US Securities and Exchange Commission — public companies.

SEC Cyber Disclosure

SEC Cybersecurity Disclosure Rules (Item 1.05 and Regulation S-K Item 106)

Applies to

US public companies subject to Exchange Act reporting. Foreign private issuers are subject to a parallel framework.

Creates urgency when

A material cybersecurity incident triggers the 8-K disclosure window (four business days from materiality determination), or annual 10-K cybersecurity disclosure cycle.

Evidence burden

Materiality determination process, board governance disclosure, risk management process disclosure, incident disclosure on 8-K within four business days. Documentation of the decision-making process is the audit.

Buying-committee effect

Brings in the general counsel, CFO, board audit committee, and disclosure committee. The CISO's incident-response decisions now have securities-law consequences.

GTM angle

The newest compliance gravity well. Sold to public-company CISOs and their boards as the function that turns an incident into a disclosure decision — and the function that demonstrates governance to the regulator before the incident happens.