SEC cyber disclosure focus

- The SEC's overall enforcement activity has fallen to a 20‑year low, but cyber disclosure enforcement remains a top concern.
- Rules now demand faster breach reporting and stronger cyber‑risk disclosures from public companies.
- That shifts practical burden to internal teams to operationalise incident escalation, materiality judgement and evidence collection (risk.net, scworld.com, comply.com).

The Securities and Exchange Commission is bringing fewer cases overall, but it is still pressing public companies on cyber disclosures. (sec.gov)

The agency said on February 26, 2026 that it filed 583 total enforcement actions in fiscal 2025, down from 749 in fiscal 2024. Risk.net reported that overall enforcement activity fell to a 20-year low even as cyber disclosure stayed high on legal and compliance agendas. (sec.gov) (risk.net)

The disclosure rules at the center of that pressure were adopted on July 26, 2023. They require public companies to disclose a material cybersecurity incident on Form 8-K within four business days after deciding the incident is material, unless the U.S. attorney general grants a delay for national security or public safety reasons. (sec.gov)

The same rule package also requires annual disclosures about how a company manages cyber risk, how cyber threats affect strategy, and how boards oversee the issue. Those annual disclosures appear in Form 10-K for domestic issuers and Form 20-F for foreign private issuers. (sec.gov 1) (sec.gov 2)

That puts the hard work inside the company. Security teams have to escalate incidents fast, lawyers and executives have to decide materiality “without unreasonable delay,” and disclosure staff have to preserve enough evidence to support what the company says publicly. (sec.gov) (scworld.com)

The Securities and Exchange Commission has also signaled that boilerplate language is not enough. On June 18, 2024, it charged Unisys, Avaya, Check Point Software Technologies and Mimecast with misleading cyber-risk disclosures, and Unisys separately with disclosure-controls violations; the companies agreed to pay combined civil penalties of $7 million. (sec.gov)

The agency’s SolarWinds case showed both the reach and the limits of that approach. The Securities and Exchange Commission sued SolarWinds and its chief information security officer in October 2023, then dismissed the case with prejudice in November 2025 after a federal court had narrowed parts of the complaint in July 2024. (sec.gov 1) (sec.gov 2) (sec.gov 3)

Even some commissioners have warned against turning every cyber event into a securities filing. In an October 22, 2024 statement, Commissioners Hester Peirce and Mark Uyeda said too much immaterial disclosure could distract investors and pointed back to the rule’s focus on business impact rather than technical minutiae. (sec.gov)

For public companies, the calendar is now part of the incident response plan. The question after a breach is no longer only how to contain it, but how quickly the company can decide what investors must be told and defend that judgment on the record. (sec.gov) (pwc.com)
