Home / News

SEC Now Giving Companies a 4-Day Deadline to Reveal Cyberattacks

Photo: Tada Images / Adobe Stock

The U.S. Securities and Exchange Commission (SEC) has introduced new regulations requiring companies to disclose substantial cybersecurity incidents. These rules also mandate yearly disclosure of key information regarding cybersecurity risk management, strategy, and governance. The mandate applies to foreign private issuers as well.

SEC Chair Gary Gensler emphasizes the significance of these disclosures to investors, suggesting that they will enable more consistent, comparable, and actionable decision-making. He stated that this would benefit not only the investors but also the companies and markets in which they operate.

Under these rules, companies will need to report any material cybersecurity incident through the new Item 1.05 of Form 8-K, including the nature, scope, and timing of the incident, along with its impact. This report is typically due four business days after the incident is determined to be material. Exceptions can be made in cases where the U.S. Attorney General deems immediate disclosure a potential national security risk.

Furthermore, companies will need to explain their processes for identifying, assessing, and managing cybersecurity threats in their annual report on Form 10-K. The disclosures should include the effects of such threats and prior incidents and detail how their board of directors oversees these risks.

The rules come into effect 30 days after publication in the Federal Register. From December 15, 2023, yearly disclosures will be mandatory for fiscal years ending on or after this date. Smaller companies get an extra 180 days to prepare for the disclosure through Form 8-K. Disclosures must be tagged in Inline XBRL one year after initial compliance with the relevant disclosure requirement.


By CircleID Reporter

CircleID’s internal staff reporting on news tips and developing stories. Do you have information the professional Internet community should be aware of? Contact us.

Visit Page

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet




Sponsored byDNIB.com

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC


Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

New TLDs

Sponsored byRadix