The SEC's New Cybersecurity Disclosure Rules: A Practical Guide

By TruePillar Compliance & Governance Practice | March 25, 2026 | 11 min read

The SEC's cybersecurity disclosure rules have fundamentally changed how public companies report material incidents and describe their security risk management programs. Non-compliance carries significant risk—enforcement actions, shareholder litigation, and reputational damage. This practical guide walks you through the requirements, timelines, and best practices for building a defensible disclosure program.


KEY TAKEAWAYS

  • Materiality is the threshold for disclosure. Not every incident requires disclosure—only those deemed material to investors. Organizations must establish rigorous materiality assessment processes that can be executed within the four-business-day reporting window.
  • Form 8-K disclosures are due within four business days. The clock starts when an incident is determined to be material. This compressed timeline demands pre-established incident response processes that integrate legal, security, and communications teams.
  • Annual disclosures require more than a checkbox. Item 1C of Form 10-K requires detailed description of risk management, governance, and board oversight. Boilerplate language invites scrutiny.
  • Materiality judgments must be documented. Regulators will examine not just whether you disclosed, but whether your materiality assessment was reasonable and documented. Retroactive judgments are difficult to defend.
  • Disclosure preparation starts before the incident. Organizations that have established processes, defined roles, and pre-drafted templates respond faster, more consistently, and with lower regulatory risk than those scrambling after an incident.

In July 2023, the Securities and Exchange Commission (SEC) adopted final rules requiring public companies to disclose material cybersecurity incidents and provide annual updates on their cybersecurity risk management, strategy, and governance. The rules took effect in late 2023, with compliance required for annual reports beginning in late 2024.

These rules represent the most significant regulatory change in cybersecurity disclosure in a generation. They shift cybersecurity from a topic discussed only in the aftermath of breaches to a standing disclosure obligation with strict timelines and potential liability for non-compliance.

This guide is a practical resource for public company executives, legal counsel, and security leaders. It explains the rules, clarifies the requirements, and provides actionable guidance for building a defensible disclosure program.

The Rules — What Changed

The SEC's final rules introduced two primary disclosure obligations:

1. Material Cybersecurity Incident Disclosure (Form 8-K)

Public companies must disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material.

The disclosure must include:

  • The material aspects of the incident's nature, scope, and timing
  • The material impact or reasonably likely material impact on the registrant

There is no exception for ongoing investigations. Delays are only permitted if the Attorney General determines that disclosure would pose a substantial risk to national security or public safety.

2. Annual Cybersecurity Disclosure (Form 10-K)

Registrants must describe in their annual reports (Item 1C of Form 10-K):

  • Their processes for assessing, identifying, and managing material cybersecurity risks
  • Whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the registrant
  • The board's oversight of cybersecurity risks
  • Management's role in assessing and managing cybersecurity risks

The Timeline:

  • Form 8-K incident disclosure — Effective date: September 5, 2023; first compliance: September 5, 2023
  • Form 10-K annual disclosure — Effective date: December 18, 2023; first compliance: fiscal years ending after December 15, 2023
  • Form 10-K updates to Item 1C — Effective date: December 18, 2023; first compliance: fiscal years ending after December 15, 2023

Materiality — The Critical Threshold

The linchpin of both disclosure requirements is materiality. An incident is disclosable only if it is material. A risk is reportable only if it is material. But what does materiality mean in this context?

The Legal Standard:

Under securities law, information is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision. This is the same standard that applies to other disclosure obligations.

What Makes an Incident Material?

Materiality is a facts-and-circumstances determination. Factors to consider include:

  • Financial impact: Direct costs (ransom, remediation, legal fees); indirect costs (lost revenue, customer churn, increased insurance premiums)
  • Operational impact: Disruption to business operations, inability to deliver products or services
  • Reputational impact: Potential harm to customer trust, brand value, competitive position
  • Regulatory impact: Regulatory investigations, fines, or enforcement actions
  • Litigation impact: Shareholder lawsuits, contractual breach claims
  • Scope: Number of records affected, sensitivity of data, categories of individuals impacted

"Materiality is not a mathematical formula—it's a judgment. The SEC will evaluate not just the outcome of that judgment, but the process you used to reach it."

The Assessment Window:

Materiality must be assessed without unreasonable delay after discovery of the incident. The four-day disclosure clock begins when you determine—or should have determined—that an incident is material.

Documentation Is Critical:

Your materiality assessment process must be documented. Retroactive judgments—"we determined it wasn't material at the time"—are difficult to defend without contemporaneous documentation. Regulators will examine:

  • Who made the materiality determination
  • What information was available at the time
  • What analysis was performed
  • When the determination was made

Form 8-K — The Four-Day Countdown

When an incident is determined to be material, the clock starts. Here's what happens in those four business days.

Day 0: Incident Discovery & Initial Assessment

  • Incident is detected and escalated through incident response process
  • Security team initiates investigation and containment
  • Legal is notified and begins materiality assessment
  • Incident response team begins documenting facts, scope, and impact

Day 1: Materiality Determination

  • Legal, security, and executive leadership convene to assess materiality
  • Information gathered includes: technical scope, affected systems/data, estimated financial impact, operational disruption, potential legal/regulatory exposure
  • If incident is deemed material, disclosure decision is made

Days 2-4: Disclosure Preparation & Filing

  • Disclosure drafting begins (legal, communications, security)
  • Disclosure is reviewed by management, legal counsel, and external advisors
  • Form 8-K is prepared and filed with EDGAR
  • Press release may be issued concurrently

What Must Be Disclosed:

  • The material aspects of the incident's nature, scope, and timing
  • The material impact or reasonably likely material impact

What May Be Delayed:

  • Forensic investigation details (if incomplete at time of filing)
  • Specific technical details that could aid attackers
  • Information subject to privilege

Key Consideration: The disclosure must be filed even if the investigation is ongoing. You can update the disclosure in subsequent filings as more information becomes available.

Form 10-K — The Annual Disclosure

The annual disclosure (Item 1C of Form 10-K) is a narrative description of your cybersecurity program. Boilerplate language invites scrutiny. The SEC expects substantive, company-specific disclosure.

Required Elements:

1. Risk Management and Strategy

Describe your processes for:

  • Assessing, identifying, and managing material cybersecurity risks
  • Integrating cybersecurity risk management into your overall risk management program
  • Engaging third parties (vendors, service providers) on cybersecurity risks

2. Material Effects of Cybersecurity Risks

Discuss whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect your business strategy, results of operations, or financial condition.

3. Board Oversight

Describe the board's oversight of cybersecurity risks, including:

  • Whether the full board or a committee oversees cybersecurity
  • The frequency of board or committee review
  • The expertise of directors overseeing cybersecurity

4. Management's Role

Describe management's role in assessing and managing cybersecurity risks, including:

  • Which management positions or committees are responsible
  • The relevant expertise of those individuals
  • The processes by which management is informed about cybersecurity risks
  • How management reports to the board

What the SEC Expects to See:

  • Specificity: Describe your actual processes, not generic categories
  • Integration: Show how cybersecurity risk management connects to broader enterprise risk management
  • Governance: Articulate clear lines of responsibility and reporting
  • Materiality: Be honest about material impacts, past or reasonably likely

What the SEC Flags as Problematic:

  • Boilerplate: Generic language that could describe any company
  • Overly broad: "We have robust cybersecurity processes" without specifics
  • Disconnected: Cybersecurity described as isolated from business operations
  • Inconsistent: Annual disclosure that contradicts Form 8-K filings

Building a Defensible Disclosure Program

Compliance with SEC rules requires more than understanding the requirements—it requires building processes that enable rapid, accurate, and consistent disclosure.

The Disclosure Program Framework:

1. Incident Response Integration

Your incident response plan must integrate disclosure processes:

  • Define when legal is notified (immediately, not after investigation)
  • Establish materiality assessment protocol (who, how, when)
  • Pre-identify who makes disclosure decisions
  • Pre-draft disclosure templates for common incident types
  • Practice disclosure scenarios in tabletop exercises

2. Materiality Assessment Process

Establish a documented materiality assessment process:

  • Define who participates (legal, security, finance, operations, communications)
  • Define what information is required for assessment
  • Define timeline for assessment (hours, not days)
  • Establish escalation thresholds (escalate to CEO/board for certain incident types)
  • Document all materiality determinations

3. Disclosure Drafting Capability

You cannot write a disclosure from scratch under four-day pressure:

  • Pre-draft disclosure templates for common incident types (ransomware, data breach, etc.)
  • Define the review and approval chain
  • Identify who can approve and file with EDGAR
  • Pre-engage external counsel for disclosure review

4. Cross-Functional Coordination

Disclosure requires coordination across functions:

  • Security: Incident facts, technical details, impact assessment
  • Legal: Materiality judgment, disclosure drafting, privilege considerations
  • Communications: Public messaging, stakeholder communications
  • Finance: Financial impact assessment
  • Operations: Business impact assessment
  • Executive leadership: Disclosure approval

5. Documentation and Retention

Your disclosure process will be examined in any enforcement action:

  • Document materiality assessments contemporaneously
  • Maintain records of disclosure decisions
  • Retain evidence of the information available at the time
  • Document reasons for non-disclosure if incident is deemed non-material