Cybersecurity Briefing — December 18, 2023
The SEC’s cybersecurity disclosure rules now in force require public companies to report material incidents on Form 8-K Item 1.05 within four business days and describe risk governance in annual filings.
Executive briefing: December 18, 2023 marked the effective date of the U.S. Securities and Exchange Commission’s cybersecurity disclosure rules adopted in July 2023. Public companies must now disclose material cybersecurity incidents on Form 8-K Item 1.05 within four business days of determining materiality and outline risk management, strategy, and governance practices in Form 10-K and 10-Q filings under new Regulation S-K Item 106.
Key industry signals
- Materiality clocks start immediately. Registrants need documented procedures to reach a materiality decision quickly, even when law enforcement requests confidentiality.
- Board oversight transparency. Annual filings must describe the board’s role in supervising cybersecurity risk, management expertise, and reporting cadence.
- Strategy disclosure. Companies must explain how they assess, identify, and manage cybersecurity threats, including use of third-party service providers and insurance.
Control alignment
- Regulation S-K Item 106. Align governance narratives with documented risk registers, incident response plans, and third-party oversight artefacts.
- Form 8-K Item 1.05. Ensure incident response runbooks capture the facts required for disclosure—incident nature, scope, timing, and material impact.
- NIST CSF 1.1. Use the Identify, Detect, Respond, and Recover functions to evidence the programs cited in SEC filings and support Sarbanes-Oxley certifications.
Detection and response priorities
- Embed disclosure decision checkpoints within incident response playbooks so legal, security, finance, and investor relations teams record deliberations.
- Instrument case management systems to timestamp discovery, materiality determinations, and Form 8-K drafting milestones.
- Validate that third-party service level agreements include breach notification timelines and evidentiary access that support SEC reporting.
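The timestamping priority above is easiest to audit when the case-management system itself computes the disclosure clock and checks that milestones were recorded in order. The following is an added illustration written for this briefing, not code from any SEC guidance or from Zeph Tech: an incident record that captures discovery, materiality determination, Form 8-K drafting and filing timestamps, derives the four-business-day filing deadline stated above, and flags out-of-order entries. The holiday calendar and the sample case are constructed assumptions; a real integration would load the registrant's own calendar.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

# Constructed holiday calendar (assumption for this example, not from the briefing).
HOLIDAYS = {date(2023, 12, 25), date(2024, 1, 1)}

# Form 8-K Item 1.05 window as stated in the briefing: four business days
# after the materiality determination.
DISCLOSURE_WINDOW_BUSINESS_DAYS = 4


def is_business_day(d: date) -> bool:
    """Monday to Friday and not a listed holiday."""
    return d.weekday() < 5 and d not in HOLIDAYS


def add_business_days(start: date, n: int) -> date:
    """Date n business days after start; weekends and holidays do not count."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if is_business_day(d):
            n -= 1
    return d


@dataclass
class IncidentRecord:
    """Milestones a case-management system should timestamp for one incident."""
    case_id: str
    discovered_at: datetime
    materiality_determined_at: Optional[datetime] = None
    form_8k_drafted_at: Optional[datetime] = None
    form_8k_filed_at: Optional[datetime] = None

    def filing_deadline(self) -> Optional[date]:
        """Last permitted filing date, or None while materiality is undetermined."""
        if self.materiality_determined_at is None:
            return None
        return add_business_days(self.materiality_determined_at.date(),
                                 DISCLOSURE_WINDOW_BUSINESS_DAYS)

    def days_to_determination(self) -> Optional[int]:
        """Calendar days from discovery to the materiality decision (reviewer evidence)."""
        if self.materiality_determined_at is None:
            return None
        return (self.materiality_determined_at.date() - self.discovered_at.date()).days

    def sequence_errors(self) -> list:
        """Flag milestones recorded out of chronological order (a sign of backfilled records)."""
        ordered = [
            ("discovered_at", self.discovered_at),
            ("materiality_determined_at", self.materiality_determined_at),
            ("form_8k_drafted_at", self.form_8k_drafted_at),
            ("form_8k_filed_at", self.form_8k_filed_at),
        ]
        present = [(name, ts) for name, ts in ordered if ts is not None]
        return [f"{later} precedes {earlier}"
                for (earlier, t1), (later, t2) in zip(present, present[1:]) if t2 < t1]

    def status(self, today: date) -> str:
        """One of: undetermined, open, overdue, filed_on_time, filed_late."""
        deadline = self.filing_deadline()
        if deadline is None:
            return "undetermined"
        if self.form_8k_filed_at is not None:
            return "filed_on_time" if self.form_8k_filed_at.date() <= deadline else "filed_late"
        return "overdue" if today > deadline else "open"


def make_record(case_id: str, discovered: str, determined: str = None,
                drafted: str = None, filed: str = None) -> IncidentRecord:
    """Build a record from ISO-8601 timestamp strings (convenience for ingestion/tests)."""
    parse = lambda s: datetime.fromisoformat(s) if s else None
    return IncidentRecord(case_id, parse(discovered), parse(determined), parse(drafted), parse(filed))


# Constructed sample case (not a real incident): materiality determined on a Friday,
# so the four-business-day clock skips the weekend and the December 25 holiday.
SAMPLE = make_record("IR-EXAMPLE-001", "2023-12-19T08:30", "2023-12-22T17:00",
                     "2023-12-27T11:00", "2023-12-28T16:45")

if __name__ == "__main__":
    print(SAMPLE.case_id, "deadline:", SAMPLE.filing_deadline(),
          "status:", SAMPLE.status(date(2024, 1, 3)))
    print("days from discovery to determination:", SAMPLE.days_to_determination())
    print("sequence errors:", SAMPLE.sequence_errors())
```

Keeping the deadline derivation in code, rather than in an analyst's head, gives legal and investor relations a single timestamped source that can later be compared against the filed Form 8-K language.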
Enablement moves
- Train directors and executives on new disclosure expectations, including how the SEC will review governance narratives and follow-up comment letters.
- Update disclosure controls and procedures (DCPs) so cybersecurity incident data flows into quarterly certifications.
- Coordinate with insurers and outside counsel to reconcile incident playbooks with privilege, preservation, and ransom payment restrictions.
Zeph Tech analysis
- Materiality discipline becomes auditable. The SEC will compare Form 8-K language with internal timelines, making informal decision paths risky.
- Vendor transparency pressures rise. Boards must now explain how they oversee third-party risk, driving demand for attestations and integrated telemetry.
- Comment letters loom. Early filings will likely attract SEC questions—programmes lacking documented governance or measurable outcomes will be flagged.
Zeph Tech is helping registrants rehearse disclosure tabletop exercises and benchmark governance narratives against peer filings ahead of the 2024 Form 10-K season.