Overview
As cybersecurity threats grow more sophisticated, the Securities and Exchange Commission's (SEC) cybersecurity disclosure rules, effective December 18, 2023, require public companies to report material cybersecurity incidents within four business days of determining that an incident is material, and to disclose their cybersecurity governance and risk management practices annually. While the rules aim to improve transparency and protect investors, they have raised concerns about over-disclosure and increased legal exposure.
Critics question whether the rules will strengthen cybersecurity practices or simply push companies into excessive disclosures that expose weaknesses to attackers and dictate how incidents are handled. Early cases show varied responses from firms dealing with high-profile breaches, with mixed effects on investor confidence and corporate accountability.
Now that the rules are in force, their effect on how organizations safeguard sensitive data and design their security programs will shape how companies navigate the regulatory landscape.
Background
The SEC issued interpretive guidance on cybersecurity disclosures in 2018, emphasizing timely communication with investors about threats that could affect their decisions. The legal landscape for cybersecurity oversight shifted with Uber's 2016 data breach, which led to the first criminal conviction of an executive for concealing such an event: Joe Sullivan, Uber's former chief security officer, was convicted in 2022 of obstruction of justice and misprision of a felony and sentenced in 2023 to probation and a $50,000 fine, underscoring the heightened legal risks and ethical obligations facing executive-level staff, as reported by the New York Times.
On July 26, 2023, the SEC adopted rules that formalized these expectations. New Item 1.05 of Form 8-K[1] requires public companies to report a material cybersecurity incident within four business days of determining that it is material,[2] and the rule requires that determination to be made without unreasonable delay after the incident is discovered. New Item 106 of Regulation S-K requires companies to describe annually in Form 10-K their processes for assessing, identifying, and managing material cybersecurity risks, the board's oversight of those risks, and management's role and relevant expertise, according to PwC. (The proposed requirement to disclose the cybersecurity expertise of individual board members was dropped from the final rule; what must be disclosed is how the board oversees cyber risk and what expertise management brings to it.) These rules aim to establish clearer guidelines for disclosure frequency and depth, ensuring transparency around incidents that could influence company performance, investor confidence, and financial decision-making.[3]
The SEC's scrutiny now extends to internal controls over cybersecurity, as illustrated by its cases against SolarWinds (charged in 2023 over the 2020 SUNBURST supply-chain compromise) and R.R. Donnelley (2024). In July 2024 a federal court dismissed most of the SEC's claims against SolarWinds, including those based on internal accounting controls,[4] but allowed the charge that the company misrepresented its security practices to proceed. R.R. Donnelley agreed to pay a $2.1 million penalty to settle charges that it failed to act on alerts escalated by its third-party managed security provider during a 2021 ransomware attack and that its disclosure controls were deficient, delaying both its response and its disclosure.
A remaining challenge is defining "materiality." The Financial Times notes that some firms submit incomplete provisional disclosures while they are still assessing an incident. In addition, companies have adopted different thresholds for determining materiality, and many have filed heavily caveated disclosures that contain little detail.
Balancing transparency with security remains critical. While incomplete disclosures create challenges for investors, according to the Federal Register, premature or overly detailed disclosures can expose unpatched weaknesses, giving threat actors a roadmap for further attacks. The Department of Justice has pointed to the November 2023 ALPHV (BlackCat) ransomware attack on software company MeridianLink as an illustration of these risks. After failing to extract a ransom, the group threatened to publish the stolen data and filed a complaint with the SEC alleging that MeridianLink had not disclosed the incident, as reported by Debevoise & Plimpton. Notably, the complaint was filed before the Item 1.05 reporting obligation took effect on December 18, 2023, so the group was invoking a rule that did not yet apply to its victim. The incident shows how threat actors can turn regulatory deadlines into extortion leverage, underscoring the importance of reconciling SEC disclosure timelines with protections against that kind of abuse. As companies navigate the dilemma of under- or over-disclosure, critics argue that the current regulations encourage a focus on compliance over substantive cybersecurity improvements that would actually reduce risk to investors.
While the short-term impact on stock prices following a disclosure is often modest, the long-term effects remain unclear. Between November 2023 and September 2024, 44 companies filed Form 8-Ks for cybersecurity incidents, with an average share price drop of 0.7 percent on the first day and 2.1 percent over five days, according to The Wall Street Journal. In other cases, stock prices remained stable or even rose after the disclosure. These outcomes suggest that markets increasingly treat cyber incidents as a routine cost of doing business, while other factors, such as ongoing investigations and the company's resilience, likely drive the larger swings. For example, B. Riley Financial and Meta Materials, both already under regulatory scrutiny, fell 22.9 percent and 15.6 percent, respectively, within five days of their disclosures.
Why Is This Important?
In today's environment, the Harvard Law School Forum on Corporate Governance states that investors expect greater accountability for how companies manage cyber threats that could harm their financial health and reputations. High-profile breaches, such as those involving Uber and SolarWinds, show that mismanaging cyber risk can lead to severe legal consequences, damage corporate reputations, and erode investor trust. The SEC's disclosure rules push companies to communicate more clearly and to mitigate cyber risks proactively, marking a pivotal moment in cybersecurity governance.
According to Thomson Reuters, managing third-party risk presents a significant challenge. Many companies outsource large portions of their cybersecurity operations, creating exposures outside their direct control. A 2023 survey in The Wall Street Journal found that 42 percent of chief information security officers outsource more than a quarter of their cybersecurity budgets, indicating substantial reliance on external providers. As reported by The Financial Times, the July 2024 global IT outage caused by a faulty CrowdStrike software update shows how concentration on a handful of security vendors and cloud providers turns one supplier's failure into a systemic one. Google, Amazon, and Microsoft, which together hold about 60 percent of the cloud provider market, benefit from economies of scale but also concentrate outage risk for everyone who depends on them. The SEC's rules require companies to describe how they oversee cybersecurity risks associated with their third-party service providers, making transparency in those relationships crucial for investor protection.
The disclosure framework also requires companies to describe how their boards oversee cybersecurity risk and what role and expertise management has in managing it, shifting accountability to the C-suite and the boardroom. Frameworks such as the National Institute of Standards and Technology's (NIST) Cybersecurity Framework, whose 2.0 revision added a dedicated Govern function, and the Center for Internet Security Controls have evolved to emphasize governance and accountability, according to MSSP Alert. By requiring disclosure of board oversight, the SEC is reinforcing the idea that cybersecurity is a component of corporate governance, not just an IT issue. Noncompliance carries steep penalties; the SEC warns that companies that fail to meet disclosure requirements risk substantial fines, investor lawsuits, and reputational damage.
The importance of the SEC's rules is magnified by the broader digital ecosystem. As the prospect of quantum computers capable of breaking today's public-key cryptography draws closer and cryptographic standards evolve, the regulatory landscape is adapting to encompass both present and future risks. NIST's post-quantum cryptography standards, for example, show that companies must stay ahead of emerging threats to ensure the longevity of their security programs, according to IBM. The SEC's rules are not just about compliance; they push companies to rethink their cybersecurity strategies in light of future technological challenges.
What Happens Next?
Looking ahead, companies must prepare for a future in which cyber incidents are not a possibility but an inevitability.[5] Cybersecurity strategies must include regular risk assessments, tested incident response and recovery plans, and, given the four-business-day clock, a documented process for reaching a materiality determination without unreasonable delay once an incident is discovered.
NIST's post-quantum cryptography standards, finalized in August 2024 as FIPS 203, 204, and 205, are a significant step in this preparedness, providing the foundation for quantum-safe encryption and signatures. Widespread adoption will take time, particularly in industries that have not yet begun to inventory where and how they use cryptography. The timing matters: data encrypted today with current public-key algorithms can be captured now and decrypted later once a sufficiently powerful quantum computer exists, so information with a long confidentiality lifetime is already at risk.
The challenge for companies will be balancing SEC compliance with building security programs that actually protect against threats. As boards face increasing pressure to demonstrate competent oversight, collaboration between companies and government bodies such as the SEC and NIST is part of building a more structured defense.
In summary, the SEC's expanded enforcement is reshaping the cybersecurity landscape. From managing third-party risk to preparing for quantum threats to cryptography, companies must now integrate regulatory compliance with long-term strategic planning to protect both their operations and their investors.