SEC cyber disclosure pressure

- The SEC’s cybersecurity disclosure rules continue to demand rapid breach reporting and clearer cyber-risk disclosure from public companies.
- At the same time, SEC enforcement actions have fallen to a 20-year low, even as penalties from prior cases remain sizeable.
- Companies face sustained legal and investor expectations around disclosure readiness, despite a selective enforcement environment.

The Securities and Exchange Commission still expects public companies to report a material cyber breach fast, even as its overall enforcement docket has thinned. (sec.gov)

The rule the SEC adopted on July 26, 2023 requires a company to decide materiality “without unreasonable delay” and then file a Form 8-K within four business days after that determination. The rule took effect on September 5, 2023, and incident-reporting compliance began on December 18, 2023, with smaller reporting companies getting until June 15, 2024. (sec.gov) The same rule also added annual disclosure requirements in Form 10-K for how a company assesses cyber risk, how management handles it, and how the board oversees it. Foreign private issuers must make parallel disclosures on Forms 6-K and 20-F. (sec.gov) The SEC carved out a narrow delay only when the U.S. attorney general finds immediate disclosure would pose a substantial risk to national security or public safety. In May 2024, the SEC’s Division of Corporation Finance also told companies to use Item 8.01, not Item 1.05, for voluntary disclosures before they have concluded an incident is material. (sec.gov 1) (sec.gov 2)

At the same time, the SEC said on April 7, 2026 that it filed 456 enforcement actions in fiscal 2025, including 303 standalone actions and 69 follow-on administrative proceedings. The agency said it obtained orders for $17.9 billion in monetary relief, but described fiscal 2025 as a transition year and said it was shifting resources toward fraud cases. (sec.gov) Risk.net reported those 2025 totals were the lowest level of SEC enforcement actions in 20 years, even as penalties stayed high because of earlier cases and settlements. The SEC’s own release said the year included an “unprecedented rush” of filings before the January 2025 presidential inauguration and later resolutions of cases the current Commission said were not well grounded. (risk.net) (sec.gov)

That split leaves public companies with a standing disclosure regime even when the agency appears more selective about which cases it wants to bring. The legal trigger is not whether the SEC is busy; it is whether investors would view the cyber incident as material. (sec.gov)

The SolarWinds case shows both the pressure and the limits of that approach. A federal judge in July 2024 let only a narrower slice of the SEC’s fraud case proceed, centered on alleged misstatements outside routine filings, and the SEC dismissed the action with prejudice on November 20, 2025. (nysd.uscourts.gov) (sec.gov) The SEC said that dismissal was “in the exercise of its discretion” and did not necessarily reflect its position on other cases. The rulebook, meanwhile, has not changed: public companies still have to make fast calls on materiality, draft incident disclosures, and explain their cyber governance in annual reports. (sec.gov 1) (sec.gov 2)
