Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
Notwithstanding the transition in the administration, the U.S. Securities and Exchange Commission continues to implement and enforce its rules on cybersecurity risk management, strategy, governance and incident disclosure by public companies.
The rules, proposed in 2022, adopted in 2023 and in effect since late 2023, require public companies subject to the reporting requirements of the Securities Exchange Act of 1934 to disclose material cybersecurity incidents. The rules also mandate periodic disclosures about a company's processes for assessing, identifying and managing material cybersecurity risks; management's role in assessing and managing those risks; and the board of directors' oversight of cybersecurity risk.
Initially championed by former SEC Chair Gary Gensler, the rules were designed to provide investors with "consistent, comparable, and decision-useful information." Paul Atkins, President Donald Trump's nominee to serve as chairman, appeared for his confirmation hearing 27 March and is awaiting a confirmation vote; he previously served as a commissioner under President George W. Bush. Although he may have different goals for his tenure at the SEC, significant changes to the cybersecurity rules are unlikely at this point.
Under the first Trump administration, the SEC robustly enforced cybersecurity, both for public companies and regulated entities, and cybersecurity generally has bipartisan support in the investment space — in large part because the issue is viewed as having national and economic security impacts.
The SEC typically has five commissioners, one of whom serves as chair. Currently, the SEC is operating with only three commissioners, including acting Chairman Mark Uyeda.
In 2024, a Republican dissent in post-SolarWinds administrative proceedings questioned materiality thresholds applied in the settled actions and criticized the commission for playing "Monday morning quarterback."
Specifically, the dissenting commissioners expressed support for treating companies that have been subject to a cyberattack as victims. The dissent asserted that public companies are not required to disclose the identity of threat actors or furnish proof that the company conducted a robust post-incident investigation.
The dissent came on the heels of a federal court decision criticizing the SEC for reading its authority over internal accounting controls too expansively. Indeed, one of the dissenting commissioners has characterized the controls provision as the prior administration's "Swiss army knife," "a multi-use tool handy for compelling companies to adopt and adhere to policies and procedures that the Commission deems good corporate practice."
As the SEC awaits nomination proceedings to fill its remaining seats, much of its new enforcement agenda remains unclear. However, it seems very likely that new rules will facilitate enforcement, in part because the rules give enforcement attorneys another basis for charges.
Moreover, any significant cybersecurity event could further fuel interest in regulation and enforcement in this area for Republicans and Democrats alike. This interest could result in enforcement actions against individual executives responsible for cybersecurity programs and reporting obligations.
Existing obligations for public companies
Companies that have experienced a material cybersecurity incident should evaluate the need to disclose the incident on Form 8-K under Item 1.05. This disclosure should describe the material aspects of the incident's nature, scope and timing, and its material impact, or reasonably likely material impact, on the registrant, including its financial condition and results of operations.
As a general rule, companies must determine materiality without unreasonable delay after discovering an incident, based on both qualitative and quantitative factors, and, if the incident is deemed material, file the Form 8-K within four business days of that determination. In assessing materiality, companies may consider several factors, including: the incident's nature and extent; potential financial impact; potential harm to reputation; potential for litigation or regulatory action; and potential impact on strategic plans or competitive position.
A delay is permissible under the rule only if the U.S. attorney general determines that immediate disclosure poses a substantial risk to national security or public safety and notifies the SEC in writing. Foreign private issuers make comparable disclosures on Form 6-K.
In addition to these current reporting requirements, companies must file annual disclosures with more information about: their processes for assessing, identifying and managing material risks from cybersecurity threats; the material effects — or reasonably likely material effects — of risks from cybersecurity threats and previous cybersecurity incidents; and the board of directors' oversight of risks from cybersecurity threats and management's role and expertise in assessing and managing these risks.
These disclosures are required in a registrant's annual report on Form 10-K, with filing deadlines dependent on the company's status as a large accelerated filer, accelerated filer, or nonaccelerated filer. Foreign private issuers are required to make comparable disclosures on Form 20-F, four months after the fiscal year end.
Early observations from the first filing season
Since the rules took effect 18 Dec. 2023, the first round of annual Form 10-K reports subject to these new disclosure requirements has been filed. These filings reveal some interesting trends. Disclosures we have observed so far include:
- In-depth information about the company's board of directors, security executives and personnel, including the years of relevant experience that key employees bring to the company's overall security posture.
- Descriptions of how the company's employees and teams collaborate across different functional areas to share information and ensure the board of directors is actively involved and kept informed of emerging issues.
- Alignment with accepted security frameworks, such as ISO 27001 and the U.S. National Institute of Standards and Technology's Cybersecurity Framework, as well as any industry-specific measures the company has adopted.
- Descriptions of the security training, processes, guardrails and other measures deployed by the company to mitigate the risk and consequences of cybersecurity incidents, and a recap of the trainings and tabletop exercises the company has performed.
- Descriptions of the general state of cybersecurity as applicable to the company's industry and an acknowledgment of how those industry risks specifically apply to the company.
Applying lessons from the first filing season
Moving forward, companies should carefully analyze SEC filings across various industries to understand the level of detail and specificity expected in cybersecurity disclosures. Companies should also continue to monitor the evolution of these disclosures, particularly because the SEC may itself start comparing disclosures across industries or issuers to identify potential cases. While learning from others can be beneficial, companies should avoid generic or template-driven disclosures.
The SEC has made it clear, through various recently settled enforcement actions, that it expects companies to provide tailored, meaningful and informative disclosures that accurately reflect their specific cybersecurity risks and incidents. Even in the new administration, disclosures that minimize the impact of incidents, are overly generic, or attempt to downplay the severity of cybersecurity threats will face scrutiny.
Moreover, public companies that have experienced cyberattacks but fail to account for them when characterizing cybersecurity risks in their risk factor disclosures could face an SEC enforcement action for a misleading disclosure, for example by describing as hypothetical a risk that has already materialized. By focusing on accurate and realistic reporting, companies can ensure they are providing investors with the information they need to make informed investment decisions while complying with the SEC's evolving expectations.
Stephen Reynolds, CIPP/US, is data security and privacy partner, Tom Conaghan is a partner and co-head of the Capital Markets group, Paul Helms is a partner and co-head of the SEC Enforcement practice, and Katelyn Ringrose, CIPP/E, CIPP/US, CIPM, FIP, is privacy and cybersecurity senior associate at McDermott Will & Emery.