SEC cyber disclosure still mandatory
- SEC rules continue to require rapid disclosure of material cyber incidents and stronger governance reporting. (scworld.com)
- At the same time, SEC enforcement actions are at a 20-year low, though penalties from prior cases remain significant. (risk.net)
- Cyber incidents can quickly become securities-law events, forcing closer coordination between security, legal and investigations teams. (scworld.com)
Public companies still have to tell investors about a material cyberattack fast, even as the Securities and Exchange Commission says it brought fewer enforcement cases in fiscal 2025. (sec.gov 1) (sec.gov 2)

The SEC adopted the cyber disclosure rules on July 26, 2023. They require most issuers to file an Item 1.05 Form 8-K within four business days of determining that a cyber incident is material to investors. The clock runs from that materiality determination, not from the day the intrusion was discovered, and the rule expects the determination itself to be made without unreasonable delay. (sec.gov 1) (sec.gov 2) The same rule package added annual reporting duties under Item 106 of Regulation S-K: companies now have to describe in the Form 10-K how they assess cyber risk, how management handles it, and how the board oversees it. (sec.gov 1) (sec.gov 2)

The deadline turns a network breach into a securities-law question as soon as executives start weighing whether the incident is material. SEC staff said in May 2024 that companies which choose to disclose before reaching a materiality decision should usually use a different Form 8-K item, such as Item 8.01, rather than Item 1.05. (sec.gov) The rule does not require a technical play-by-play that could help attackers: in a December 2023 speech, SEC staff said the required disclosure should focus primarily on the incident's impact, not on detailed information about how the intrusion worked. (sec.gov)

Enforcement has become a less reliable signal of immediate risk. The SEC said on April 17, 2026 that it filed 434 total enforcement actions in fiscal 2025, down from 583 in fiscal 2024, while still collecting about $8.2 billion in financial remedies, the highest amount in its history. (sec.gov)

Cyber cases from the last two years show the exposure can still be expensive. On June 18, 2024, four companies (Unisys, Avaya, Check Point, and Mimecast) agreed to settle SEC charges over allegedly misleading cyber disclosures for combined civil penalties of $7 million. (sec.gov) The SolarWinds case showed both the reach and the limits of that approach. The SEC sued SolarWinds and its chief information security officer in October 2023, then dismissed the case with prejudice in October 2025 after a federal court had already narrowed parts of the complaint. (sec.gov) (sec.gov) (sec.gov)

That leaves public companies with the same practical problem they had when the rule took effect: security teams may find the breach first, but lawyers, finance staff, and investigators have to help decide quickly what investors must be told. (sec.gov) (sec.gov)