COMMENTARY: Organizations may have been tackling cyberthreats for decades, but cyberattacks continue to grow in complexity and sophistication. Companies that rely on outdated methods of threat detection and risk management may increase exposure and weaken protection for themselves and their investors. To increase transparency and promote development of businesses’ cybersecurity strategies, the Securities and Exchange Commission issued new rules for reporting of cybersecurity risk management and incident reporting. With an understanding of the SEC’s reporting requirements, cybersecurity and compliance specialists can better ensure their companies’ compliance. [SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]
Incidental disclosures
The SEC rules specify instances in which public companies must report cybersecurity concerns in incidental and periodic disclosures. Incidental disclosures, such as Form 8-K, are reports that businesses must make to shareholders when something significant happens that is of interest to shareholders. Companies must use the appropriate incidental disclosure to report material cybersecurity incidents. With limited exceptions, businesses must generally complete and submit the report to the SEC within four business days of the organization determining that the cybersecurity incident is material.
Determining materiality of cybersecurity incidents
The materiality of a cybersecurity incident is the main trigger for incidental reporting. Generally, the SEC defines materiality as anything about an incident that shareholders would consider important in making an investment decision.
Periodic disclosures cover cybersecurity governance. Public companies are required to disclose details about their cybersecurity risk management strategies, as well as management’s role in those strategies and the board of directors’ oversight of them. These disclosures must be made in the business’s annual report, such as Form 10-K.
Risk assessment
In annual SEC reports, companies must discuss their risk assessments and risk management strategies. The SEC recommends considering operational risks, intellectual property theft, fraud, extortion, harm to employees or customers, violation of privacy laws, and reputational risk.
Management’s role in risk management
Disclosures should describe which positions or teams are tasked with assessment and management of cybersecurity risk, whether a chief information security officer exists, and the processes for monitoring, detecting, mitigating, and remediating cybersecurity incidents.
Structured data requirements
Cybersecurity disclosures are required to be filed using EDGAR and tagged with Inline XBRL. This structured data requirement makes cybersecurity disclosures more accessible and comparable for investors and regulators. For public companies, SEC compliance involves increased investment in cybersecurity risk assessment and governance disclosures. Staying current on SEC requirements helps organizations maintain compliance in an evolving risk landscape.
Christen Wojciechowski is Digital Marketing Manager for Donnelley Financial Solutions™ (DFIN), a global financial solutions company headquartered in Chicago. She focuses on the company’s marketing operations through brand awareness, lead generation, and engagement across channels. Her work covers both overall strategy and hands-on execution within the tools.