Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
US Securities and Exchange Commission rules requiring public companies to disclose material cybersecurity incidents within 4 business days on Form 8-K and provide annual cybersecurity risk management, strategy, and governance disclosures on Form 10-K. Relevant to EU companies dual-listed on US exchanges.
4 Days: Incident Disclosure
8-K: Incident Form
10-K: Annual Disclosure
All Listed Companies
26 July 2023: SEC adopts final cybersecurity disclosure rules
18 December 2023: Form 8-K incident reporting effective for large filers
15 June 2024: Smaller reporting companies compliance deadline
2025: SolarWinds enforcement case dismissed; regulatory landscape evolving
Disclose material cybersecurity incidents on Form 8-K within 4 business days of materiality determination. Include nature, scope, timing, and material impact or reasonably likely material impact.
Annual disclosure of processes for assessing, identifying, and managing material cybersecurity risks, including oversight of third-party service providers.
Describe the board’s oversight of cybersecurity risks and management’s role and expertise in assessing and managing those risks.
Foreign private issuers must furnish material incident information on Form 6-K and provide annual governance disclosures on Form 20-F.
SEC enforcement actions
Civil penalties, injunctions, officer bars, and disgorgement. Amounts vary by case. The SolarWinds CISO case (dismissed 2025) tested the boundaries of personal liability for cybersecurity disclosures.