
Source extracts — SEC Release No. 33-11216 (Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure)

Cybersecurity Program · Published September 30, 2025 · Coverage focus 2025 · Updated November 14, 2025

  • Item 1.05 of Form 8-K, added by the rule, compels registrants to disclose a cybersecurity incident they have determined to be material within four business days of that materiality determination, which the rule requires be made without unreasonable delay after discovery. The filing must describe the material aspects of the incident’s nature, scope, and timing, and its material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations; it need not include technical details of the affected systems or the planned response. Disclosure committees should pair forensic timelines with quantified business effects so the Form 8-K can be filed as soon as the materiality decision is made, rather than waiting for remediation to finish, and should amend the filing when information that was unavailable at the time later becomes known.
  • New Regulation S-K Item 106(b) requires annual Form 10-K discussion of the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, including whether those risks, or any previous incidents, have materially affected or are reasonably likely to materially affect the registrant, its business strategy, results of operations, or financial condition. CISOs must document governance workflows, risk assessment and quantification methods, and board reporting cadences so legal can point to auditable evidence when drafting the Item 1C narrative.
  • Item 106(c) mandates disclosure of the board’s oversight of risks from cybersecurity threats, including any committee or subcommittee responsible and the process by which the board is informed, together with management’s role in assessing and managing material cybersecurity risks and the relevant expertise of the managers or committees involved. Boards should schedule recurring cyber briefings and maintain director education logs; management must define accountable executives, escalation paths, and crisis communications structures to substantiate these statements.
  • The adopting release clarifies that delaying a Form 8-K filing for law-enforcement reasons requires a determination by the U.S. Attorney General that immediate disclosure would pose a substantial risk to national security or public safety, notified to the Commission in writing. The delay is limited to an initial period of up to 30 days, extendable by a further 30 days and, in extraordinary circumstances, by an additional 60 days, after which only a Commission exemptive order can extend it. Response teams must integrate Department of Justice liaisons and track delay letters so each exemption is documented and its expiration date is not missed.

Source extracts — SEC Division of Corporation Finance Sample Letter on Cybersecurity Disclosures (June 18, 2024)

  • The sample letter instructs registrants to quantify impacts and discuss recovery status when disclosing incidents, challenging boilerplate language that omits financial metrics or operational disruption. Disclosure owners should maintain templates that translate incident response metrics into revenue, expense, and service-availability figures.
  • Staff emphasise evaluating third-party breaches that materially affect registrants, even if the incident occurred at a supplier. Procurement and vendor-risk teams need escalation triggers that inform disclosure committees when outsourced environments experience compromises touching critical systems or data.
  • Comment prompts require companies to describe board oversight frequency, subject-matter expertise, and how cybersecurity considerations inform business strategy. Corporate secretaries should capture meeting minutes, director briefings, and strategic planning artefacts that evidence cyber risk integration across enterprise decisions.