. Messaging should emphasise improvements made in response to incidents, investments in secure-by-design practices, and the organisation’s commitment to respecting privacy rights. This transparency, backed by demonstrable controls, can mitigate litigation risk and build stakeholder trust.

Ultimately, complying with the SEC’s cybersecurity disclosure rule requires an integrated governance approach. By establishing clear accountability, aligning DSAR and privacy operations with incident response, and documenting risk management practices in detail, companies can meet regulatory expectations and enhance resilience. The process demands sustained attention but offers an opportunity to elevate cybersecurity to a core element of corporate strategy and fiduciary duty.
