Safeguard
Compliance

SEC cybersecurity disclosure rules for public companies

The SEC's 2023 rules give public companies four business days to disclose material cyber incidents. Here's what triggers the clock, and how supply chain visibility keeps you compliant.

James
Principal Security Architect
7 min read

In July 2023, the SEC voted 3-2 to adopt new cybersecurity disclosure rules that fundamentally changed how public companies talk about breaches. The headline requirement: material cybersecurity incidents must be disclosed on Form 8-K within four business days of determining they're material — not four days after discovery, four days after a materiality determination that companies are expected to make "without unreasonable delay." The rules also created a new annual disclosure obligation, Item 106 of Regulation S-K, requiring companies to describe their cybersecurity risk management processes and board oversight in every 10-K. Enforcement has already followed: the SEC charged SolarWinds and its CISO personally in October 2023, and settled with R.R. Donnelley for $2.125 million in June 2024. For CISOs and general counsel, this isn't theoretical compliance risk anymore. It's a four-day clock, a materiality judgment call, and now, personal liability exposure tied directly to how well you can actually see and manage risk across your software supply chain.

When did the SEC's cybersecurity disclosure rules take effect?

The rules took effect in two stages tied to specific dates. Item 1.05 of Form 8-K (the incident disclosure requirement) applied to all registrants except smaller reporting companies starting December 18, 2023; smaller reporting companies got an additional 180 days, becoming subject to it on June 15, 2024. The annual disclosure requirements under Item 106 of Regulation S-K applied to annual reports for fiscal years ending on or after December 15, 2023 — meaning most calendar-year filers had to include the new cybersecurity governance section in their 10-K filed in early 2024. Foreign private issuers face parallel requirements through Form 6-K and amendments to Form 20-F. The rules were adopted on July 26, 2023, giving companies roughly five months to build the internal processes needed to actually meet a four-business-day disclosure window — a timeline that caught many security and legal teams underprepared.

What has to go into the Form 8-K after a material incident?

The 8-K under Item 1.05 must describe the material aspects of the incident's nature, scope, and timing, plus its material impact or reasonably likely material impact on the company, including its financial condition and results of operations. Companies don't need forensic certainty — the rule requires disclosure based on information available at the time, with amendments permitted as new material information emerges. The four-business-day clock starts at the moment the company determines materiality, not at the moment an incident is detected, which means the real compliance risk sits in how fast an organization can triage and assess impact. There is one narrow exception: if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety, the SEC can permit a delay of up to 30 days, extendable in additional 30-day increments up to a total of 60 days in most cases, or longer in extraordinary circumstances involving ongoing national security threats.

How does the SEC decide if a cybersecurity incident is "material"?

Materiality follows the long-standing securities law standard from TSC Industries v. Northway: information is material if there is a substantial likelihood that a reasonable investor would consider it important, or if it would alter the total mix of information available. The SEC explicitly told registrants to weigh both quantitative factors (direct costs, remediation spend, lost revenue, litigation exposure) and qualitative factors (reputational harm, competitive disadvantage, regulatory scrutiny, or effects on customer or vendor relationships). Notably, the SEC has stated that a registrant cannot avoid disclosure simply by concluding an incident is immaterial because no data was exfiltrated or because the incident only affected a third-party vendor. The MeridianLink case in November 2023 illustrates how fast this plays out in practice: the ALPHV/BlackCat ransomware group, after breaching MeridianLink, filed a complaint directly with the SEC alleging the company hadn't disclosed the incident within four days — using the new rule itself as a pressure tactic, before the mandatory compliance date had even arrived.

What ongoing disclosures does Item 106 require every year?

Item 106 requires every 10-K to describe, in plain terms, the company's processes for assessing, identifying, and managing material risks from cybersecurity threats, and how the board and management oversee that program. Specifically, companies must disclose whether cybersecurity processes are integrated into the overall risk management system, whether the company engages third-party assessors or consultants, and — critically for supply chain security — whether and how the company oversees risks from third-party service providers it relies on. Companies must also identify which board committee or role (such as a CISO) is responsible for cybersecurity oversight, how often that group is briefed, and management's relevant expertise. This isn't a one-time filing; it's a recurring annual disclosure that regulators, plaintiffs' attorneys, and institutional investors now compare year over year, so vague boilerplate ("we take security seriously") is increasingly conspicuous by its lack of specifics.

What happens if a public company gets disclosure wrong?

Non-compliance now carries direct enforcement risk, including personal liability for security leaders — not just corporate fines. In October 2023, the SEC charged SolarWinds and its CISO, Timothy Brown, with fraud and internal control failures, alleging the company misled investors about cybersecurity risks known internally before the 2020 Sunburst supply chain attack; this marked the first time the SEC pursued an individual CISO for disclosure-related securities fraud. In June 2024, the SEC settled with R.R. Donnelley & Sons for $2.125 million over disclosure controls failures tied to a 2021 ransomware incident, finding the company's internal reporting hadn't gotten timely, complete information to the people who needed to make disclosure decisions. Beyond SEC enforcement, inadequate disclosures create exposure to shareholder derivative suits and securities class actions — the 2023 MOVEit breach, which compromised data at more than 2,500 downstream organizations tied to a single third-party software vendor, triggered dozens of such suits within months.

Why does software supply chain risk matter for SEC disclosure compliance?

Because a growing share of material incidents originate in third-party code and vendors, not in a company's own infrastructure, and Item 106 explicitly requires disclosure of how that risk is managed. SolarWinds, MOVEit, and the Log4j (Log4Shell) crisis before them all demonstrate the same pattern: a vulnerability or compromise in a single upstream component can create material impact across thousands of downstream organizations simultaneously. To satisfy Item 106's requirement to describe third-party risk oversight, and to meet the four-business-day 8-K clock when a supply chain component is compromised, companies need continuous visibility into what open-source and third-party software is actually running in production, which vulnerabilities are exploitable versus theoretical, and evidence of how quickly the organization can assess and act. Without an accurate, current software bill of materials and a working remediation pipeline, "we don't yet know if this is material" can stretch well past four business days — and that delay itself becomes the disclosure failure the SEC now actively pursues.

How Safeguard Helps

Meeting the SEC's four-day materiality clock requires knowing, in minutes rather than weeks, whether a newly disclosed vulnerability or compromised dependency actually reaches exploitable code in your production environment — which is exactly what Safeguard's reachability analysis is built to answer, cutting through the noise of theoretical CVEs to surface what's genuinely material. Griffin AI, Safeguard's security assistant, triages incoming threat intelligence and vulnerability data against your live software supply chain so security and legal teams can make a documented materiality determination fast, with an audit trail to show the board and regulators. Safeguard's automated SBOM generation and ingest keeps a continuously current inventory of every open-source and third-party component in your applications, directly supporting the Item 106 requirement to describe third-party risk oversight processes. And when a fix is needed, Safeguard's auto-fix pull requests remediate vulnerable dependencies immediately, shrinking the gap between "we found it" and "we fixed it" — the same gap regulators are now scrutinizing when they ask why disclosure took longer than four business days.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.