The U.S. Securities and Exchange Commission (SEC) recently implemented a new rule mandating stringent cybersecurity incident reporting and disclosure requirements for public companies.

This FAQ aims to provide answers to common questions leaders have regarding the SEC cyber disclosure rule. It covers the purpose and timeline of the cyber disclosure regulation, key definitions, including material cyber incidents, disclosure logistics, and ways organizations can begin preparing for compliance. Guidance is provided for leaders on steps companies should take in areas like incident response, materiality analysis, disclosure procedures, and board communications to meet the rule's rigorous standards.

Reviewing this FAQ will equip executives and board members with insights to ensure their organization can comply with the SEC's new cyber incident disclosure rule.

1. What is the new SEC cybersecurity disclosure rule?

The Securities and Exchange Commission (SEC) has instituted a new rule requiring public companies to provide enhanced and standardized disclosures pertaining to cybersecurity risk management, strategy, governance, and security incidents.

Under the rule, a company must report a cybersecurity incident on Form 8-K (Item 1.05) within four business days of determining that the incident is material. Separately, the annual report on Form 10-K must describe the company's processes for assessing, identifying, and managing material cybersecurity risks, management's role in those processes, and the board of directors' oversight of cybersecurity risk.

Guidance: Organizations should ensure they thoroughly understand the new reporting timelines, definitions, and required disclosure details in the new rule. Companies should prepare to meet accelerated timeframes for reporting material cyber incidents.

2. What cybersecurity concerns is the SEC looking to address?

The new rule aims to provide investors with timely, reliable, and consistent information regarding cybersecurity risks and events that could impact them financially.

The SEC recognizes evolving risks from new technologies like artificial intelligence, hybrid remote work environments, and cryptocurrencies. It also acknowledges escalating cyber threats such as ransomware that can profoundly impact investors in companies that suffer material incidents.

Guidance: Organizations should ensure they have a solid grasp of the cybersecurity risk landscape, including emerging threats that could materially impact the business and its shareholders. Stay on top of threat intelligence and re-evaluate risks continually across all of your environments.

3. Is this SEC rule a surprise?

No, the SEC has been focused on enhancing cybersecurity disclosures for many years. The agency provided guidance in 2011 and 2018 utilizing existing disclosure rules.

After monitoring registrants' disclosures and finding room for improvement in the quality and consistency of reporting, the SEC proposed new rules in March 2022. Following an extensive public comment period, the final rule was adopted in July 2023.

Guidance: SEC registrants should review the history of SEC cybersecurity guidance and rules. Understand that while this new rule signifies a regulatory shift, it is an evolution of increasing SEC attention to cyber risks.

4. How is a “cybersecurity incident” defined by the new SEC rule?

A cybersecurity incident is defined as “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” It is worth noting that:
    (1) An unauthorized occurrence includes an accidental one, such as a misconfiguration or operator error, even when no malicious activity has been confirmed.
    (2) A “series of related unauthorized occurrences” means that, for example, one actor carrying out a number of small, continuous attacks, or different actors exploiting the same vulnerability, can together constitute a cybersecurity incident even if no single attack is significant on its own.
    (3) “Information systems” is defined broadly, as information resources owned or used by the registrant: it covers not only systems the registrant owns but also hosted systems, cloud and SaaS (software as a service) services, and systems operated by third parties on the registrant's behalf.

Guidance: Make sure your processes and procedures for detecting, reporting and responding to incidents address not only significant malicious activities but also the broader scope of “cybersecurity incidents” as defined by the SEC rule.

5. How does this differ from current cybersecurity disclosure best practices?

The four-business-day reporting window for material cyber incidents is far shorter than the timelines most organizations work to today. Moreover, the broad definition of “cybersecurity incident” covers occurrences, including accidental ones and series of related small events, that many companies do not address in their incident response plans and playbooks (see above).

The annual reporting requirements on cyber risk management and board oversight also go beyond many companies' existing disclosures. Additionally, the disclosures must be tagged in Inline XBRL, which diverges from the word-processing and PDF formats most companies use internally.

Guidance: Evaluate your current processes for investigating and disclosing material cyber incidents. Consider ways to accelerate detection, investigation, materiality decisions, and public reporting. Also assess increasing board of directors communications and oversight of cyber risks.

6. How is a material cybersecurity incident defined?

The U.S. Supreme Court has defined materiality in multiple cases, stating that information is material if there is a substantial likelihood that a reasonable shareholder would consider it important when making an investment decision.

Information is also considered material if its disclosure would have significantly altered the total mix of information available to a reasonable investor. Importantly, a lack of quantifiable financial harm does not necessarily mean an incident is immaterial.

Guidance: Companies should align their own cybersecurity incident definitions and classifications with the SEC's new material incident designation. Incident response processes should account for incidents spanning owned and third-party systems.

7. How should companies evaluate materiality of a cyber incident?

When assessing materiality, companies should consider factors such as the likelihood of an adverse outcome, the potential significance of any loss, the nature and extent of harm to individuals, customers, vendors, reputation, and competitiveness, and the possibility of litigation or regulatory investigation. The assessment must also cover incidents on third-party systems the company relies on, since those fall within the rule's definition of information systems.

It is also important to note that several smaller incidents that are similar in nature may together be material even when no single one would be. Teams need to be able to correlate such incidents over time to determine if and when, taken together, they cross the materiality threshold.

The rule sets no fixed deadline for the materiality determination itself, but requires that it be made without unreasonable delay after discovery of the incident; the Form 8-K is then due within four business days of that determination. Because the filing clock starts at the determination rather than at discovery, the determination process must not be used to defer disclosure.

Guidance: Develop a formal methodology for evaluating cyber incident materiality that goes beyond quantitative factors. Involve stakeholders from legal, PR/communications, business leadership, and cybersecurity to get broad input on potential business impacts. Have systems and support in place to hunt for incidents across environments and evaluate materiality.
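The two points above that are easiest to get wrong in practice, aggregating a “series of related unauthorized occurrences” (question 4) and starting the four-business-day clock from the materiality determination rather than from discovery, are shown below in a small Python incident-register sketch. This is an added example, not code from the original FAQ or from Mitiga's platform. The linking rule (same attributed actor or same exploited weakness within a 90-day window), the record-count screen, the sample occurrences, and the holiday date are constructed assumptions for illustration; the SEC's materiality test is qualitative, so the quantitative screen here only decides what is escalated for judgment.

```python
"""Added example, not from the original FAQ or Mitiga's platform: a toy
incident register that links related occurrences into a series, screens the
aggregated series, and computes the Form 8-K Item 1.05 deadline (four business
days after the materiality determination). The linking keys, window,
threshold, sample data and holiday date are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Occurrence:
    occ_id: str
    detected: date
    system: str                     # owned, hosted, cloud or SaaS system
    records_affected: int
    actor: Optional[str] = None     # attributed threat actor, if known
    weakness: Optional[str] = None  # exploited vulnerability or misconfiguration


def group_related(occurrences: List[Occurrence],
                  window_days: int = 90) -> List[List[Occurrence]]:
    """Union-find over occurrences: two events are linked when they share an
    actor or a weakness and were detected within window_days of each other.
    Links are transitive, so a long campaign of small events chains into one
    series. Returns one list per series, each in detection order."""
    occs = sorted(occurrences, key=lambda o: o.detected)
    parent = list(range(len(occs)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    for i, a in enumerate(occs):
        for j in range(i + 1, len(occs)):
            b = occs[j]
            if (b.detected - a.detected).days > window_days:
                break   # sorted by date: every later j is further away still
            same_actor = a.actor is not None and a.actor == b.actor
            same_weakness = a.weakness is not None and a.weakness == b.weakness
            if same_actor or same_weakness:
                parent[find(i)] = find(j)

    series: Dict[int, List[Occurrence]] = {}
    for i, occ in enumerate(occs):
        series.setdefault(find(i), []).append(occ)
    return list(series.values())


def screen_series(series: List[Occurrence],
                  record_threshold: int = 100_000) -> dict:
    """Aggregate a series and apply a constructed quantitative screen. The SEC
    test is qualitative (reasonable-investor standard), so a False result
    means "escalate for judgment", never "immaterial"; True means the series
    goes to the materiality committee immediately."""
    total = sum(o.records_affected for o in series)
    return {
        "occurrences": [o.occ_id for o in series],
        "systems": sorted({o.system for o in series}),
        "records_affected": total,
        "first_detected": min(o.detected for o in series).isoformat(),
        "last_detected": max(o.detected for o in series).isoformat(),
        "exceeds_threshold": total >= record_threshold,
    }


def form_8k_deadline(determination: date,
                     holidays: Optional[Set[date]] = None) -> date:
    """Four business days after the day the incident is determined to be
    material. Weekends and the supplied holidays are skipped; the
    determination day itself does not count as one of the four."""
    holidays = holidays or set()
    remaining, d = 4, determination
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            remaining -= 1
    return d


# Constructed sample: three modest exfiltration events attributed to the same
# actor across two SaaS tenants, plus one unrelated storage misconfiguration.
SAMPLE = [
    Occurrence("OCC-1", date(2024, 1, 8), "crm-saas", 30_000, actor="UNC-X"),
    Occurrence("OCC-2", date(2024, 1, 22), "crm-saas", 45_000, actor="UNC-X"),
    Occurrence("OCC-3", date(2024, 2, 5), "hr-saas", 40_000, actor="UNC-X"),
    Occurrence("OCC-4", date(2024, 2, 6), "object-storage", 500,
               weakness="public-bucket-acl"),
]
# Constructed dates: determination on Friday 2024-02-16, with Monday
# 2024-02-19 (a U.S. federal holiday) falling inside the filing window.
DETERMINATION = date(2024, 2, 16)
HOLIDAYS = {date(2024, 2, 19)}

if __name__ == "__main__":
    for s in group_related(SAMPLE):
        result = screen_series(s)
        print(result)
        if result["exceeds_threshold"]:
            print("Form 8-K due by", form_8k_deadline(DETERMINATION, HOLIDAYS))
```

Run as-is, the three UNC-X events (none of which crosses the 100,000-record screen alone) are linked into one series totalling 115,000 records and escalated, while the lone bucket misconfiguration is reported as a separate, sub-threshold occurrence that still needs a qualitative look. The deadline helper shows why the calendar matters: a Friday determination with a Monday holiday pushes the filing to the following Friday, one day later than a plain four-business-day count without the holiday.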

8. What details must be disclosed on material cyber incidents?

Disclosures must describe the material aspects of the nature, scope, and timing of the incident, and its material impact, or reasonably likely material impact, on the company, including its financial condition and results of operations. The aim is to give investors a meaningful understanding of the risk and its consequences. The rule does not require the company to disclose specific or technical information about its planned response or its systems, networks, devices, or vulnerabilities in such detail as would impede its response or remediation.

Guidance: Have robust incident investigation procedures to uncover key details like root cause, data or systems impacted, duration, and business and user impacts. Draft disclosure templates ready for rapid completion when material events occur, and agree in advance with legal and security leadership how much technical detail will be published and how much withheld to avoid impeding remediation.

9. Can disclosure ever be delayed?

Disclosure may be delayed only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing. The initial delay may last up to 30 days, extendable by up to an additional 30 days, and in extraordinary circumstances by up to a further 60 days. The exemption is not automatic: the company must seek the Attorney General's determination itself.

Guidance: Incident analysis should determine whether an incident could plausibly qualify for a delay. If so, have a playbook ready for requesting one, including who contacts law enforcement and how the request is documented. Obtaining the Attorney General's determination will be difficult and the delay is short and time-boxed, so companies should not plan around delayed reporting.

10. When do companies need to start complying?

The rule took effect on September 5, 2023. Most public companies have been required to report material incidents on Form 8-K since December 18, 2023; smaller reporting companies had until June 15, 2024. The annual cybersecurity disclosures are required in Form 10-K filings for fiscal years ending on or after December 15, 2023.

Guidance: Immediately initiate projects to evaluate and enhance incident response, materiality analysis, disclosure reporting, and board communications procedures to meet the rule timeframes.

11. How can enterprises best prepare for meeting the new disclosure rule requirements?

Enterprises should take proactive steps to evaluate and enhance their cybersecurity incident response and disclosure procedures in order to comply with the SEC's new rule. Leading up to the rule's effective date, organizations should focus on educating internal and external stakeholders, assessing current processes, strengthening response capabilities, and testing new plans.

Specifically, organizations should:

  • Conduct training to educate leaders, cybersecurity teams, investor relations, and other stakeholders on the details of the new SEC disclosure rule.
  • Develop efficient procedures to rapidly ascertain the materiality of cyber incidents based on potential impact to the business and investors.
  • Test incident response processes through simulations and tabletop exercises. Verify the ability to swiftly gather key details needed for disclosure like the nature, scope, and timing of material incidents.
  • Conduct mock disclosures and practice going through the SEC reporting mechanisms under time pressure. This will build muscle memory for responding quickly during actual incidents.
  • Perform gap assessments comparing current incident response and disclosure practices against the new regulatory requirements. Identify areas for improvement.
  • Make sure the right tools and capabilities are in place to:

            - Rapidly detect, investigate and assess materiality of incidents

            - Collect the needed forensic data across all environments—including cloud and SaaS

            - Document and log series of small incidents and identify when these become a “disclosable” cyber incident

  • Review third-party vendor contracts and incident response plans. Ensure their plans allow your company to uphold SEC disclosure duties or seek partners who

12. How can Mitiga help companies meet the new requirement?

Mitiga provides the capabilities and expert teams that enable enterprises to meet the SEC's cybersecurity disclosure rule. Mitiga's platform is the industry’s most complete cloud threat detection, investigation, and response solution. This approach enables rapid investigation of cyber incidents, which is critical for making timely materiality determinations and disclosure decisions within the four-business-day reporting window.

Mitiga gathers the needed forensic data before a breach takes place and keeps it on hand for up to three years. This provides ongoing visibility into threats across an enterprise's entire cloud and SaaS estate and supports swift investigation of the nature, scope, and timing of cyber incidents. Mitiga's focus on cloud and SaaS environments also provides visibility into incidents affecting third-party systems that fall within the rule's definition of information systems.

In addition, Mitiga’s Managed Threat Hunting provides enterprises with the technology and expert teams to uncover attacks across all their cloud and SaaS environments. Even when an attack arrives as a series of small events, Mitiga can help connect the dots and determine whether a material “series of related unauthorized occurrences” has taken place. This situational awareness supports more informed materiality analysis and disclosure drafting.

In the critical period during and after an incident, Mitiga's threat hunting can rapidly identify other vulnerabilities that may be exploited in follow-on attacks. This allows companies to determine the full scope of a material incident and put in place containment measures.

Overall, these cloud and SaaS breach readiness, managed threat hunting, and incident investigation and response automation capabilities allow organizations to gather details on cyber incidents, evaluate their materiality, and file with the SEC within the accelerated timeframe the rule requires. These are invaluable capabilities in today’s threat and regulatory environment.

LAST UPDATED:

March 3, 2025

To learn more on the SEC ruling, check out this on-demand video.
