
SEC’s New Cyber Incident Disclosure Requirements Will Go Into Effect in December

Kelly Ruane Melchiondo

Come December 2023, public companies will have a very narrow window to report cybersecurity incidents that materially affect their companies. Companies will also have to report annually how they assess and manage cybersecurity threats at the Board and management levels.

The Securities and Exchange Commission (SEC) voted on Wednesday, July 26, 2023, 3-2 along party lines, to adopt rules that require registrants to disclose on a new Item 1.05 of Form 8-K any “material” cybersecurity incidents, within four days after registrants determine any such incident to be material. Registrants must also disclose the nature, scope and timing of the incident, and its material or reasonably likely material impact on the registrant. Foreign private issuers must file Form 6-K to report material cybersecurity incidents.

The new four-day disclosure period may only be delayed if the United States Attorney General—not the registrant—believes that immediate disclosure would pose a substantial risk to national security or public safety. 

In addition to ad hoc disclosures of material incidents, starting in December, public companies will also have to include in their annual reports on Form 10-K information about the processes by which they assess, identify and manage material risks from cybersecurity threats. Registrants’ yearly disclosures must also include the material, or reasonably likely material, effects that cybersecurity threats and incidents pose for those registrants. In their 10-K filings, registrants must also describe their board’s oversight of risks from cybersecurity threats, and their management’s role and expertise in assessing and managing material risks from cyber threats. Foreign private issuers must file Form 20-F to report annually their cybersecurity risk governance and management.

The SEC touted the rules as beneficial for investors, companies and the market. Not everyone agrees. Business leaders and cybersecurity professionals alike are sounding the alarm over the four-day mandatory public disclosure period. Disclosure to the SEC within four days of determining “materiality” of a breach could tip off bad actors to vulnerable systems before those companies have the chance to fully address or patch the vulnerabilities. Worse yet, public disclosure to a bad actor otherwise unaware that it has been exposed may prompt the bad actor to take further catastrophic action to damage or destroy the company’s systems. 

While we wait to see whether the rules will bring about these doomsday scenarios, here are the deadlines that public companies must watch out for:

Form 10-K and 20-F annual disclosures will be due beginning with the companies’ annual reports for fiscal years ending on or after December 15, 2023. 

Form 8-K and 6-K disclosures will be due beginning the later of 90 days after the date of publication of the SEC’s adopting release in the Federal Register, or December 18, 2023. 
