The United States Securities and Exchange Commission's (SEC) cybersecurity disclosure rules, adopted in July 2023 and effective for most public companies in December 2023 (smaller reporting companies received an additional 180 days for the incident disclosure requirement), represent the most significant change to public company cybersecurity obligations since the SEC's 2011 staff guidance and 2018 interpretive guidance on the topic. For technology companies, which face cybersecurity risk across both information technology (IT) and operational technology (OT) systems as potential victims and, in many cases, as product or service providers whose security failures affect customers, the rules create layered disclosure obligations that require close coordination between legal, security, and executive teams.
This post addresses the two primary disclosure obligations created by the rules, the materiality standard that triggers disclosure, and the internal governance structures that enable compliant disclosure without creating additional legal exposure.
The Two Core Disclosure Obligations
The SEC rules create two distinct disclosure obligations operating on different timelines and serving different purposes.
The incident disclosure obligation, implemented through a new Item 1.05 of Form 8-K (17 C.F.R. § 249.308), requires public companies to disclose a cybersecurity incident within four business days of determining that the incident is material. The disclosure must describe the material aspects of the nature, scope, and timing of the incident, and its material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations. Filing may be delayed only if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing; ordinary business or law-enforcement considerations do not extend the deadline.
The annual disclosure obligation, implemented through a new Item 106 of Regulation S-K (17 C.F.R. § 229.106) and reported as Item 1C of Form 10-K, requires public companies to disclose annually their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats; whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition; the board's oversight of risks from cybersecurity threats; and management's role and expertise in assessing and managing material risks from cybersecurity threats.
The Materiality Standard: What Triggers the Four-Day Clock
The four-business-day disclosure window runs from the date the company determines that a cybersecurity incident is material, not from the date the incident is discovered and not from the date it is contained. The rule adds one constraint that closes the obvious loophole: the materiality determination must itself be made without unreasonable delay after discovery, so a company cannot postpone the clock by postponing the analysis. This sequence matters enormously in practice.
An incident discovered on a Monday may not be determined material until Wednesday, after the security team has characterized the scope of the compromise and the legal team has applied the materiality standard. The four business days then run from Wednesday, giving a filing deadline of the following Tuesday (Thursday, Friday, Monday, Tuesday, with the day of the determination not counted and any federal holiday extending the count). A company that begins scoping, drafting, and assembling the disclosure on the discovery date, rather than waiting for the determination, gains the two days between Monday and Wednesday and is far better positioned when the clock actually starts.
The SEC's materiality standard for cybersecurity incidents is the same standard applied elsewhere in securities law: a fact is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision. The SEC has declined to provide a bright-line dollar threshold, which means companies must make a facts-and-circumstances judgment for each incident. Relevant factors include: the scope of data accessed or exfiltrated; whether the incident affected operational or production systems; the estimated cost of remediation; third-party claims or regulatory investigations that may result; and reputational harm that could affect revenue.
For technology companies whose products are themselves cybersecurity-sensitive — automotive systems, industrial control systems, medical devices — a cybersecurity incident may be material not only because of the direct harm to the company but because of the downstream effects on customers who depend on the company's products for safety-critical functions.
The Disclosure Governance Challenge
The four-business-day window creates a governance challenge that most public technology companies have not fully solved: how do you make a reliable materiality determination for a cybersecurity incident that may still be unfolding, with incomplete information, in four business days?
The companies best positioned to meet this requirement have built a cross-functional incident classification process that runs in parallel with technical incident response. This process typically involves: a security team that characterizes the technical scope of the incident and provides structured input to the materiality analysis; a legal team that applies the materiality standard to the security team's findings and makes the disclosure determination; an executive committee that reviews the determination and approves the disclosure; and a communications team that drafts the 8-K disclosure in parallel with the determination process.
Companies that have not built this process will find themselves under time pressure to make a consequential legal judgment with inadequate preparation. Making the wrong call in either direction — disclosing an immaterial incident or failing to disclose a material one — creates different but significant legal exposure.
The Management Expertise Disclosure
The Item 106 requirement that companies describe management's relevant expertise in cybersecurity risk management (the final rule dropped the proposed requirement to disclose board-level cybersecurity expertise, so the obligation attaches to management positions and committees, not to directors) has created an interesting dynamic for technology companies whose products involve embedded cybersecurity. Companies with certified cybersecurity professionals on their management teams, such as holders of the Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM) credentials or, in the automotive context, engineers trained and certified against ISO/SAE 21434:2021 (Road Vehicles — Cybersecurity Engineering), have a concrete, credible disclosure to make. Companies whose management team lacks any disclosed cybersecurity expertise face questions from investors and analysts about the adequacy of their cybersecurity governance.
This provision has accelerated a trend already underway: the elevation of Chief Information Security Officers (CISOs) and Chief Product Security Officers (CPSOs) to positions with genuine management authority and board-level access. The disclosure obligation creates an external accountability mechanism for cybersecurity governance that was previously internal.
guibert.law Insight
Public technology companies with embedded systems products face a specific disclosure complexity: a cybersecurity vulnerability in a shipped product may create both an SEC disclosure obligation (if material to investors) and a product safety or regulatory notification obligation (if it affects safety-critical functions). These obligations run on different timelines to different recipients and have different content requirements. The internal process must be capable of managing all of them simultaneously.
Compliance Checklist
The following items represent the minimum governance infrastructure for SEC cybersecurity disclosure compliance: a written incident response plan (IRP) that includes a materiality determination step with defined criteria and a designated decision-maker; a cross-functional cybersecurity disclosure committee with defined membership and meeting protocols; a pre-drafted 8-K disclosure template for cybersecurity incidents; a board-level cybersecurity risk oversight framework documented in board minutes and committee charters; an annual 10-K disclosure process that captures the cybersecurity risk management process, board oversight, and management expertise information; and tabletop exercises that specifically test the materiality determination and four-day disclosure workflow.
Attorney advertising. The information in this post is provided for general informational purposes and does not constitute legal advice. Prior results do not guarantee a similar outcome. © 2026 guibert.law