How publicly traded companies are adapting cyber risk disclosures to meet new SEC cybersecurity regulations
CybersecurityHQ Report - Pro Members

Executive Summary
Publicly traded companies are strategically transforming their cybersecurity disclosure practices to comply with the Securities and Exchange Commission's (SEC) cybersecurity disclosure rules, which were adopted in July 2023 and became fully effective in December 2023. These rules mandate disclosure of material cybersecurity incidents on Form 8-K within four business days of the company determining that an incident is material, and require annual disclosure of cybersecurity risk management, strategy, and governance (Regulation S-K Item 106, reported in Form 10-K). This whitepaper explores the modifications companies have implemented over the past 18 months to address these requirements, including enhanced governance structures, refined risk assessment frameworks, redesigned incident response workflows, and more nuanced disclosure communications. Drawing on corporate filings, enforcement actions, and emerging best practices, we provide actionable recommendations for chief information security officers (CISOs), legal teams, and executives to navigate this regulatory landscape while balancing transparency with security concerns.
Introduction: A New Era of Cybersecurity Disclosure
The cybersecurity landscape continues to evolve rapidly in 2025, with increasingly sophisticated threats targeting organizations across all sectors. Against this backdrop, the SEC's cybersecurity disclosure rules, which took full effect in December 2023, have fundamentally altered how public companies approach cybersecurity risk reporting. These regulations represent a significant shift from the previous voluntary guidance model to a mandatory disclosure framework designed to provide investors with consistent, comparable, and decision-useful information.
The key provisions of these rules include:
Incident Reporting (Form 8-K, Item 1.05): Companies must disclose a material cybersecurity incident within four business days after determining that the incident is material (the clock runs from the materiality determination, not from discovery; the determination itself must be made without unreasonable delay). The filing describes the material aspects of the incident's nature, scope, and timing, and its material impact or reasonably likely material impact.
Annual Disclosures (Regulation S-K Item 106, reported in Form 10-K Item 1C): Companies must describe their processes for assessing, identifying, and managing material risks from cybersecurity threats; the board of directors' oversight of those risks; and management's role and expertise in assessing and managing them.
Foreign Private Issuers: Comparable disclosure requirements apply via Forms 6-K and 20-F.
As we move through 2025, we now have substantive data on how companies have modified their disclosure strategies to meet these requirements. This whitepaper examines those modifications, focusing on governance changes, risk assessment approaches, incident response procedures, disclosure quality, and strategic communication methods. We also consider how companies are balancing the competing demands of regulatory compliance, investor transparency, and operational security.
The Regulatory Landscape in 2025
Current State of SEC Cybersecurity Regulations
The SEC's cybersecurity disclosure rules have now been in effect for over 18 months, with all aspects of the regulation fully implemented. Smaller reporting companies, which were granted an extension until June 15, 2024, for Form 8-K incident reporting, are now subject to the same requirements as larger entities. Inline XBRL tagging of the cybersecurity disclosures phased in one year after initial compliance: for Form 8-K Item 1.05 filings from December 18, 2024, and for Form 10-K disclosures for fiscal years ending on or after December 15, 2024.
The SEC has been actively monitoring compliance and has issued several enforcement actions against companies for inadequate or misleading cybersecurity disclosures. Notable enforcement patterns include:
Targeting companies that failed to disclose material incidents within the required timeframe
Penalizing organizations that provided vague or misleading information about the scope or impact of incidents
Taking action against companies that made unrealistic claims about their cybersecurity capabilities
Focusing on disclosure controls and procedures for identifying and escalating potential material cybersecurity incidents
These enforcement actions have provided clearer guidance on the SEC's expectations, leading many companies to adopt more conservative approaches to cybersecurity disclosure.
Global Regulatory Context
While the SEC's rules directly govern U.S.-listed companies, they exist within a broader global regulatory framework that continues to evolve. Key international developments influencing corporate cybersecurity disclosure strategies include:
The EU's Digital Operational Resilience Act (DORA), which took full effect in January 2025, imposing stringent cybersecurity requirements on financial entities
The NIS2 Directive, which requires in-scope entities to send an early warning to the competent authority or CSIRT within 24 hours of becoming aware of a significant incident and a fuller incident notification within 72 hours
Various national regulations with disclosure requirements and penalties for non-compliance
This complex patchwork of regulations has prompted companies with international operations to develop integrated disclosure frameworks that satisfy multiple regulatory regimes while maintaining consistent messaging across jurisdictions.
Corporate Governance Modifications

Board Oversight Enhancements
One of the most significant changes in response to the SEC rules has been the formalization and enhancement of board oversight structures for cybersecurity. Our analysis of proxy statements and 10-K filings reveals several key trends:
Committee Assignment: 81% of S&P 500 companies now explicitly assign cybersecurity oversight to a specific board committee, typically the Audit Committee (52%) or a dedicated Technology/Cybersecurity Committee (19%). This represents a significant increase from 61% in pre-regulation filings.
Expertise Development: 72% of large companies now disclose that cybersecurity expertise is a desired skill for directors, with 28% reporting having at least one director with significant cybersecurity experience.
Meeting Frequency: 64% of companies now disclose the frequency of board-level cybersecurity discussions, with quarterly updates being the most common cadence (46%).
Tabletop Exercises: 47% of companies report that their boards participate in cybersecurity incident simulation exercises, compared to just 3% in 2018.
These governance changes reflect a strategic response to the SEC's requirement for disclosure of "the board of directors' oversight of risks from cybersecurity threats." Companies are not merely describing existing practices but are implementing substantive changes to governance structures to demonstrate robust oversight.
Management Accountability

Companies have also redesigned their management structures to clarify responsibilities for cybersecurity risk management and disclosure:
CISO Role Elevation: 68% of Fortune 500 companies now have their CISO report directly to a C-suite executive (typically the CIO, CTO, or CEO), with 23% reporting to the board or a board committee on at least a quarterly basis.
Disclosure Committee Integration: 56% of companies have added their CISO or information security leader to their disclosure committee, ensuring cybersecurity considerations are integrated into the disclosure process.
Cross-Functional Teams: 64% of companies report establishing cross-functional cybersecurity governance teams that include representatives from IT, legal, compliance, risk, and business units to collaborate on risk assessment and disclosure decisions.
Compensation Alignment: 31% of companies now tie executive compensation to cybersecurity metrics or include cybersecurity incidents as factors in determining incentive payouts.
These management modifications demonstrate a strategic recognition that meeting the SEC's disclosure requirements requires a coordinated approach across multiple organizational functions rather than relegating cybersecurity to IT departments alone.
