SEC cybersecurity incident disclosure requirements

The SEC cybersecurity incident disclosure requirements are rules adopted in 2023 by the U.S. Securities and Exchange Commission (SEC) requiring publicly traded companies to disclose material cybersecurity incidents and to provide periodic information about cybersecurity risk management, governance, and oversight.[1][2][3]

Other short titles: Release No. 33-11216
Long title: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
Enacted by: the Securities and Exchange Commission United States Congress
Effective: 5 September 2023

The rules amend reporting requirements under U.S. federal securities laws, including new disclosure obligations in Form 8-K and periodic reporting forms.[4]

Background

The SEC proposed cybersecurity disclosure rules in 2022 amid increasing concerns about cyberattacks affecting public companies and the lack of consistent disclosure of cybersecurity risks to investors. The SEC adopted the rules on 26 July 2023.[5] The rules became effective on 5 September 2023.[6] Regulators argued that standardised reporting would improve transparency regarding how companies manage cybersecurity threats and incidents.[7]

Overview

The rules require registrants to disclose a cybersecurity incident if it is determined to be material under federal securities law.[8][9] If an incident is determined to be material, companies must generally disclose it on Form 8-K within four business days after the determination is made.[10]

References

  1. Rundle, James (26 July 2023). "SEC Approves Cyber Incident-Reporting Rules for Public Companies". The Wall Street Journal. Retrieved 4 March 2026.
  2. "SEC Cyber Rule Introduces Reporting, Oversight Requirements". The Wall Street Journal. 4 August 2023. Retrieved 4 March 2026.
  3. Uslaner, Jonathan D. (31 May 2024). "The SEC's new cybersecurity disclosure rules decoded: what they mean for investors". Reuters. Retrieved 4 March 2026.
  4. "SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies". U.S. Securities and Exchange Commission. 26 July 2023.
  5. "SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies". U.S. Securities and Exchange Commission. 26 July 2023.
  6. "Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Release No. 33-11216)" (PDF). U.S. Securities and Exchange Commission. 26 July 2023.
  7. Uslaner, Jonathan D. (31 May 2024). "The SEC's new cybersecurity disclosure rules decoded: what they mean for investors". Reuters. Retrieved 4 March 2026.
  8. "Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Release No. 33-11216)" (PDF). U.S. Securities and Exchange Commission. 26 July 2023.
  9. "SEC Cybersecurity Disclosure Rules". Practical Law The Journal. Thomson Reuters. 1 September 2023. Retrieved 4 March 2026.
  10. "SEC Finalizes Cybersecurity Disclosure Rules". Skadden, Arps, Slate, Meagher & Flom. 2023.