What the Rules Require
The SEC cybersecurity disclosure rules that became effective in December 2023 created two primary obligations for public companies. The first is incident reporting: companies must disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material. The second is annual governance disclosure: companies must describe in their annual Form 10-K their cybersecurity risk management processes, the role of management and the board in cybersecurity oversight, and material cybersecurity risks that could affect their business.
One year into the rules' operation, the practical challenges of compliance have become clearer. The four-business-day materiality determination timeline is the most operationally demanding requirement, because it requires organizations to make a legal materiality determination while an incident response is still in progress and full facts are not yet known.
The Materiality Determination Challenge
The SEC has declined to provide a bright-line definition of materiality for cybersecurity incidents. The standard is the same as for other material events: whether there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision. In practice, organizations must work through legal counsel to assess whether an incident meets this threshold based on factors including the data affected, the operational impact, the potential financial impact, and the likely regulatory consequences.
The four-business-day timeline runs from the determination date, not the discovery date. This creates a legitimate argument for a careful, deliberate materiality analysis rather than an immediate determination. However, the SEC has signaled in comment letters and enforcement actions that it expects the materiality determination process to proceed promptly after an incident is discovered. Slowing the analysis in order to push back the start of the disclosure clock is not an acceptable approach.
Annual Governance Disclosure Best Practices
The annual 10-K cybersecurity disclosure has become a substantive document that sophisticated investors and analysts review. Early disclosures in 2024 that were vague or boilerplate have drawn criticism and, in some cases, SEC comment letters requesting additional detail. Best practice disclosures address specific governance mechanisms rather than generic statements, describe how the board receives and reviews cybersecurity risk information, and identify management's cybersecurity oversight role in concrete terms, without creating litigation exposure by overpromising capability.
CISOs at public companies are now public figures in a meaningful regulatory sense. Their role, their processes, and their communications to the board may all be disclosed in public filings. CISOs at public companies should ensure their employment agreements, D&O coverage, and internal governance structures reflect this changed exposure profile.
What Boards Need to Do
The rules have accelerated a change that was already underway: boards are now expected to have genuine cybersecurity oversight capability, not just a cyber-aware director. Boards that receive security briefings only when a crisis occurs are not meeting the governance standard the rules contemplate. Best practice is regular security reporting in board-consumable formats, a defined process for receiving notice of significant incidents, and the organizational structure to make a timely materiality determination when one is needed.
- Define your materiality determination process before you need it, including who is involved and what the decision criteria are
- Establish a relationship with breach counsel before an incident so the attorney-client relationship is already in place when you need it
- Review your incident response plan to confirm it includes a regulatory notification workflow
- Develop a cybersecurity governance section for your 10-K that reflects actual processes rather than aspirational descriptions
- Ensure your board receives regular cybersecurity risk briefings, not only crisis notifications