SEC: 30-day breach disclosures hit boards
- SEC rules do not create a 30-day breach disclosure deadline. Public companies must file within four business days after deciding an incident is material.
- The real pressure point is earlier: companies must make that materiality call "without unreasonable delay," while boards disclose how they oversee cyber risk.
- That shifts the burden onto governance and process, not a fixed month-long clock, and gives the SEC room to scrutinize escalation, documentation, and judgment.
The SEC story here is real, but the 30-day part is not. For U.S. public companies, the operative federal rule is a much shorter one: once a company decides a cyber incident is material, it generally has four business days to file an Item 1.05 Form 8-K. The harder part is that the SEC also expects that materiality decision to happen "without unreasonable delay." That is why boards are suddenly in the frame: not because the SEC gave them 30 days, but because the agency tied cyber disclosure to governance, escalation, and oversight. (sec.gov)

### Where did the 30-day idea come from?

It mostly comes from confusion between the SEC's final rule and earlier debate around breach-notification timing. In the rulemaking record, commenters talked about 30-day state-law windows, and the SEC's final release mentions those comments. But the Commission did not adopt a 30-day federal disclosure deadline for public-company cyber incidents. It adopted a different structure entirely: a materiality determination made without unreasonable delay, followed by a Form 8-K filing within four business days of that determination. Note that the four-day clock runs from the materiality decision, not from the date the incident was discovered. (sec.gov)

### So what actually changed?

The big change arrived on July 26, 2023, when the SEC adopted its cybersecurity disclosure rules. Those rules did two things at once. First, they created a current-reporting trigger for material cyber incidents on Form 8-K. Second, they required annual disclosure about cyber risk management, management's role, and the board's oversight of cyber risk. That combination is what makes this feel like a board-level issue: after an incident, the question becomes, "Who was supposed to know, when, and how did the company decide what mattered?" (sec.gov)

### Why do boards matter so much now?

Because the rule reaches past the technical incident and into the company's decision chain. In annual disclosures, companies have to describe the board's oversight of cyber risk and how the board or a committee gets informed. The SEC deliberately made that board disclosure high-level, not a checklist of director résumés. But high-level does not mean low-stakes. If the company describes how the board is kept informed, it should be able to show that the escalation path actually worked when an incident hit. (sec.gov)

### What counts as the hard part?

Materiality. A breach can be technically messy long before its business impact is clear. The SEC's framework does not let companies wait comfortably for every forensic detail. They have to assess materiality promptly, based on what they know, and update as facts develop. The agency even warned companies not to stuff non-material or not-yet-material incidents into Item 1.05 filings; voluntary disclosure of an incident that has not been found material belongs under a different 8-K item (Item 8.01), so that Item 1.05 stays reserved for material events. Companies have to make the call, exercise judgment, and document why. (sec.gov)

### Does the SEC allow delay at all?

Yes, but only in a narrow case. Disclosure can be delayed if the U.S. Attorney General determines immediate disclosure would pose a substantial risk to national security or public safety. That is not a general-purpose escape hatch for companies still figuring things out. For most issuers, the clock still turns on the materiality determination, and the expectation of prompt assessment remains. (sec.gov)

### What does this mean inside companies?

Basically, boards need cleaner plumbing. Incident response now has to connect legal, security, finance, investor relations, and the board fast enough to support a defensible materiality call. Evidence-grade logs matter, because the record of what was known and when is what a prompt materiality assessment rests on. So do written escalation triggers, tabletop exercises, and clear ownership of the materiality decision. The SEC's rule is not saying every breach is a board failure. But it does mean a weak process can turn into a disclosure problem very quickly. (sec.gov)

### Bottom line

If you hear "SEC cyber rule equals 30-day disclosure window," treat that as wrong. The real regime is tighter and more judgment-heavy: decide materiality without unreasonable delay, disclose within four business days of that decision, and be ready to show that management and the board had a real oversight process behind that call. (sec.gov)