In response to the rise in cyberattacks and growing pressure from investors and regulators, the U.S. Securities and Exchange Commission (SEC) has introduced new cybersecurity disclosure requirements for public companies. These rules are reshaping how organizations report cyber incidents and manage cybersecurity risks.
If you're a publicly traded company—or planning to go public—understanding the SEC’s cybersecurity disclosure rules is essential to staying compliant and building trust with stakeholders. Here's what you need to know in 2025.
Finalized in mid-2023 and fully enforceable as of 2024, the SEC's cybersecurity rules require companies to disclose material cyber incidents promptly and describe their overall approach to cybersecurity risk management in annual filings.
There are two core components of the rules:
These rules aim to bring greater consistency, transparency, and investor insight into how companies are preparing for and responding to cyber threats.
The SEC defines a material cybersecurity incident as any event that affects or is reasonably likely to affect an investor’s decision-making. Materiality is not about the technical scale of the event—it’s about the impact on the business.
Examples of material incidents include:
Importantly, companies are expected to make a materiality determination quickly. Once an incident is deemed material, the four-day disclosure window begins.
The required disclosure under Item 1.05 of Form 8-K includes:
Companies are not required to disclose specific technical details that could aid attackers, but they must provide enough information for investors to understand the business impact.
There is a limited allowance for delayed disclosure if the U.S. Attorney General determines that immediate disclosure would pose a risk to national security or public safety.
Starting with fiscal years ending in 2023, companies are required to provide the following information in their Form 10-K filings:
This shift is meant to highlight whether a company has a mature, structured approach to cybersecurity or is merely reacting to issues as they arise.
For public companies, these rules change the game. Cybersecurity is no longer just an internal concern—it’s a governance and investor-relations priority. Compliance now requires closer collaboration between IT, legal, risk, compliance, and executive leadership.
The rules also increase pressure on boards and C-level leaders to stay informed about their company’s security posture. Investors will be looking at cybersecurity disclosures the same way they analyze financial risks.
Failing to comply could result in:
Ensure your incident response (IR) plan includes a process to evaluate materiality, escalate decisions quickly, and prepare disclosure content. Run internal simulations to test readiness.
Educate your board and executive team on their cybersecurity responsibilities. Regular briefings, dashboards, and reporting mechanisms are essential.
Follow proven standards like the NIST Cybersecurity Framework, ISO 27001, or SOC 2 to create a defensible risk management approach.
Use vulnerability scanning, penetration testing, and third-party risk evaluations to stay ahead of potential exposures and demonstrate due diligence.
Establish internal workflows for determining materiality and preparing disclosures on tight timelines. Have templates and review processes in place.
The SEC’s cybersecurity disclosure rules are a wake-up call for public companies. In 2025, compliance isn’t just about technology—it’s about transparency, governance, and accountability. Organizations that prepare now will not only meet regulatory expectations but also build trust with investors and customers.
Cyber risk is business risk. And the ability to respond, report, and recover is now part of your public responsibility.