SEC Cybersecurity Disclosure Rules (2023)
What is SEC Cybersecurity Disclosure Rules (2023)?
SEC Cybersecurity Disclosure Rules (2023): U.S. Securities and Exchange Commission rules adopted in July 2023 requiring public companies to disclose material cyber incidents on Form 8-K within four business days and to describe their cybersecurity risk management, strategy, and governance annually on Form 10-K.
The SEC's Cybersecurity Disclosure Rules, finalized 26 July 2023 and largely effective by December 2023, materially changed cyber-incident reporting for U.S.-listed companies. Public registrants must file Form 8-K Item 1.05 within four business days of determining that a cybersecurity incident is material, describing its nature, scope, timing, and material impact (including reasonably likely impacts). Determination of materiality must be made 'without unreasonable delay'. Annually, the 10-K must include Item 106 disclosures on processes for assessing/managing cyber risk, the role of management and the board in cyber oversight, and any material risks from cyber threats. A narrow law-enforcement-delay carve-out exists when the U.S. Attorney General determines that disclosure would substantially threaten public safety or national security. Foreign private issuers face analogous obligations on Form 6-K and 20-F. Since the rule took effect, dozens of 8-Ks have been filed (MGM Resorts, Clorox, Caesars, ScreenConnect/ConnectWise, Halliburton, CDK Global, UnitedHealth, etc.), and the SEC has separately pursued enforcement against issuers for misleading or absent disclosures.
● Examples
- 01
A retailer files an 8-K Item 1.05 within four business days of determining that a ransomware incident is material, then files amendments as scope is clarified.
- 02
A 10-K Item 106 section describes the board's quarterly cybersecurity oversight cadence, the CISO's reporting line, and the use of an external IR retainer.
● Frequently asked questions
What is SEC Cybersecurity Disclosure Rules (2023)?
U.S. Securities and Exchange Commission rules adopted in July 2023 requiring public companies to disclose material cyber incidents on Form 8-K within four business days and to describe their cybersecurity risk management, strategy, and governance annually on Form 10-K. It belongs to the Compliance & Frameworks category of cybersecurity.
How do you comply with SEC Cybersecurity Disclosure Rules (2023)?
Compliance with SEC Cybersecurity Disclosure Rules (2023) typically combines technical controls and operational practices: an incident response process that supports a materiality determination made without unreasonable delay, a Form 8-K Item 1.05 filing within four business days of that determination, and annual Form 10-K Item 106 disclosure of cyber risk management, strategy, and governance, as detailed in the full definition above.
What are other names for SEC Cybersecurity Disclosure Rules (2023)?
Common alternative names include: SEC 8-K Item 1.05, SEC cyber disclosure rule.
● Related terms
- Compliance (compliance): The discipline of meeting legal, regulatory, contractual, and internal security requirements through documented controls, evidence collection, and ongoing assessment.
- Incident Response (forensics-ir): The organised process of preparing for, detecting, analysing, containing, eradicating, and recovering from cyber security incidents, then capturing lessons learned.
- Data Breach (attacks): A confirmed security incident in which an unauthorised party accesses, exfiltrates, or discloses sensitive, protected, or confidential information.
- Third-Party Risk Management (TPRM) (compliance): The end-to-end discipline of identifying, assessing, contracting, monitoring, and offboarding third parties so that the cyber, operational, and compliance risks they introduce stay within appetite.
- Cyber Insurance (compliance): A specialty insurance product that transfers the financial impact of cyber incidents, including breach response, business interruption, and liability, to an insurer.
- Risk Management (compliance): The coordinated process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks to keep them within an organization's defined tolerance.