SEC Cyber Disclosure
SEC Cybersecurity Disclosure Rules (Item 1.05 and Regulation S-K Item 106)
US public companies subject to Exchange Act reporting. Foreign private issuers are subject to a parallel framework.
A material cybersecurity incident triggers the 8-K disclosure window (four business days from materiality determination), or annual 10-K cybersecurity disclosure cycle.
Materiality determination process, board governance disclosure, risk management process disclosure, incident disclosure on 8-K within four business days. Documentation of the decision-making process is the audit.
Brings in the general counsel, CFO, board audit committee, and disclosure committee. The CISO's incident-response decisions now have securities-law consequences.
The newest compliance gravity well. Sold to public-company CISOs and their boards as the function that turns an incident into a disclosure decision — and the function that demonstrates governance to the regulator before the incident happens.