Quick Summary / Key Takeaways
- Material cybersecurity incidents must be disclosed within four business days after the company determines the incident is material, as required under Form 8-K Item 1.05.
- Annual reports must include cybersecurity risk management and governance disclosures under Regulation S-K Item 106, including how companies assess and manage cybersecurity threats.
- Materiality is evaluated from the perspective of a reasonable investor, using the SEC’s established materiality standard that considers both financial and operational impact.
- Foreign private issuers must disclose material cybersecurity incidents through Form 6-K and include cybersecurity risk management and governance disclosures in their Form 20-F annual reports.
- Companies must describe board oversight and management’s role in cybersecurity risk management, providing investors with visibility into how cybersecurity threats are monitored and addressed.
Introduction

Cybersecurity has become a core disclosure issue for public companies as digital threats increasingly affect operations, financial performance, and investor confidence. In response, the SEC cybersecurity disclosure rules established a standardized framework requiring companies to report material cybersecurity incidents and risk management practices in their public filings. These rules introduced specific reporting obligations, including Form 8-K Item 1.05 for material incidents and Regulation S-K Item 106 for cybersecurity risk management and governance disclosures in annual reports. The goal is to ensure investors receive timely, consistent information about how companies identify and manage cybersecurity risks.
The rules also emphasize materiality and reporting timelines. Companies must disclose a material cybersecurity incident within four business days after determining the incident is material, rather than when the breach is first discovered. In addition, annual filings must describe the company’s cybersecurity risk management processes, board oversight, and management’s role in monitoring cyber threats. These requirements position cybersecurity as a governance and disclosure issue, not just a technical matter handled by IT teams.
This guide explains the SEC Cybersecurity Disclosure Rules: Requirements and Deadlines, including how material incidents are defined, when reporting deadlines are triggered, and what companies must disclose in annual filings. For legal and compliance teams responsible for evaluating and reporting material cybersecurity incidents, platforms such as Dimension AI help review cybersecurity disclosures against prior SEC filings using precedent-based workflows with traceable sources from EDGAR, helping ensure incident disclosures and governance reporting remain accurate, auditable, and aligned with SEC cybersecurity reporting requirements.
SEC Cybersecurity Disclosure Rules: Key Filing Forms and Reporting Deadlines
| Filing Form | Disclosure Purpose | Reporting Deadline | Who Must File |
|---|---|---|---|
| Form 8-K (Item 1.05) | Disclosure of material cybersecurity incidents, including nature, scope, timing, and material impact | Within 4 business days after the company determines the incident is material | All U.S. public companies |
| Form 10-K | Annual disclosure of cybersecurity risk management processes, strategy, and governance oversight under Regulation S-K Item 106 | Annual filing deadline | All U.S. public companies |
| Form 20-F | Annual disclosure of cybersecurity risk management and governance for foreign private issuers | Annual filing deadline | Foreign private issuers |
| Form 6-K | Disclosure of material cybersecurity incidents or updates when the information is made public or required in the issuer’s home jurisdiction | Prompt disclosure | Foreign private issuers |
Factors Used to Assess Cybersecurity Incident Materiality
| Incident Type | Description | Potential Financial Impact | Potential Investor / Market Impact |
|---|---|---|---|
| Data Breach | Unauthorized access to sensitive customer, employee, or proprietary data | Investigation costs, remediation expenses, regulatory penalties | Loss of customer trust and investor confidence |
| Ransomware Attack | Systems encrypted or disabled by attackers demanding payment | Operational disruption, recovery costs, possible ransom payments | Concerns about operational resilience |
| Intellectual Property Theft | Theft of proprietary technology, trade secrets, or strategic data | Loss of competitive advantage and long-term revenue impact | Increased disclosure scrutiny from investors |
| System Outage from Cyber Incident | Disruption of critical systems or services caused by a cyberattack | Lost revenue, contractual penalties, operational recovery costs | Market concern over reliability of operations |
Cybersecurity Disclosure Readiness Checklist (Before a Reportable Incident)
- Establish a cross-functional incident response team that includes legal, cybersecurity, compliance, and investor relations leadership.
- Define a documented internal process for determining incident materiality in line with SEC standards used for Form 8-K Item 1.05 disclosures.
- Implement internal controls to monitor and document cybersecurity risks and incidents that could affect financial condition or operations.
- Train directors and relevant board committees on their cybersecurity oversight and disclosure responsibilities required under Regulation S-K Item 106.
Cybersecurity Disclosure Compliance Checklist (After an Incident or Filing Review)
- Confirm whether the incident meets the materiality threshold that triggers the Form 8-K four-business-day disclosure requirement.
- Review Form 10-K or Form 20-F cybersecurity risk disclosures to ensure governance and risk management descriptions remain accurate.
- Validate that internal reporting processes allow teams to identify, evaluate, and escalate incidents quickly enough to meet SEC deadlines.
- Maintain clear documentation of incident evaluations and disclosure decisions to support auditable SEC reporting and regulatory review.
Table of Contents
Section 1: MATERIAL CYBERSECURITY INCIDENT DISCLOSURE AND REPORTING TIMELINES
Section 2: CYBERSECURITY DISCLOSURES IN ANNUAL FILINGS AND CORPORATE GOVERNANCE
Section 3: DISCLOSURE EXCEPTIONS, RISK MANAGEMENT, AND ENFORCEMENT RISKS
Frequently Asked Questions
Section 1: MATERIAL CYBERSECURITY INCIDENT DISCLOSURE AND REPORTING TIMELINES
FAQ 1: What constitutes a material cybersecurity incident?
Under the SEC cybersecurity disclosure rules, a cybersecurity incident is considered material if there is a substantial likelihood that a reasonable investor would view the information as important when making an investment decision. This standard follows the long-standing SEC materiality framework and applies to disclosures required under Form 8-K Item 1.05. Companies must assess both quantitative impacts, such as financial losses or operational disruption, and qualitative factors, including potential harm to customer relationships, exposure of sensitive data, or compromise of intellectual property.
The determination focuses on the overall impact on the company’s financial condition, results of operations, or business strategy, rather than only the technical severity of the attack. Public companies typically rely on cross-functional internal review processes involving legal, cybersecurity, and executive leadership to evaluate incidents quickly and determine whether disclosure is required under the SEC’s reporting rules.
FAQ 2: When is the four-day reporting deadline triggered?
The four-business-day reporting deadline begins once a company determines that a cybersecurity incident is material under the SEC’s disclosure rules. This requirement is established under Form 8-K Item 1.05, which obligates registrants to disclose material cybersecurity incidents. The clock does not start when the incident is first detected, but when management concludes that the incident meets the SEC materiality standard based on its potential impact on the company’s financial condition, operations, or investor decision-making.
Companies are expected to make the materiality determination without unreasonable delay after discovering the incident. Once the determination is made, the company must file a Form 8-K within four business days describing the material aspects of the incident, including its nature, scope, and timing, to the extent known at the time of filing. Delays in making the determination or submitting the filing can increase regulatory risk and draw scrutiny from the SEC.
Section 2: CYBERSECURITY DISCLOSURES IN ANNUAL FILINGS AND CORPORATE GOVERNANCE
FAQ 3: What must be included in the annual 10-K filing?
Under the SEC’s cybersecurity disclosure rules, companies must include specific cybersecurity risk management disclosures in their Form 10-K under Regulation S-K Item 106. These disclosures must describe the company’s processes for assessing, identifying, and managing material risks from cybersecurity threats, including whether and how those risks have materially affected or are reasonably likely to materially affect the company’s business strategy, results of operations, or financial condition.
The filing must also explain the governance structure for cybersecurity oversight. This includes how the board of directors oversees cybersecurity risk and the role of management in assessing and managing cybersecurity threats. Companies are expected to describe the relevant expertise, reporting structures, and processes used to monitor cybersecurity risks, ensuring that investors understand how cybersecurity is integrated into the company’s overall risk management framework.
FAQ 4: How do these rules affect foreign private issuers?
The SEC’s cybersecurity disclosure rules also apply to foreign private issuers (FPIs), but the reporting framework differs from that of domestic registrants. When a cybersecurity incident is determined to be material, an FPI must disclose the incident on Form 6-K if the company publicly discloses the information in its home jurisdiction, files it with a foreign exchange, or distributes it to security holders. This approach ensures that U.S. investors receive access to the same material cybersecurity information that the issuer provides in its primary markets.
FPIs must also include cybersecurity risk management and governance disclosures in their annual report on Form 20-F, consistent with the SEC’s cybersecurity rule updates. These disclosures require companies to describe their processes for assessing and managing cybersecurity risks and the role of management and the board in overseeing those risks, providing investors with a clear view of how cybersecurity threats are monitored and addressed.
FAQ 5: What is the board's role in cybersecurity governance?
Under the SEC’s cybersecurity disclosure rules, companies must describe how the board of directors oversees cybersecurity risks in their annual filings. These requirements appear in Regulation S-K Item 106, which requires disclosure of the board’s role in monitoring cybersecurity threats and how management reports cybersecurity risks to the board. Companies must explain whether cybersecurity oversight is handled by the full board or a specific committee, and how the board is informed about material cybersecurity risks and incidents.
The disclosure must also explain management’s role in assessing and managing cybersecurity threats, including which executives or teams are responsible for cybersecurity risk management and how they communicate with the board. The goal is to provide investors with clear visibility into how cybersecurity risk oversight is integrated into the company’s governance structure.

Section 3: DISCLOSURE EXCEPTIONS, RISK MANAGEMENT, AND ENFORCEMENT RISKS
FAQ 6: Can companies delay disclosure for national security?
Yes. The SEC cybersecurity disclosure rules allow a company to delay reporting a material cybersecurity incident if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety. When this determination is made, the Attorney General provides written notification to the SEC, which allows the company to postpone the Form 8-K Item 1.05 disclosure.
The initial delay may last up to 30 days, and the Attorney General may grant an additional 30-day extension if the risk continues. Outside of this limited exception, companies must follow the standard rule and file Form 8-K within four business days after determining the incident is material.
FAQ 7: How should companies describe their risk management processes?
Under the SEC cybersecurity disclosure rules, companies must describe how they assess, identify, and manage material risks from cybersecurity threats in their annual filings. These disclosures appear under Regulation S-K Item 106 and should explain the company’s cybersecurity risk management framework, including whether cybersecurity risks are integrated into the organization’s broader enterprise risk management processes. Companies may also disclose the use of third-party service providers, consultants, or internal security teams involved in monitoring and managing cybersecurity risks.
The disclosure should focus on the structure and governance of the cybersecurity risk management program, rather than detailed technical controls that could create security vulnerabilities. Many organizations describe oversight processes, incident response planning, and internal reporting channels that inform management and the board about cybersecurity risks. Using precedent-based workflows with traceable sources from prior SEC filings can help legal and compliance teams prepare disclosures that remain auditable, verifiable, and consistent with SEC reporting expectations.
FAQ 8: What are the consequences of non-compliance?
Failure to comply with the SEC cybersecurity disclosure rules can expose companies to SEC enforcement actions, including civil penalties and investigations related to inaccurate or delayed disclosures. If a company fails to report a material cybersecurity incident under Form 8-K Item 1.05 or provides misleading information in its filings, the SEC may pursue enforcement under the Securities Exchange Act of 1934, particularly the antifraud and reporting provisions. Non-compliance can also increase litigation risk, as investors may file securities class-action lawsuits if a material cyber incident was not disclosed properly.
Beyond regulatory exposure, delayed or inaccurate cybersecurity disclosures can damage investor confidence and market credibility. Public companies are expected to maintain reliable reporting processes for incident assessment and disclosure. Dimension AI helps legal and compliance teams review cybersecurity disclosures against prior SEC filings using precedent-based workflows with traceable sources, helping ensure that incident reporting remains accurate, auditable, and aligned with SEC disclosure requirements.
Article Summary
Master the SEC cybersecurity disclosure rules with our guide on requirements and deadlines. Learn about 8-K reporting and 10-K risk management standards.