Cybersecurity Briefing — July 26, 2024
SEC staff published a sample comment letter reminding registrants how to comply with the 2023 cybersecurity disclosure rules, highlighting expectations for 8-K incident reports and governance narratives.
Executive briefing: On July 26, 2024 the SEC Division of Corporation Finance released a sample comment letter addressing the cybersecurity disclosure rules that took effect in December 2023. The letter shows how staff will question Item 1.05 Form 8-K filings and Regulation S-K Item 106 disclosures when risk management, oversight, or incident updates appear incomplete.
Key industry signals
- Timely incident reporting. The Item 1.05 clock runs from the materiality determination, not from discovery: registrants must file within four business days after determining that an incident is material, and must reach that determination without unreasonable delay. Later filings should then describe ongoing impacts and remediation progress, including facts that were not known when the original 8-K was filed.
- Board oversight detail. Companies must explain how the board and relevant committees supervise cybersecurity risk, including reporting cadence, expertise, and escalation criteria.
- Risk management clarity. Registrants should describe third-party assessments, threat intelligence usage, and how cybersecurity fits into enterprise risk management, not just list generic controls.
Control alignment
- Regulation S-K Item 106(b). Document the processes used to assess, identify, and manage material risks from cybersecurity threats, and ensure disclosures match operating reality.
- Regulation S-K Item 106(c). Capture board oversight, management roles, and reporting structures in governance charters and dashboards.
- Form 8-K Item 1.05. Maintain incident response runbooks that drive a prompt, documented materiality assessment (the four-business-day filing window starts when that determination is made, so record its date) and that produce a draft disclosure before the window closes.
Detection and response priorities
- Audit incident response records, including decision logs that timestamp discovery, the materiality determination, the 8-K filing, and board notification, so that the interval between each step can be checked and justified.
- Link vulnerability management, threat intelligence, and third-party risk data to disclosure readiness so filings reflect live risk posture.
- Track remediation commitments made in public statements and ensure operations teams close them before the next periodic report.
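A small audit script for the decision-log review described above, added here as an illustration rather than taken from the briefing or from any SEC guidance. It computes the Item 1.05 deadline as four business days after the materiality determination (weekends and listed holidays excluded) and flags log entries that filed late, never filed, or took longer than a chosen number of days to reach a determination. The holiday set, the 30-day determination threshold, and the three log entries are constructed for the example; a real run would use the full federal holiday calendar and the registrant's own log.

```python
from datetime import date, timedelta

# Constructed for this example: only the federal holidays that fall inside the
# sample incidents' windows, not a complete SEC holiday calendar.
HOLIDAYS_2024 = {
    date(2024, 7, 4),  # Independence Day
    date(2024, 9, 2),  # Labor Day
}

# Constructed sample decision log. Dates are: when the incident was discovered,
# when management determined it was material, and when the 8-K was filed.
SAMPLE_LOG = [
    {"id": "INC-1", "discovered": date(2024, 6, 28),
     "determined": date(2024, 7, 3), "filed": date(2024, 7, 10)},
    {"id": "INC-2", "discovered": date(2024, 5, 1),
     "determined": date(2024, 8, 30), "filed": date(2024, 9, 9)},
    {"id": "INC-3", "discovered": date(2024, 10, 1),
     "determined": date(2024, 10, 2), "filed": None},
]


def is_business_day(d, holidays=HOLIDAYS_2024):
    """Monday to Friday and not a listed holiday."""
    return d.weekday() < 5 and d not in holidays


def item_105_deadline(determination_date, holidays=HOLIDAYS_2024):
    """Last day to file under Item 1.05: the fourth business day after the
    materiality determination. The clock starts at the determination, not at
    discovery, so the discovery date plays no part here."""
    d = determination_date
    remaining = 4
    while remaining:
        d += timedelta(days=1)
        if is_business_day(d, holidays):
            remaining -= 1
    return d


def audit_decision_log(entries, max_determination_days=30, holidays=HOLIDAYS_2024):
    """Return (incident id, finding) pairs for entries that need attention.

    max_determination_days is an assumed internal review threshold, not a
    number from the rule: the rule only requires the determination to be made
    without unreasonable delay, so long gaps need a documented reason."""
    findings = []
    for e in entries:
        deadline = item_105_deadline(e["determined"], holidays)
        if e["filed"] is None:
            findings.append((e["id"], "no 8-K filing recorded"))
        elif e["filed"] > deadline:
            late = (e["filed"] - deadline).days
            findings.append((e["id"],
                             f"8-K filed {late} day(s) after the {deadline.isoformat()} deadline"))
        gap = (e["determined"] - e["discovered"]).days
        if gap > max_determination_days:
            findings.append((e["id"],
                             f"materiality determination took {gap} days; needs a documented reason"))
    return findings


if __name__ == "__main__":
    for incident_id, finding in audit_decision_log(SAMPLE_LOG):
        print(f"{incident_id}: {finding}")
```

INC-1 passes: the determination on Wednesday July 3 skips the July 4 holiday and the weekend, so the deadline is July 10 and the filing lands on it. INC-2 is flagged twice, once for filing three days after the September 6 deadline (Labor Day pushes the fourth business day out) and once for the 121-day gap between discovery and determination. INC-3 is flagged because no filing is recorded.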
Enablement moves
- Brief disclosure committees on the sample comment letter and align legal, security, and investor relations on response procedures.
- Update board materials with threat trend summaries, risk quantification, and evidence of tabletop exercises covering the four-business-day deadline.
- Require service providers handling regulated data to commit to incident notification SLAs short enough that the registrant can still assess materiality and file within its own four-business-day window.
Zeph Tech analysis
- Expect more correspondence. The staff letter signals broad reviews this filing season, so registrants should rehearse how they would answer each sample question.
- Metrics matter. Governance disclosures should cite concrete indicators—mean time to detect, percentage of suppliers with independent assessments, tabletop frequency—rather than vague statements.
- Cross-team choreography. Investor relations, legal, communications, and security must align on messaging sequences to avoid inconsistent public updates.
Zeph Tech is mapping the SEC comment themes to NIST CSF 2.0 and FFIEC Cybersecurity Assessment Tool practices so registrants can evidence readiness during examinations.