Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1090

SEC Cybersecurity Disclosure Rules (2023)

What are the SEC Cybersecurity Disclosure Rules (2023)?

SEC Cybersecurity Disclosure Rules (2023): U.S. Securities and Exchange Commission rules adopted in July 2023 requiring public companies to disclose material cyber incidents on Form 8-K within four business days and to describe their cybersecurity risk management, strategy, and governance annually on Form 10-K.


The SEC's Cybersecurity Disclosure Rules, finalized 26 July 2023 and largely effective by December 2023, materially changed cyber-incident reporting for U.S.-listed companies. Public registrants must file Form 8-K Item 1.05 within four business days of determining that a cybersecurity incident is material, describing its nature, scope, timing, and material impact (including reasonably likely impacts). Determination of materiality must be made 'without unreasonable delay'. Annually, the 10-K must include Item 106 disclosures on processes for assessing/managing cyber risk, the role of management and the board in cyber oversight, and any material risks from cyber threats. A narrow law-enforcement-delay carve-out exists when the U.S. Attorney General determines that disclosure would substantially threaten public safety or national security. Foreign private issuers face analogous obligations on Form 6-K and 20-F. Since the rule took effect, dozens of 8-Ks have been filed (MGM Resorts, Clorox, Caesars, ScreenConnect/ConnectWise, Halliburton, CDK Global, UnitedHealth, etc.), and the SEC has separately pursued enforcement against issuers for misleading or absent disclosures.

Examples

  1. A retailer files an 8-K Item 1.05 within four business days of determining that a ransomware incident is material, then files amendments as scope is clarified.

  2. A 10-K Item 106 section describes the board's quarterly cybersecurity oversight cadence, the CISO's reporting line, and the use of an external IR retainer.

Frequently asked questions

What are the SEC Cybersecurity Disclosure Rules (2023)?

U.S. Securities and Exchange Commission rules adopted in July 2023 requiring public companies to disclose material cyber incidents on Form 8-K within four business days and to describe their cybersecurity risk management, strategy, and governance annually on Form 10-K. This concept falls under the category Cybersecurity compliance and frameworks.

How to defend against SEC Cybersecurity Disclosure Rules (2023)?

Defenses against SEC Cybersecurity Disclosure Rules (2023) typically combine technical controls and operational practices, as detailed in the definition above.

What are the other names for SEC Cybersecurity Disclosure Rules (2023)?

Common alternative names: SEC 8-K Item 1.05, SEC cyber disclosure rule.

Related terms