Full Report
In December 2023, as cyberattacks surged, the U.S. Securities and Exchange Commission (SEC) began enforcing new cybersecurity disclosure rules. This pushed C-level executives and boards to adopt measures for compliance and transparency. In this post, we look at the enforcement actions the SEC has taken and what public company CISOs should do to stay in compliance.

Cyberattacks surge, the SEC takes action and boards pay attention

In recent years, cyberattacks have become more sophisticated, affecting public and private organizations alike. Recognizing the critical need for transparency and robust cybersecurity measures, the SEC adopted new cybersecurity disclosure rules in July 2023. The rules took effect in September 2023, and compliance with the incident disclosure requirement was required of most registrants from December 18, 2023 (smaller reporting companies were given until June 15, 2024).

These rules, which require public companies to disclose material cybersecurity incidents within four business days of determining that they are material and to describe their cybersecurity risk management, strategy and governance every year, make clear that cybersecurity is a board-level risk management concern.

As part of their fiduciary duties, boards play a key role in the oversight of risks from cybersecurity threats. In partnership with senior executives, they need to pay close attention to the risks their companies face and the strategies those companies put in place to comply.

As the rules took effect in late 2023, we shared what we see as the implications for infosec leaders. This post explores the impact of these regulations after one year. We also look at recent enforcement actions and measures that companies should consider adopting to promote compliance and bolster their cybersecurity posture.

An important note: In 2025, there will be changes in SEC leadership, which could affect these rules. But they're just one example of the additional attention governments around the world are giving to cyber risk.

The EU's NIS2 Directive, aimed at improving cybersecurity across member states, requires entities in scope to report "significant" incidents in stages: an early warning within 24 hours of becoming aware of the incident, a more detailed incident notification within 72 hours and a final report within a month. Other rules with a narrower focus have also driven significant change for companies that want to do business in the region. The General Data Protection Regulation (GDPR), for example, is a data protection regime rather than an investor disclosure regime, but it still requires organizations to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and to notify affected individuals without undue delay where the breach is likely to pose a high risk to them.

It comes down to trust. Tenable CEO Amit Yoran had a clear point of view when he wrote about the rules as they took effect.

"The SEC's rule will force what companies should have been implementing all along; informed cyber risk management practices," he said. "Requiring companies to provide annual updates of their cybersecurity risk management strategy and governance and report material breaches within four business days will force leadership to pay attention and keep customers and investors better informed as to who they trust with their business."

Key requirements of the SEC's cybersecurity disclosure rules

With that as a backdrop, CISOs looking to support stakeholders like legal, finance, investor relations and boards in these efforts should understand a few things about the SEC rules.

The SEC requires public companies to disclose material cybersecurity incidents on Form 8-K (Item 1.05) within four business days of determining that the incident is material. The trigger is the materiality determination, not the discovery of the incident, although the rule requires that determination to be made without unreasonable delay after discovery. This requirement aims to give investors timely and relevant information about potential risks that could impact business operations and financial performance.

At a conference held by the American Institute of Certified Public Accountants (AICPA) and the Chartered Institute of Management Accountants (CIMA) in December, Sebastian Gomez Abero, Associate Director of the Division of Corporation Finance (DCF) Disclosure Review Program, emphasized that materiality, rather than the discovery of a breach, is the trigger for disclosing a cybersecurity incident. According to an EY summary of his remarks provided by the conference organizations, Gomez Abero also reminded registrants that both quantitative and qualitative factors should be considered in their materiality assessment of a cybersecurity incident.

In addition, companies must describe their cybersecurity risk management, strategy and governance annually in their Form 10-K (Item 1C, which implements Regulation S-K Item 106) or, for foreign private issuers, Form 20-F. The rules essentially validate cybersecurity as an important component of risk management within a robust corporate governance program. Recent 10-Ks from a number of companies incorporated these new requirements.

According to the EY conference summary, Gomez Abero reminded registrants to provide sufficient detail in their annual cybersecurity disclosures for a reasonable investor to understand the organization's processes to assess, identify and manage material risks from cybersecurity threats, rather than just stating that a process exists. In addition, registrants that have a management group to assess material cybersecurity risk need to disclose the relevant expertise of its members.

Big fines and penalties from enforcement actions

Since the introduction of the cybersecurity rules, the SEC has brought significant enforcement actions over cybersecurity disclosures, including fines and settlements with various companies. One caveat for practitioners: the actions below concern incidents that occurred before the new rules took effect, and the SEC brought them under its longstanding disclosure, antifraud and internal-controls provisions rather than under Item 1.05. They nonetheless show how the SEC expects cyber incidents to be assessed, escalated and described to investors.

For example, in October 2024, the SEC fined Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd. and Mimecast Limited a combined total of almost $7 million for allegedly misleading disclosures about the intrusions each company suffered at the hands of the threat actor behind the SolarWinds Orion compromise. In its orders, the SEC alleged that the companies minimized the intrusions or described them in generic or hypothetical terms, which misled investors about their potential impacts. Each company settled without admitting or denying the allegations.

In another notable enforcement action, R.R. Donnelley & Sons Company (RRD) agreed in June 2024 to pay more than $2.1 million to settle charges that its disclosure controls and internal accounting controls were inadequate in connection with a ransomware intrusion in 2021. The SEC found that RRD's internal processes failed to properly escalate the security alerts and the resulting incident to senior management in a timely manner, underscoring the importance of having robust incident management frameworks in place.

Lessons learned

There are three key lessons to keep in mind as you work to help your organization meet the SEC cybersecurity requirements:

Be transparent. Your organization's incident management and disclosure practices are being scrutinized. It's not just the board and senior executives paying attention — your company's investors want to understand your organization's cyber risk. Choose a forthright and straightforward approach to meet the 8-K disclosure requirements, such as establishing a cybersecurity disclosure committee and a materiality framework for regularly assessing cyber incidents. Doing so could help your organization avoid fines.

View cyber risk as business risk. Your cybersecurity risk management and governance practices are of strategic importance to your organization. The 10-K and 20-F requirements codify the importance of having a robust strategy for cybersecurity. Rather than seeing it as a compliance chore, consider it an opportunity to educate the board and investors about all the ways your organization is reducing cyber risk.

Be proactive. Don't treat your cybersecurity strategy as merely a once-a-year compliance task. Make sure the cybersecurity systems and processes you have in place provide continuous visibility into the entirety of your attack surface, so that you're always ready to answer the questions "how secure are we?" and "where are we at risk?"

Exposure management can help meet the SEC requirements

So what can a CISO do about this? It starts with a comprehensive cybersecurity program, including exposure management, which gives CISOs the information they need to communicate with legal, finance, investor relations, boards and other internal stakeholders about vulnerabilities and cyber incidents so that those can be appropriately captured in the company's cyber risk management and public reporting.

Exposure management equips an organization with the tools needed to support the SEC's cybersecurity disclosure requirements by aligning cybersecurity efforts with business risk management. It provides comprehensive visibility into the organization's attack surface, prioritizes vulnerabilities based on their potential business impact and delivers actionable insights that inform the preparation of risk management filings. Moreover, exposure management is part of a cyber program that can identify cyber risks and incidents that may need to be reported in filings. With easily understood, dynamically updated dashboards that a CISO can use to gain visibility into companywide exposures, exposure management helps demonstrate a strong security posture and supports compliance.

An exposure management strategy that integrates asset visibility, risk prioritization and incident response, along with strong partnerships between the CISO, legal, investor relations and finance, helps organizations report their practices and responses accurately at any point in time because of the continuous monitoring built into exposure management. By focusing on vulnerabilities that pose the greatest threat to business operations, companies can allocate resources effectively and build a cybersecurity program that supports regulatory compliance.

What the C-suite should consider

For CISOs, adopting an exposure management program means they can provide legal, finance, investor relations, boards and other executives with clear, actionable insights into the organization's cybersecurity risks. Exposure management helps inform decision-making and supports the development of comprehensive risk management frameworks, enabling companies to address threats proactively and build confidence among investors and stakeholders.

The entire C-suite should approach the SEC's rules with an eye toward integrated and forward-looking cybersecurity strategies. As part of that effort, it's crucial to develop and maintain comprehensive incident response plans that can be deployed swiftly, including a documented materiality assessment step, so that the four-business-day disclosure clock can be met once an incident is determined to be material.

Preventative measures for compliance

To meet the SEC's cybersecurity disclosure rules and reduce the risk of breaches that could lead to significant regulatory and financial consequences, organizations must adopt proactive strategies that strengthen their defenses. The following preventative measures outline key steps companies should take to enhance their cybersecurity posture and support compliance.

Vulnerability management: Effective vulnerability management is essential for maintaining a strong cybersecurity posture. Automated vulnerability assessment tools can regularly inspect infrastructure and promptly identify security gaps.

Zero trust architecture: A zero trust security model operates on the principle that no user or device, whether inside or outside the organization's network, should be trusted by default. Implementing zero trust means continuously verifying each user and device that attempts to access company resources, ensuring strict authentication, authorization and validation throughout the user session.

Takeaways

The SEC's cybersecurity disclosure rules underscore the critical importance of transparency and proactive risk management in today's digital landscape. Although compliance requires effort and resources, it also presents an opportunity for companies to build trust with investors and stakeholders.

By prioritizing robust cybersecurity practices that focus on prevention, enterprises can better align with regulatory expectations and be prepared for critical reporting requirements. They can close exposures and become resilient, responsible leaders in an increasingly risky world.

Learn more

- Visit the web page: How to reduce SEC cybersecurity rule compliance challenges
- Read the blog: FAQ: What the new SEC Cybersecurity Rules Mean for Infosec Leaders
- View the on-demand webinar: Preparing for the new SEC cybersecurity disclosures
- Download the Gartner report: How to Grow Vulnerability Management into Exposure Management
Analysis Summary
# Regulation/Compliance: SEC Cybersecurity Disclosure Rules (One Year Review)
## Overview
This summary addresses the requirements and implications of the U.S. Securities and Exchange Commission (SEC) rules mandating timely disclosure of material cybersecurity incidents and annual disclosures regarding cybersecurity risk management, strategy, and governance for public companies.
## Key Details
- **Issuing Authority:** U.S. Securities and Exchange Commission (SEC)
- **Effective Date:** The rules became effective September 5, 2023. Form 8-K Item 1.05 incident reporting applied from December 18, 2023 for all registrants other than smaller reporting companies (SRCs), which had until June 15, 2024. The annual disclosures applied to all registrants for fiscal years ending on or after December 15, 2023.
- **Jurisdiction:** U.S. publicly traded companies registered with the SEC.
- **Status:** Final rules, fully in effect; all phase-in dates have passed.
## Requirements
### Mandatory Requirements
1. **Material Incident Disclosure (Form 8-K):** Public companies must disclose a cybersecurity incident they have determined to be material on **Form 8-K, Item 1.05**, within **four business days** of that determination. The materiality determination itself must be made without unreasonable delay after discovery of the incident. The filing must describe the material aspects of the nature, scope and timing of the incident and its material impact, or reasonably likely material impact, on the registrant, including its financial condition and results of operations. Specific technical details about the planned response or the affected systems that would impede response or remediation need not be disclosed.
2. **Ongoing Updates:** If any required information is not determined or is unavailable at the time of the initial Form 8-K filing, the company must say so and file an amendment within **four business days** after it determines the information or the information becomes available.
3. **Annual Cybersecurity Disclosure (Form 10-K, Item 1C, implementing Regulation S-K Item 106; Form 20-F Item 16K for foreign private issuers):** Companies must describe:
* **Risk Management:** The processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, including whether and how those processes are integrated into overall risk management, whether the registrant engages assessors, consultants or auditors, and whether it has processes to oversee risks from third-party service providers.
* **Material Effects:** Whether any risks from cybersecurity threats, including as a result of previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations or financial condition.
* **Governance:** The board of directors' oversight of risks from cybersecurity threats (including any responsible committee) and management's role and expertise in assessing and managing those risks, including which positions or committees are responsible and how they are informed about and monitor incidents.
4. **National-Security Delay:** Disclosure of a material incident may be delayed if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing; the initial delay is up to 30 days and may be extended in limited circumstances.
### Recommended Practices (Implied by the rules and regulatory intent)
1. Establishing clear internal processes and governance structures for determining materiality of cybersecurity incidents.
2. Ensuring robust documentation showing due diligence regarding risk management processes for board oversight.
3. Developing standardized templates for the 8-K disclosure to speed up readiness within the four-day window.
## Affected Organizations
- **Industries:** All public companies subject to SEC reporting requirements (regardless of industry, though the nature of cyber risk will vary).
- **Organization Size:** All registrants regardless of size. Smaller reporting companies were given an additional 180 days to begin Item 1.05 reporting; no filer category is exempt from the annual disclosures.
- **Geographic Scope:** U.S. domestic registrants and foreign private issuers filing pursuant to the Exchange Act.
## Compliance Timeline
Compliance timelines depended on filer status only for incident reporting:
- **Form 8-K Item 1.05 (material incidents):**
* **December 18, 2023:** All registrants other than smaller reporting companies.
* **June 15, 2024:** Smaller reporting companies (an additional 180 days).
- **Annual disclosures (Form 10-K Item 1C / Form 20-F Item 16K):**
* **Fiscal years ending on or after December 15, 2023:** All registrants, including smaller reporting companies, beginning with the annual report for that fiscal year.
- **Current state:** All phase-in dates have passed; every registrant is now subject to both the incident and the annual disclosure requirements.
## Implementation Guidance
### Assessment Phase
- **Gap Analysis:** Compare current incident response procedures, risk assessment processes, and internal documentation against the specific disclosure mandates of Item 1.05 (8-K) and the annual 10-K requirements.
- **Materiality Definition:** Clearly define what constitutes a "material" cybersecurity incident internally, documented and approved by the Board/appropriate committee.
### Implementation Phase
- **Board Education:** Train the Board of Directors on their mandated oversight roles regarding cybersecurity risk governance and strategy.
- **8-K Readiness:** Develop and test procedures so that the Board or its delegated authority can make a materiality determination without unreasonable delay after an incident is discovered, and so that the company can execute an 8-K filing within four business days of that determination (the clock starts at the determination, not at discovery).
- **Data Aggregation:** Establish systems to gather and report on cybersecurity risk management processes, strategy, and board/management expertise annually for the 10-K.
### Validation Phase
- **Dry Runs:** Conduct mock incident simulations that require the triggering of the 8-K disclosure process to test internal controls and timeline adherence.
- **Controls Confirmation:** Ensure the cybersecurity disclosure controls and procedures are covered by the periodic evaluation that supports the CEO/CFO certifications on the 10-K and 8-K, and that internal audit reviews them; the Item 1C disclosures sit outside the audited financial statements but inside the disclosure controls regime.
## Technical Requirements
While the rules are primarily disclosure-focused, they necessitate robust underlying cyber capabilities:
1. **Incident Detection & Triage:** Ability to rapidly detect, analyze and scope security events, and to feed the facts needed for a materiality determination (affected systems, data, business impact) to decision-makers without unreasonable delay, so that the four-business-day filing window can be met.
2. **Risk Quantification:** Systems capable of measuring and reporting on the identified cyber risks as part of the risk management strategy disclosure.
## Penalties & Enforcement
- **Fines:** Potential SEC enforcement actions for failure to disclose, misleading disclosures, or general violations of securities laws, leading to significant civil monetary penalties against the company and potentially individuals.
- **Other Consequences:** Private litigation risks (shareholder lawsuits alleging failure to disclose material information in a timely or accurate manner). Scrutiny from regulators and negative market reaction.
- **Enforcement:** The SEC enforces compliance through filing reviews by the Division of Corporation Finance, investigations by the Division of Enforcement (including into incidents that become public through other channels) and whistleblower tips. Enforcement actions to date for cyber disclosures have relied on longstanding antifraud, disclosure-controls and internal-controls provisions as well as the incident disclosure rule.
## Related Standards
- **Legal Standards:** U.S. Securities Exchange Act of 1934.
- **Framework Alignment (Implied necessity):** Although not explicitly mandated by the SEC rules themselves, organizations fulfilling the governance and risk management disclosures are highly encouraged to leverage established frameworks such as:
* **NIST Cybersecurity Framework (CSF):** To structure risk identification, management, and response processes outlined in the 10-K.
* **ISO/IEC 27001/27002:** For establishing and maintaining an Information Security Management System (ISMS) that underpins stated risk strategies.
## Resources
- **Official Documentation:** Refer to the SEC final rule "Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure," Release No. 33-11216, adopted July 26, 2023, and the Division of Corporation Finance's Compliance and Disclosure Interpretations on Item 1.05. (Note: Specific government URLs should be sought via official SEC search channels.)
- **Guidance Documents:** SEC guidance often follows initial compliance periods to clarify interpretation.
- **Tools:** Exposure management platforms (such as those offered by Tenable) can aid in identifying, measuring and articulating cyber risk posture for the annual disclosures; they support, but do not by themselves satisfy, the disclosure requirements.
## Practical Recommendations
1. **Elevate Materiality Consensus:** Ensure the CISO, legal counsel and the CFO/CEO have a pre-agreed, documented process for determining materiality and for starting the four-business-day 8-K filing clock once an incident is determined to be material.
2. **Document Governance Annually:** Treat the 10-K disclosure components as required reporting—documenting board meeting minutes, specific committee roles, and management capabilities related to cyber risk must be maintained year-round.
3. **Focus on Qualitative Risk:** Because 10-K disclosures require qualitative descriptions of strategy and governance, organizations must move beyond tactical remediation and focus on articulating their cohesive, board-level risk strategy.