Navigating the SEC’s Cybersecurity Disclosure Rules: One Year On
- by nlqip
In December 2023, as cyberattacks surged, the U.S. Securities and Exchange Commission (SEC) began enforcing new cybersecurity disclosure rules. This pushed C-level executives and boards to adopt measures for compliance and transparency. In this post, we look at the enforcement actions the SEC has taken and what public company CISOs should do to stay in compliance.
Cyberattacks surge, the SEC takes action and boards pay attention
In recent years, cyberattacks have become more sophisticated, affecting public and private organizations alike. Recognizing the critical need for transparency and robust cybersecurity measures, the U.S. Securities and Exchange Commission adopted new cybersecurity disclosure rules in July 2023, which took effect in September 2023, with compliance required by December 2023.
These rules, which mandate that all public companies disclose material cybersecurity incidents within four business days and detail their risk management strategies, highlight that cybersecurity is a board-level risk management concern.
As part of their fiduciary duties, boards play a key role in the oversight of risks from cybersecurity threats. In partnership with senior executives, they need to pay close attention to the risks their companies face and the strategies those companies put in place to comply.
As the rules were authorized in late 2023, we shared what we see as the implications for infosec leaders. This post explores the impact of these regulations after one year. We also look at recent enforcement actions and measures that companies should consider adopting to promote compliance and bolster their cybersecurity posture.
An important note: In 2025, there will be changes in SEC leadership, which could affect these rules. But they’re just one example of the additional attention governments around the world are giving to cyber risk.
The EU recently issued the Network and Information Systems Directive 2 (NIS2), aimed at improving cybersecurity across member states. It requires the reporting of “significant” incidents within 24 hours, a more detailed report within 72 hours and a final report within a month. Other more focused rules, such as the General Data Protection Regulation (GDPR) in Europe, although it doesn’t have incident disclosure provisions, have driven significant change for companies that want to do business in that region.
It comes down to trust. Tenable CEO Amit Yoran had a clear point of view when he wrote about the rules as they took effect.
“The SEC’s rule will force what companies should have been implementing all along: informed cyber risk management practices,” he said. “Requiring companies to provide annual updates of their cybersecurity risk management strategy and governance and report material breaches within four business days will force leadership to pay attention and keep customers and investors better informed as to who they trust with their business.”
Key requirements of the SEC’s cybersecurity disclosure rules
With that as a backdrop, CISOs looking to support stakeholders like legal, finance, investor relations and boards in these efforts should understand a few things about the SEC rules.
The SEC requires public companies to disclose material cybersecurity incidents within four business days of determining their materiality using an 8-K form. This requirement aims to give investors timely and relevant information about potential risks that could impact business operations and financial performance.
At a conference held by the American Institute of Certified Public Accountants (AICPA) and the Chartered Institute of Management Accountants (CIMA) in December, Sebastian Gomez Abero, Associate Director of the Division of Corporation Finance (DCF) Disclosure Review Program, emphasized that materiality, rather than the discovery of a breach, is the trigger for disclosing a cybersecurity incident. According to an EY summary of his remarks provided by the conference organizers, Gomez Abero also reminded registrants that both quantitative and qualitative factors should be considered in their materiality assessment of a cybersecurity incident.
In addition, companies must include descriptions of their cybersecurity risk management and governance practices annually in their 10-K or 20-F reports. The rules essentially validate cybersecurity as an important component of risk management, within a robust corporate governance program. Recent 10-Ks from a number of companies incorporated these new requirements.
According to the EY conference summary, Gomez Abero reminded registrants to provide sufficient detail in their annual cybersecurity disclosures for a reasonable investor to understand the organization’s processes to assess, identify and manage material risks from cybersecurity threats, rather than just stating that a process exists. In addition, registrants that have a management group to assess material cybersecurity risk need to disclose each member’s individual expertise.
Big fines and penalties from enforcement actions
Since the introduction of the cybersecurity rules, the SEC has taken significant enforcement actions to ensure compliance, including issuing fines and negotiating settlements with various companies.
For example, in October 2024, the SEC fined Unisys Corp., Avaya Holdings Corp., Check Point Software Technologies Ltd. and Mimecast Limited a combined total of almost $7 million for allegedly misleading disclosures related to their exposure to the SolarWinds cyberattack.
In the same order, the SEC alleged that these firms downplayed their involvement, which led to misleading investors about potential impacts. Each company settled without admitting or denying the allegations.
In another notable enforcement action by the SEC, R.R. Donnelley & Sons Company (RRD) agreed in June 2024 to pay more than $2.1 million for inadequate disclosure and poor management of significant cybersecurity incidents from 2021. The SEC found that RRD’s internal processes failed to properly elevate and disclose these incidents to senior management in a timely manner, underscoring the importance of having robust incident management frameworks in place.
Lessons learned
There are three key lessons to keep in mind as you work to help your organization meet the SEC cybersecurity requirements:
- Be transparent. Your organization’s incident management and disclosure practices are being scrutinized. It’s not just the board and senior executives paying attention — your company’s investors want to understand your organization’s cyber risk. Choose a forthright and straightforward approach to meet the 8-K disclosure requirements, such as establishing a cybersecurity disclosure committee and a materiality framework for regularly assessing cyber incidents. Doing so could help your organization avoid fines.
- View cyber risk as business risk. Your cybersecurity risk management and governance practices are of strategic importance to your organization. The 10-K and 20-F requirements codify the importance of having a robust strategy for cybersecurity. Rather than seeing it as a compliance chore, consider it an opportunity to educate the board and investors about all the ways your organization is reducing cyber risk.
- Be proactive. Don’t treat your cybersecurity strategy as merely a once-a-year compliance task. Make sure the cybersecurity systems and processes you have in place provide continuous visibility into the entirety of your attack surface, so that you’re always ready to answer the questions “how secure are we?” and “where are we at risk?”
Exposure management can help meet the SEC requirements
So what can a CISO do about this? It starts with a comprehensive cybersecurity program, including exposure management, which gives CISOs the information they need to communicate with legal, finance, investor relations, boards and other internal stakeholders about vulnerabilities and cyber incidents so that those can be appropriately captured in the company’s cyber risk management and public reporting.
Exposure management equips an organization with the tools needed to meet the SEC’s cybersecurity disclosure requirements by aligning cybersecurity efforts with business risk management.
Exposure management provides comprehensive visibility into the organization’s attack surface, prioritizes vulnerabilities based on their potential business impact and delivers actionable insights that inform the preparation of risk management filings. Moreover, exposure management is part of a cyber program that can identify cyber risks and incidents that may need to be reported in filings. With easily understood, dynamically updated dashboards that a CISO can use to gain visibility into companywide exposures, exposure management is critical for ensuring compliance and demonstrating a strong security posture.
Plus, an exposure management strategy that integrates asset visibility, risk prioritization and incident response — along with strong partnerships between the CISO, legal, IR and finance — ensures that organizations can accurately report their practices and responses at any point in time because of the continuous monitoring built into exposure management.
By focusing on vulnerabilities that pose the greatest threat to business operations, companies can allocate resources effectively and build a cybersecurity program that supports regulatory compliance.
What the C-suite should consider
For CISOs, adopting an exposure management program ensures they can provide legal, finance, investor relations, boards and other executives with clear, actionable insights into the organization’s cybersecurity risks.
Exposure management helps inform decision-making and supports the development of comprehensive risk management frameworks, enabling companies to address threats proactively and build confidence among investors and stakeholders.
The entire C-suite should approach the SEC’s new rules with an eye toward integrated and forward-looking cybersecurity strategies. As part of that effort, it’s crucial to develop and maintain comprehensive incident response plans that can be deployed swiftly to meet the four-day disclosure mandate.
Preventative measures for compliance
To meet the SEC’s cybersecurity disclosure rules and reduce the risk of breaches that could lead to significant regulatory and financial consequences, organizations must adopt proactive strategies that strengthen their defenses. The following preventative measures outline key steps companies should take to enhance their cybersecurity posture and ensure compliance.
- Vulnerability management: Effective vulnerability management is essential for maintaining a strong cybersecurity posture. Automated vulnerability assessment tools can regularly inspect infrastructure and promptly identify security gaps.
- Zero trust architecture: A zero trust security model operates on the principle that no user or device, whether inside or outside the organization’s network, should be trusted by default. Implementing zero trust means continuously verifying each user and device that attempts to access company resources, ensuring strict authentication, authorization and validation throughout the user session.
Takeaways
The SEC’s cybersecurity disclosure rules underscore the critical importance of transparency and proactive risk management in today’s digital landscape.
Although compliance requires effort and resources, it also presents an opportunity for companies to build trust with investors and stakeholders.
By prioritizing robust cybersecurity practices that focus on prevention, enterprises can better align with regulatory expectations and be prepared for critical reporting requirements. They can close exposures and become resilient, responsible leaders in an increasingly risky world.