What is the SEC Cyber Disclosure Rule?
The SEC cyber disclosure rule requires public companies to report material cyber incidents within four business days of determining that an incident is material, and to describe their cyber risk management and governance every year. Learn what boards and CFOs need to know to stay compliant.
What the Rule Requires: The Two Core Obligations
The SEC cybersecurity disclosure rule, adopted in July 2023, has two primary components.
Incident disclosure (Item 1.05 of Form 8-K). Public companies must disclose material cybersecurity incidents on Form 8-K within four business days of determining the incident is material. The disclosure must describe the material aspects of the nature, scope, and timing of the incident, and its material impact or reasonably likely material impact on the company, including its financial condition and results of operations. Critically, the four-day clock starts from the materiality determination, not from incident discovery. The rule does not let a company run out that clock by deferring the decision: the materiality determination must be made without unreasonable delay after discovery, and the SolarWinds enforcement action (discussed below) signals that the commission will scrutinize cyber disclosures closely. Three further points matter in practice. If required information is not yet determined or available when the 8-K is filed, the company must say so and file an amendment within four business days of determining it. The only permitted delay is narrow: the U.S. Attorney General must determine that immediate disclosure would pose a substantial risk to national security or public safety. And SEC staff have indicated that incidents not (or not yet) determined to be material should be disclosed voluntarily under Item 8.01 rather than Item 1.05, so that an Item 1.05 filing is an unambiguous statement of materiality.
Annual disclosure (Item 106 of Regulation S-K, reported in Form 10-K). Public companies must annually disclose: their processes for assessing, identifying, and managing material risks from cybersecurity threats; whether any such risks, including those arising from previous incidents, have materially affected or are reasonably likely to materially affect the company; the board's oversight of cybersecurity risk (which board committee, if any, is responsible, and how the board is informed about these risks); and management's role in assessing and managing cybersecurity risk, including the relevant expertise of the managers or management committees responsible.
What 'Material' Means in the Cyber Context
Materiality in securities law means information that a reasonable investor would consider important in making an investment decision. The SEC has not defined a numeric threshold; materiality is determined by facts and circumstances, and the adopting release makes clear that qualitative factors such as reputational harm count alongside quantitative ones. Courts (TSC Industries v. Northway, Basic v. Levinson) have generally applied the 'substantial likelihood that a reasonable investor would consider the information important' standard.
In the cyber context, materiality analysis typically considers: financial impact (direct costs, business interruption, ransom payments), operational disruption (systems offline, customer-facing services impaired), data exposure (regulated data, customer data, strategic information), reputational impact, and regulatory consequence. A ransomware attack that encrypts systems used for customer-facing revenue, disrupts operations for days, and involves data that triggers state breach notification obligations is almost certainly material. A security incident that is contained within hours with no data exposure and no operational impact may not be.
The SolarWinds enforcement action — in which the SEC charged SolarWinds and its CISO with fraud for alleged misstatements about cybersecurity practices in SEC filings — signals that the SEC will scrutinize not only whether incidents were disclosed but whether the company's public statements about its cybersecurity posture accurately reflected actual conditions.
Board Governance Requirements
The annual 10-K disclosure requirement creates explicit board accountability for cybersecurity governance. Companies must describe the board's oversight of cybersecurity risk, identify any board committee or subcommittee responsible for that oversight, and describe how the board or committee is informed about cybersecurity risks. (The proposed rule would also have required disclosure of directors' cybersecurity expertise; the final rule dropped that element, although it does require disclosure of the expertise of the managers responsible.) Even so, the requirement has driven meaningful changes in board composition and committee structure at public companies, creating demand for directors with cybersecurity backgrounds and formalizing cybersecurity as a standing board agenda item rather than an occasional management presentation.
For PE-backed companies approaching public markets, this requirement means that pre-IPO cybersecurity governance gaps — no board committee with cyber oversight, no regular board briefings, no director with relevant expertise — are now exit-readiness issues that need to be addressed in the 18-24 months before public market access, not after the S-1 is filed.
Incident Response and the Four-Day Clock
The four-day disclosure window requires that incident response procedures be integrated with legal and executive decision-making from the outset. The sequence that triggers the clock (discovery, investigation, materiality determination) must be managed with the SEC deadline as an active constraint, bearing in mind that the rule requires the determination itself to be made without unreasonable delay after discovery. This means legal counsel must be engaged early in incident response, the materiality determination process must be defined in advance (not improvised under pressure), the date of the determination and the facts it rested on must be documented because the filing deadline is measured from it, and the board must be briefed on significant incidents promptly enough to exercise oversight over the disclosure decision.
Organizations that have not integrated legal counsel into their incident response procedures, have not defined a materiality determination process, or whose boards are not involved in incident response decisions at all are operationally unprepared for the SEC rule's requirements — regardless of their technical security posture.
Private Companies and PE: The Indirect Impact
The SEC rule directly applies to public companies. Its indirect impact on private companies and PE-backed businesses is significant for two reasons. First, the rule is driving convergence of disclosure expectations — private debt markets, institutional investors, and strategic acquirers are increasingly expecting cybersecurity governance practices aligned with SEC requirements even from private companies. Second, PE-backed companies on an IPO track need to build SEC-compliant governance infrastructure well before the offering, and the discovery of governance gaps post-investment is a material finding that affects exit valuation and timeline.
Related Reading
SolarWinds: When the SEC Targets the CISO
In October 2023, the SEC charged SolarWinds Corporation and its CISO, Timothy Brown, with securities fraud and internal controls violations, alleging that they misled investors about SolarWinds' cybersecurity practices and known risks in the period leading up to and following the 2020 Sunburst cyberattack. The charges alleged that SolarWinds' public statements about its security posture were materially inconsistent with internal assessments that documented significant vulnerabilities. In July 2024 a federal court in the Southern District of New York dismissed most of the charges, including those tied to post-incident disclosures and internal controls, while allowing the fraud claims based on the company's public security statement to proceed. Even so, the case has changed how CISOs, legal counsel, and boards approach public statements about cybersecurity. The CISO is now a potential named defendant in SEC enforcement actions. Board oversight of cybersecurity disclosures is now a legal necessity, not a governance aspiration.
The SEC requires public companies to disclose material cybersecurity incidents within four business days of determining materiality: not four business days after discovery, but four business days after the company determines that the incident is material. The materiality determination itself is a legal judgment that must be made without unreasonable delay and under board oversight, and getting it wrong in either direction has consequences.