The New Regulatory Reality
As of December 18, 2023, public companies must disclose a cybersecurity incident on Form 8-K (Item 1.05) within four business days of determining that the incident is material. Additionally, annual reports must describe the company's cybersecurity risk management, strategy, and governance (Regulation S-K Item 106). The rules were adopted by the SEC on July 26, 2023.
| Requirement | Effective Date |
|---|---|
| Form 8-K incident disclosure | December 18, 2023 |
| Form 8-K incident disclosure (smaller reporting companies) | June 15, 2024 |
| Form 10-K annual disclosure | Fiscal years ending on or after December 15, 2023 |
Key Requirements
Incident Disclosure (Form 8-K)
- Timeline: Four business days after the company determines the incident is material; the rule requires that determination to be made without unreasonable delay after discovery, so the clock cannot be deferred by postponing the materiality analysis
- Content: The material aspects of the incident's nature, scope, and timing, and its material impact (or reasonably likely material impact) on the company, including its financial condition and results of operations; information that is not yet determined at filing is added later by amendment
- Exceptions: Disclosure may be delayed only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing; the initial delay is up to 30 days and may be extended
Annual Disclosure (Form 10-K)
- Processes for assessing, identifying, and managing material cybersecurity risks, and whether any such risks have materially affected or are reasonably likely to materially affect the company
- Board oversight of cybersecurity risk, including any board committee responsible and how the board is informed
- Management's role and expertise in assessing and managing material cybersecurity risk
Determining Materiality
This is where many organizations struggle. The SEC applies the existing securities-law standard: information is material if there is a substantial likelihood that a reasonable investor would consider it important. Materiality is therefore not just the direct cost of an incident; consider as well:
- Reputational harm
- Regulatory consequences
- Litigation risk
- Business disruption
Board-Level Considerations
Because the annual report must describe how the board oversees cybersecurity risk, boards now need to be able to show that oversight in practice:
- Regular briefings from security leadership
- Understanding of the organization’s risk appetite
- Involvement in incident response planning
How AlphaONE Supports Compliance
Our vCISO services help organizations:
- Develop materiality assessment frameworks
- Prepare board-ready cybersecurity reports
- Establish incident response processes aligned with disclosure requirements
Need help preparing for SEC scrutiny? Contact our GRC team.
