
    Cybersecurity Risk Disclosure Requirements for Public Companies

    For a long time, the way public companies talked about cybersecurity risks was inconsistent. Most shared very little, and what they did provide was often vague or completely voluntary. This changed in a massive way in 2023. 

    The Securities and Exchange Commission, or SEC, passed rules that make these disclosures mandatory for all public companies. This shift means cybersecurity is no longer just a technical issue for the IT team. It is now a major legal duty for the board of directors and high-level leaders.

    How The SEC’s 2023 Rules Changed Cybersecurity Disclosure

    The SEC officially finished these new rules in July 2023. For most companies, the requirements began on December 15, 2023. These rules created two very specific types of reports. 

    First, companies must file a Form 8-K to report any major cybersecurity incident within 4 business days. 

    Second, they must include a detailed section in their annual Form 10-K report. This section must explain how the company manages cyber risks and how the board oversees them. This is a major departure from the era when companies decided for themselves what to disclose.

    How Companies Determine Whether A Cyber Incident Is “Material”

    The 4-day clock is a vital part of the new rule. It does not start when the incident is discovered. Instead, it begins once the company determines that the incident is material. 

    In securities law, information is material if a reasonable investor would consider it important when deciding whether to buy or sell. A company must weigh factors such as the amount of data stolen, the cost of remediation, and any damage to its reputation. 

    The SEC warns that the materiality determination must be made without unreasonable delay; companies cannot stretch it out just to keep a problem from the public.

    What Companies Must Disclose In Their Annual Reports

    The Form 10-K requires much more detail. Companies must now explain their risk management and strategy. This means describing how they identify and mitigate cyber threats, and whether they rely on outside experts. 

    They must also disclose Board oversight. They have to say which committee handles cyber risks and how the board stays informed. 

    Finally, they must describe Management expertise, including the background of the Chief Information Security Officer (CISO). A 2024 analysis by PwC showed that over 70% of Fortune 500 companies changed these sections to meet the new standards.

    What The SEC Considers Meaningful Cybersecurity Disclosure

    The SEC wants real facts, not just generic boilerplate language. If a company uses the same vague warnings as everyone else without giving specific details about their own program, they are likely breaking the rules. 

    The SEC is looking for disclosures that are operationally accurate. This means the words in the report must match what is actually happening inside the security team and board meetings. 

    Companies cannot simply copy-paste standard risk factors anymore. They must provide meaningful content that helps investors understand real risks.

    How The New Rules Affect Enforcement And Corporate Governance

    The SEC is actively monitoring compliance and punishing companies that fail to provide operationally accurate disclosures.

    How The SEC Is Enforcing The New Cybersecurity Rules

    In 2023, the SEC sued SolarWinds, alleging that it misled investors about its security posture. The SEC’s enforcement team and examination office have made cybersecurity a top priority. They watch specifically for late filings. They also look for “boilerplate” language that does not provide meaningful information about a company’s actual risks.

    Corporate Boards Are Now Accountable For Cybersecurity Oversight

    These rules force boards to be more active. If a company claims the board provides oversight, the board members must actually perform the work. 

    They should hold regular meetings with the CISO and participate in “tabletop” drills. Board members must maintain a basic level of cybersecurity literacy. Board members are now legally accountable for the accuracy of the cybersecurity information shared with the market.

    If your company is unsure how the SEC’s cybersecurity disclosure rules apply to your reporting obligations, speak with an experienced legal professional.