The new SEC Cyber Disclosure Rule took effect in December 2023. It is designed to increase transparency and consistency in the reporting of cybersecurity risks and incidents, enhance cybersecurity preparedness, and enable investors to make informed decisions. Publicly traded companies have likely already adapted their risk management strategies accordingly, but best practices continue to emerge.
We talked to Breach Coach® experts Jillian Seifrit and Daniel Pepper of Fisher Phillips LLP about the impact the new cyber incident disclosure requirements have had on risk management strategy, and the top actions organizations can take right now to avoid exposure.
Understanding the New SEC Cyber Disclosure Rule
What is the SEC’s Cyber-Incident Disclosure Rule (Item 1.05 of Form 8-K)?
The new SEC cybersecurity rule is a regulation requiring publicly traded companies to disclose material cyber incidents within four business days of determining their materiality.
Companies must include the nature, scope, and timing of the incident. If full details are not available at the time of filing, companies must amend the Form 8-K once more information becomes known.
What types of cyber incidents must be disclosed?
The regulation concerns those incidents that are material to investors, such as ransomware attacks, data breaches with customer or financial data exposure, or incidents affecting operational integrity.
What counts as a “material” incident in SEC cyber incident reporting?
If a reasonable investor would consider the incident important when making investment decisions, it would be considered a material cybersecurity incident—typically if it affects financials, operations, reputation, or regulatory standing.
How the New SEC Cyber Disclosure Rule Affects Companies
Have the SEC cyber disclosure rules created unexpected challenges for companies?
The rules have pressured companies to make rapid materiality judgments under high uncertainty, often with incomplete data.
What consequences have companies faced for non-compliance?
The SEC has already issued enforcement orders, including fines of up to $4 million, signaling a serious intent to enforce the rule.
For instance, Unisys Corp., a global provider of technical and enterprise IT services, was hit with a $4 million penalty for describing risks related to cybersecurity events as “hypothetical,” despite knowing it had experienced two SolarWinds-related intrusions. Unisys cooperated in providing the staff with lengthy and detailed presentations, summarizing specific factual issues, and taking steps to remediate its control deficiencies.
Another example is Mimecast Ltd., which provides cloud security and risk management services for email and corporate information. The company failed to disclose the nature of the code that a threat actor exfiltrated and the quantity of encrypted credentials accessed. As a result, Mimecast had to pay a $990,000 fine. Like Unisys, Mimecast cooperated with the staff throughout the entirety of the investigation, including giving detailed explanations, analysis, and summaries of multiple specific factual issues; conducting an internal investigation; and taking steps to enhance its cybersecurity controls.
What are some common mistakes companies are making in cyber incident report disclosures?
Many companies continue to submit vague, boilerplate statements; fail to assess materiality promptly; or misjudge the incident’s scope and impact. The reality is that companies are in a tough space. Within four days of a major incident, they may not have a lot of specific details to share. The key seems to be amending the 8-K to reflect any new information learned.
Best Practices and Proactive Steps for SEC Cyber Incident Reports
What are the major learnings from Year One?
Speed and judgment matter. Companies need protocols to rapidly assess materiality and coordinate disclosure. Determining materiality is a legal judgment that depends on SEC precedent, risk tolerance, and evolving enforcement posture. Legal teams must partner with CISOs and communications teams not just reactively, but in designing protocols that guide disclosure decisions. We have seen companies begin drafting incident playbooks, integrating legal, IT, and investor relations teams to reduce disclosure friction.
Some emerging best practices include:
- Pre-drafting templates for Item 1.05 disclosures
- Preparing materiality playbooks in incident response plans
- Establishing cross-functional breach response teams
- Conducting regular materiality training sessions
How does the rule affect cyber risk management and cybersecurity governance?
The rule makes cybersecurity a boardroom issue. Governance, incident tracking, and public messaging now require executive oversight. It also transitions cybersecurity from IT to a broader risk management function that includes HR and legal. Workforce missteps, like phishing clickthroughs, data mishandling, or unauthorized downloads, can now be material under SEC definitions.
It reinforces the idea that cybersecurity is not just a tech or legal issue; it’s a workforce issue. Insider threats, employee mishandling of data, and inadequate training can all trigger material incidents. Companies need cross-functional response plans that account for employee behavior and labor law obligations.
It also makes CISOs more prominent in risk management. They now often brief leadership and legal on materiality, timelines, and technical insights to support disclosure.
Can companies delay cyber incident reporting disclosures for national security reasons?
Yes, under certain circumstances and with written support from agencies like the DOJ or DHS.
How does the SEC cyber disclosure rule intersect with employment and HR law?
Disclosure of a cyber incident can create tension with labor law and employee privacy rights. For example, if a breach affects unionized employees or involves surveillance technologies, notice obligations or bargaining requirements may apply.
What happens if a company underreports or delays disclosure?
The company faces reputational damage, SEC enforcement, litigation risk, and potential shareholder backlash.
How should companies prepare for SEC inquiries?
Maintain detailed incident response documentation, legal memos on materiality, and internal communication records.
- Review your incident response protocols to ensure they support rapid materiality assessment.
- Coordinate with legal, compliance, IT, and investor relations teams to streamline post-incident reporting.
- Assess your cybersecurity posture to reduce enforcement risk.
Are third-party breaches included in Item 1.05 disclosures?
Yes, if the breach materially impacts the registrant, even if the incident originated with a vendor or partner. This is especially relevant for HR and employment systems that use cloud-based platforms holding sensitive workforce data such as payroll, benefits, and disciplinary records. These systems are increasingly the target of credential-based attacks and misconfiguration risks.
Get Help Complying With Cyber Incident Disclosure Requirements
As the SEC rule reaches its one-year mark, companies must be ready to meet the heightened expectations around transparency and timelines.
Fisher Phillips helps clients not only follow SEC expectations but also reduce the employee-related risks that frequently drive incidents, from phishing and credential compromise to misdelivery of sensitive information. Its cross-disciplinary team draws on decades of experience in labor law, internal investigations, and breach response.
It also advises clients not only on disclosure strategy but also on workforce behavior, insider threat mitigation, and HR vendor vulnerabilities—the factors that frequently trigger incidents.
Failure to comply is a regulatory risk, but it can also damage investor trust and lead to significant penalties. Fisher Phillips can help companies assess their readiness and align their processes with SEC expectations. Learn more about Fisher Phillips' Data Protection and Cybersecurity team.
Need help creating your cybersecurity game plan? NetDiligence® can help. Learn about NetDiligence cyber risk solutions, including Breach Plan Connect®, an on-the-go incident response app that makes creating and customizing your incident response plan fast, easy, and affordable. Start your free trial today and stay prepared to face modern-day cyber threats.
