With so many business activities in the 21st century occurring online or through digital systems, data breaches are a serious risk for any company. As cybercriminals become more sophisticated, and the volume of sensitive data stored by businesses continues to expand, the potential costs of data breaches have also increased. Because of these threats, the U.S. Securities and Exchange Commission (SEC) has adopted cybersecurity rules that place significant legal obligations on publicly traded companies. These rules have real consequences, and companies that fail to comply face serious regulatory risk.
Understanding what is required under the SEC’s rules and how to build an organization-wide response is not optional for public companies. A business law attorney who has a deep understanding of securities law and cybersecurity compliance can help companies address these requirements, develop proactive strategies, and respond effectively when incidents occur.
The Scale of the Data Breach Problem
According to the Identity Theft Resource Center (ITRC), there were 3,158 reported data compromises in the United States in 2024. Many companies are facing near-constant cyberattacks. A widely cited University of Maryland study found that, on average, an attack occurs every 39 seconds. The financial cost of these incidents is massive. According to IBM’s Cost of a Data Breach Report, the average cost of a data breach in the United States was more than $10 million in 2025. These figures underscore why regulators work to ensure that cybersecurity risks are disclosed to investors.
Overview of the SEC’s Cybersecurity Rules
The SEC adopted cybersecurity disclosure rules in 2023. These rules apply to all public companies that are subject to the Securities Exchange Act. Under the cybersecurity rules, companies have two separate but related obligations: a requirement to quickly disclose material cybersecurity incidents, and a requirement to provide detailed annual disclosures about cybersecurity risk management, strategy, and governance.
Material Incident Reporting: The Four-Day Rule
Under the SEC’s rules, public companies are required to disclose material cybersecurity incidents within four business days. This disclosure is made through Form 8-K. The four-day clock does not start at the moment of the breach itself. Rather, it starts when a company determines that an incident is material.
What Is a Material Incident?
A cybersecurity incident is considered material if it is likely to have a significant impact on a company’s business. The impact may involve direct costs, lost revenue, or regulatory fines, as well as reputational damage, increased exposure to litigation, or disruption to a company’s core operations.
Examples of incidents that may be considered material include:
• Large-Scale Data Breaches: Discovery of unauthorized access to significant volumes of personal information for customers or employees
• Ransomware Attacks: Incidents that prevent a company from using critical systems and disrupt its business operations
• Theft of Intellectual Property: Unauthorized access to proprietary trade secrets or financial data
• Attacks on Financial Reporting Systems: Incidents that affect a company’s internal controls or the integrity of financial data
When making a disclosure using Form 8-K, a company must describe the nature, scope, and timing of the incident, as well as the material impact that the breach has had on the company.
Annual Risk Management and Governance Disclosures
In addition to reporting material incidents, public companies are required to make annual cybersecurity risk management and governance disclosures to the SEC through Form 10-K.
Risk Management and Strategy
Companies must describe their processes for identifying, assessing, and managing material cybersecurity risks. This includes:
• Risk Assessment Processes: How a company evaluates and addresses cybersecurity threats
• Third-Party Risks: How the company manages risks related to vendors, service providers, and other third parties that may have access to sensitive systems or data
• Integration With Overall Risk Management: How cybersecurity risk management is incorporated into a company’s broader risk management policies and procedures
• Previous Incidents: Whether any cybersecurity incidents have affected a company, and how those incidents were addressed
Board and Management Oversight
The SEC’s rules also require companies to disclose how boards of directors and management teams oversee cybersecurity risks. Specifically, companies must identify:
• Board Oversight: Which board members or board committees are responsible for cybersecurity oversight, and how often the board receives updates on cybersecurity risks
• Management Roles: Which management positions or committees are responsible for assessing and managing cybersecurity risks, including a discussion of their relevant backgrounds and experience in cybersecurity
• Reporting Structures: How information about cybersecurity risks is communicated between management and the board
These disclosures are designed to give investors meaningful insight into whether a company takes cybersecurity seriously.
Consequences of Non-Compliance
Failure to comply with the SEC’s rules regarding disclosures and reporting can lead to serious consequences. Companies that fail to file 8-K disclosures within the proper time periods, do not provide complete annual risk disclosures, or fail to provide material information about governance may face SEC enforcement actions and civil penalties.
In addition to SEC penalties, inadequate disclosures can expose a company to shareholder litigation, claims of securities fraud, and reputational damage. These issues can lead to additional harm that may go beyond the immediate impact of a data breach.
Building a Cybersecurity Compliance Program
The SEC’s rules are just one part of a broader legal landscape related to cybersecurity and regulatory compliance. Companies also need to understand state data breach notification laws and any industry-specific regulations that apply to them. A comprehensive cybersecurity compliance program will need to address all of these requirements.
Companies that approach cybersecurity compliance proactively by developing effective policies, conducting regular risk assessments, training employees on proper cybersecurity procedures, and putting incident response plans in place will be positioned to meet their regulatory requirements, reduce the likelihood of a breach, and respond correctly if a breach does occur.
Working With an Attorney to Address Cybersecurity Issues
The SEC’s cybersecurity rules are complex, and the stakes in matters related to data breaches are high. By working with an attorney who understands data privacy, securities laws, cybersecurity regulations, and effective policies for data security and risk management, a company can take meaningful steps to address these issues.
Before an incident occurs, a lawyer can help a company develop a written cybersecurity incident response plan, establish internal protocols for determining whether an incident is material, and make sure annual cybersecurity disclosures are filed correctly. When an incident does occur, the pressure to act quickly can lead to costly mistakes. An attorney can guide a company through the process of responding to a data breach, including filing the proper disclosures, notifying shareholders or customers, and taking steps to limit the impact of the breach.