
SEC Cyber Disclosure Rules

United States

United States

2023

Cybersecurity

Tax & Reporting

Overview

The SEC Cyber Disclosure Rules, adopted in July 2023, establish formal requirements for publicly traded companies to disclose material cybersecurity incidents and to describe their cybersecurity risk management, strategy, and governance. The rules amend Regulation S-K and Forms 8-K, 10-K, 6-K, and 20-F, with the aim of giving investors consistent, comparable information about cyber risks and breaches.
Public companies must report a material cybersecurity incident within four business days of determining that it is material, through a new Item 1.05 in Form 8-K. The rules also introduce Regulation S-K Item 106, which requires disclosures in the annual report on Form 10-K about the company's processes for assessing, identifying, and managing cybersecurity risk, and about board and management oversight of that risk. Foreign private issuers are subject to parallel requirements under Form 6-K (incidents) and Form 20-F (annual disclosure).
These rules apply to all SEC-registered public companies, including foreign private issuers, across industries such as finance, technology, healthcare, energy, and retail. The rules mandate disclosure rather than a specific security program, but because the disclosures must be accurate and timely, companies need reliable incident detection, escalation, and materiality-assessment processes in practice. Item 106 also asks specifically whether the company has processes to oversee and identify cybersecurity risks associated with its use of third-party service providers, which makes vendor due diligence and monitoring of third-party access part of the disclosure picture.

Key Obligations

  • Disclose material cybersecurity incidents within four business days of determining materiality, via Item 1.05 of Form 8-K
  • Describe processes for assessing, identifying, and managing material risks from cybersecurity threats, including those associated with third-party service providers
  • Outline the board’s oversight of cyber risk and management’s role and expertise in assessing and managing it
  • Include annual disclosures in Form 10-K under Item 106, covering governance and whether risks from cybersecurity threats, including previous incidents, have materially affected or are reasonably likely to materially affect the company
  • Apply equivalent disclosures for foreign private issuers under Forms 6-K and 20-F
  • Use the delay provision when the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety

FAQ

When did the SEC’s cyber disclosure rules take effect?

The rules were adopted in July 2023 and became effective in September 2023. Most companies had to comply with the Form 8-K incident disclosure requirement from December 18, 2023; smaller reporting companies received an additional 180 days, until June 15, 2024. The Item 106 annual disclosures apply to fiscal years ending on or after December 15, 2023.

What qualifies as a “material” cybersecurity incident?

An event is material if there is a substantial likelihood that a reasonable investor would consider it important when making an investment decision.

Are companies allowed to delay disclosures?

Yes, in limited cases. If the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing, the Form 8-K filing may be delayed for up to 30 days, extendable by a further 30 days, and in extraordinary circumstances by an additional 60 days.

Do the rules apply to private companies?

No, they apply only to public companies registered with the SEC, including foreign private issuers.