SEC Adopts New Rule on Cybersecurity Incident Disclosure Requirements

Published: 23/11/2024   Category: security




Boards must now file notice of a material incident within four business days, though questions remain.



The Securities and Exchange Commission (SEC) has adopted a rule requiring registrants to disclose material cybersecurity incidents they experience and to disclose, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance, according to an SEC statement released today.
"Whether a company loses a factory in a fire, or millions of files in a cybersecurity incident, it may be material to investors," said SEC chair Gary Gensler. "Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them."
The rule itself noted that "under-disclosure regarding cybersecurity persists despite the Commission's prior guidance; investors need more timely and consistent cybersecurity disclosure to make informed investment decisions; and recent legislative and regulatory developments elsewhere in the Federal government, including those developments subsequent to the issuance of the Proposing Release such as CIRCIA and the Quantum Computing Cybersecurity Preparedness Act, while serving related purposes, will not effectuate the level of public cybersecurity disclosure needed by investors in public companies."
The new rule requires a Form 8-K to be filed within four business days of the registrant determining that an incident was material. Note that the clock runs from the materiality determination, not from discovery of the incident. However, the SEC, much like the General Data Protection Regulation and US state data breach disclosure laws, does not specify the criteria enterprises should apply when deciding whether an incident is material, and therefore does not pin down exactly when that four-day clock starts ticking.
As to what makes an incident material, the SEC is defining the term slightly differently than it has on other matters. Traditionally, "material" meant anything significant enough to be likely to move the stock price, so a $20 million acquisition might be material for a smaller company but not for a much larger one. In the July 26 cybersecurity rule, the SEC took a slightly more aggressive stance, noting that information is material if it is something an investor would want to know.
"Information is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision, or if it would have significantly altered the total mix of information made available," the SEC stated. "Doubts as to the critical nature of the relevant information should be resolved in favor of those the statute is designed to protect, namely investors."
The SEC also carved out some specific details from the disclosure requirement, so that a filing need not hand attackers a map of the victim's environment or its remediation plan:
"This requirement would not extend to specific, technical information about the registrant's planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede the registrant's response or remediation of the incident."
