SEC Cybersecurity Disclosure Rules: A 2026 Guide for CISOs
Written by
Dogan Akbulut
The SEC's cybersecurity disclosure rules are now fully operational, and scrutiny is intensifying. Since December 2023, every publicly traded company in the United States has been required to report material cybersecurity incidents within four business days of determining they are material — and to disclose its cybersecurity risk management processes, board oversight structure, and management expertise in its annual Form 10-K filing.
This is not a future obligation. It is today's compliance reality, and the consequences of getting it wrong range from SEC comment letters and enforcement actions to securities class action litigation and reputational damage that can move a stock price.
For CISOs, general counsel, and audit committee chairs navigating these requirements, this guide breaks down exactly what the rules require, how to make defensible materiality decisions, what the SolarWinds case revealed about enforcement risk, and what a compliant disclosure program looks like in practice.
The Two Core Disclosure Obligations Under the SEC's Cyber Rules
The SEC's cybersecurity rules, adopted on July 26, 2023, created two distinct but interconnected disclosure obligations for public companies.
Obligation 1 — Incident Disclosure on Form 8-K (Item 1.05)
When a company determines that a cybersecurity incident is material, it must file a Form 8-K under Item 1.05 within four business days of that determination.
Obligation 2 — Annual Governance Disclosure on Form 10-K (Item 106 / Item 1C of Regulation S-K)
Every annual report must describe the company's process for assessing, identifying, and managing material risks from cybersecurity threats, as well as the board's oversight role and management's expertise in cybersecurity risk management.
Both obligations are active for every U.S. public company right now. Understanding how each works — and where the practical traps are — is essential for any leadership team responsible for disclosure.
Form 8-K Item 1.05: The Four-Business-Day Disclosure Clock
What triggers the clock
The four-business-day reporting clock does not start when an incident occurs. It starts when a company determines that the incident is material. This distinction is critical and frequently misunderstood.
A company may discover a breach, spend days or weeks investigating it, and only then conclude it meets the materiality threshold. The clock begins at the point of that determination, not at the point of discovery. As the SEC has stated directly: the company must make a materiality determination without unreasonable delay.
What Item 1.05 requires you to disclose
When filing under Item 1.05, the company must describe the material aspects of the nature, scope, and timing of the incident. If the company has not yet determined the full impact at the time of the required filing, it must say so explicitly — and then file an amendment to its Form 8-K within four business days of when that information becomes available.
The SEC has been clear that companies cannot simply wait until a complete picture has emerged before filing. An incident can be so significant that it is determined to be material even before the full impact is quantified. In that situation, file with what you know, state what remains unknown, and amend when you have more.
Voluntary disclosure of immaterial incidents
If a company voluntarily chooses to disclose a cybersecurity incident that has not yet been determined to be material, or one that has been determined to be immaterial, the SEC strongly encourages using a different Form 8-K item — specifically Item 8.01 — rather than Item 1.05. This matters because Item 1.05 is explicitly titled "Material Cybersecurity Incidents," and using it for immaterial events creates investor confusion about the significance of the incident.
If an incident is initially disclosed under Item 8.01 as potentially immaterial, and is later determined to be material, the company must then file an Item 1.05 Form 8-K within four business days of that subsequent materiality determination.
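As an added example (not code from the original article), the following Python models the timeline described above: the four business days run from the materiality determination rather than discovery, an earlier voluntary Item 8.01 filing does not stop that clock, and an amendment gets its own four-business-day window once new impact information is available. The class and function names are my own, and the holiday set is a constructed placeholder standing in for a full federal holiday calendar.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, Set

# Constructed placeholder: a real program would load the complete U.S. federal
# holiday calendar; a few 2026 dates are enough to make the business-day logic visible.
SAMPLE_HOLIDAYS: Set[date] = {
    date(2026, 1, 1),   # New Year's Day
    date(2026, 1, 19),  # Martin Luther King Jr. Day
    date(2026, 2, 16),  # Presidents' Day
}


def day(iso: str) -> date:
    """Small helper so dates can be written as ISO strings ("2026-01-15")."""
    return date.fromisoformat(iso)


def add_business_days(start: date, n: int, holidays: Set[date]) -> date:
    """Date n business days after `start`; the triggering day itself is not counted,
    and weekends plus listed holidays are skipped."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


@dataclass
class IncidentDisclosureClock:
    """Tracks the Item 1.05 clock for one incident: the four business days run from
    the materiality determination, not from the day the incident was discovered."""
    discovered: date
    holidays: Set[date] = field(default_factory=set)
    materiality_determined: Optional[date] = None
    voluntary_item_801_filed: Optional[date] = None

    def file_voluntary_item_801(self, on: date) -> None:
        # Voluntary disclosure of an incident not (yet) determined material belongs under Item 8.01.
        if self.materiality_determined is not None:
            raise ValueError("incident already determined material; Item 1.05 applies")
        self.voluntary_item_801_filed = on

    def determine_material(self, on: date) -> None:
        if on < self.discovered:
            raise ValueError("materiality cannot be determined before discovery")
        self.materiality_determined = on

    def determination_lag_days(self) -> Optional[int]:
        """Calendar days from discovery to determination; a long lag is what invites
        'unreasonable delay' questions, so it is worth tracking explicitly."""
        if self.materiality_determined is None:
            return None
        return (self.materiality_determined - self.discovered).days

    def item_105_deadline(self) -> Optional[date]:
        """Item 1.05 Form 8-K due date, or None while no determination has been made."""
        if self.materiality_determined is None:
            return None
        return add_business_days(self.materiality_determined, 4, self.holidays)

    def amendment_deadline(self, info_available: date) -> date:
        """Due date for the amended 8-K once previously unknown impact information is available."""
        if self.materiality_determined is None:
            raise ValueError("no Item 1.05 filing to amend")
        return add_business_days(info_available, 4, self.holidays)


if __name__ == "__main__":
    clock = IncidentDisclosureClock(discovered=day("2026-01-05"), holidays=SAMPLE_HOLIDAYS)
    clock.file_voluntary_item_801(on=day("2026-01-07"))   # disclosed early, materiality still open
    clock.determine_material(on=day("2026-01-15"))        # a Thursday
    print("Item 1.05 due:", clock.item_105_deadline())    # weekend and MLK Day are skipped
    print("Amendment due:", clock.amendment_deadline(day("2026-02-02")))
```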
National security exceptions
There is a limited national security carve-out. If the U.S. Attorney General notifies the SEC that disclosure of a cybersecurity incident would pose a substantial risk to national security or public safety, the company may delay its Item 1.05 disclosure. This is a narrow exception and does not apply to most commercial incidents.
The Hardest Question: What Is "Material"?
Materiality is the central judgment every public company must make after a cybersecurity incident, and it is where most compliance programs are most exposed.
The SEC's rules do not define materiality with a bright-line financial threshold. Instead, they rely on the established securities law standard: an incident is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment or voting decision.
Materiality is not just about financial impact
This is the critical point that many organizations miss. The SEC has stated explicitly that materiality assessments should not be limited to impact on financial condition and results of operations. Companies must consider qualitative factors alongside quantitative ones.
Qualitative factors that must be assessed include:
Reputational harm. Does the incident damage the company's standing with customers, partners, or regulators in a way a reasonable investor would care about?
Customer and vendor relationship impact. Does the incident jeopardize key contracts, renewal rates, or supply chain relationships?
Competitive impact. Has proprietary information, trade secrets, or strategic data been exposed to competitors?
Regulatory and litigation risk. Does the incident create meaningful risk of regulatory investigation, enforcement action, or civil litigation? This includes exposure to state regulators, sector-specific regulators, and international authorities — not just the SEC.
Operational disruption. Has the incident impaired the company's ability to deliver products or services, even temporarily?
A company may determine an incident is material even if it cannot yet quantify the financial damage. Scope, severity, and the nature of data or systems involved can each independently support a materiality determination.
The materiality determination process itself is under scrutiny
How a company reaches its materiality determination — and how well it documents that process — is itself a disclosure and governance risk. Incident materiality determinations should be cross-functional, involving security, legal, finance, and communications teams. They should be documented with a clear record of what factors were assessed, when the assessment occurred, and who participated. That documentation becomes a critical defense if the determination is later challenged by the SEC, a plaintiff's firm, or a state regulator.
Form 10-K Item 106: Annual Cybersecurity Governance Disclosures
The annual report obligation under Item 106 of Regulation S-K is less time-pressured than incident reporting, but it is generating significant SEC comment letter activity in 2026 annual reporting cycles.
Three areas the annual report must address
1. Cybersecurity risk management processes
The Form 10-K must describe the company's processes for assessing, identifying, and managing material risks from cybersecurity threats. This includes whether the company engages third-party assessors, consultants, or auditors; how it manages third-party vendor risk; and how cybersecurity risk management is integrated into the overall enterprise risk management framework.
Boilerplate language is not sufficient. The SEC has issued comment letters asking companies to describe their actual processes rather than providing generic statements that apply to any company of any size in any industry.
2. Board oversight of cybersecurity risk
The annual report must describe the board's oversight of cybersecurity risk. This includes which board committee or committees are responsible for cybersecurity oversight, how often they are briefed, and what mechanisms exist for escalation of significant incidents or risks to the board level.
Audit committees most commonly hold this responsibility, but companies should describe the actual structure — not a theoretical one. If the full board receives periodic briefings, say so. If a dedicated risk committee has been formed, describe its composition and cadence.
3. Management's role and expertise
The disclosure must describe management's role in assessing and managing cybersecurity risks, including the relevant expertise of the individuals responsible. The SEC has specifically flagged in comment letters that companies should not limit this description to the CISO alone. Other members of the information security organization with material responsibilities should also have their qualifications described.
This is an area of active comment letter activity. If your current 10-K describes only the CISO's background, expect a comment asking for more detail about the broader team.
The SolarWinds Case: What It Taught the Industry
No analysis of the SEC's cybersecurity disclosure rules is complete without examining the SolarWinds enforcement action — and what its November 2025 dismissal actually means.
What the SEC alleged
In October 2023, the SEC filed suit against SolarWinds and its CISO, Timothy Brown, alleging that the defendants defrauded investors by overstating SolarWinds' cybersecurity practices and understating known risks. The case was the SEC's first cybersecurity enforcement action against a corporate executive and the first time the SEC asserted accounting control claims based on technical cybersecurity failings.
What the court decided in 2024
In July 2024, U.S. District Judge Paul Engelmayer dismissed most of the SEC's claims. The court rejected allegations tied to press releases, blog posts, and podcasts, characterizing them as non-actionable corporate puffery. It also rejected novel accounting controls claims and disclosure controls claims. What survived were the narrower claims tied to SolarWinds' public website Security Statement and whether the company's actual security practices materially diverged from what that statement described.
The 2025 dismissal and what it signals
On November 20, 2025, the SEC agreed to dismiss its remaining claims against SolarWinds with prejudice — without any settlement conditions — bringing the case to a close. The dismissal came as the new administration's SEC signaled a pivot away from nuanced disclosure deficiency cases and toward actions focused on egregious fraud with demonstrable investor harm.
What the dismissal does not mean
The SolarWinds dismissal does not mean public companies can relax their cybersecurity disclosure obligations. Several important points remain unchanged:
The cybersecurity disclosure rules adopted in 2023 are still fully in effect. Companies must still file Item 1.05 Form 8-Ks and Item 106 annual disclosures.
Other regulators — state attorneys general, sector-specific regulators, and international authorities — are not bound by the SEC's enforcement priorities and are independently active.
Private securities litigation is not constrained by SEC enforcement choices. Plaintiffs' firms mine public cybersecurity disclosures for inconsistencies with internal communications, and class actions following major incidents remain common.
The SEC's 2026 examination priorities explicitly list cybersecurity as a top focus area, with emphasis on governance, vendor oversight, access controls, and incident response programs.
The most durable lesson of SolarWinds is this: align your public statements with verified technical reality. The surviving claims were tied to divergence between what the Security Statement described and what the company's internal records showed. That divergence risk does not disappear because the SEC declined to pursue it in one specific case.
What the SEC Is Actually Focusing On in 2026
Based on the SEC's Division of Examinations 2026 priorities, comment letter patterns, and enforcement signals, the following areas are drawing the most scrutiny:
Cybersecurity governance documentation
The SEC expects sophisticated boards and executive teams to demonstrate not just the existence of cybersecurity programs, but their specificity, execution quality, and alignment with risk standards. This means probing actual vulnerability management processes, identity and access controls, incident response readiness, and third-party risk management — and whether responsible individuals can document how those programs operate.
AI-washing in cybersecurity disclosures
A rapidly emerging enforcement risk sits at the intersection of AI and cybersecurity disclosure. Companies that describe AI-powered security capabilities in their SEC filings, marketing materials, or investor communications need to ensure those descriptions are accurate and substantiated. The SEC has made clear that the same principles-based rules that require accurate cybersecurity disclosures apply equally to representations about AI capabilities. Overstating the autonomy, effectiveness, or maturity of AI-powered security tools carries real enforcement risk under existing securities laws.
Consistency across all public channels
The SEC and private litigants look at the full picture of a company's public statements about cybersecurity — not just the Form 8-K and Form 10-K. Website security statements, customer-facing documentation, investor presentations, earnings call remarks, and marketing materials can all be examined for consistency with internal records and formal disclosures. The SolarWinds litigation made clear that a public security statement on a company website is part of the total mix of information available to investors and is subject to materiality analysis.
Third-party and vendor risk disclosures
Annual reports that describe cybersecurity risk management processes must address how the company manages vendor and third-party risk. Given the volume of supply-chain incidents — from the 2020 SolarWinds breach to more recent attacks — how companies assess, monitor, and respond to third-party cyber risks is a key area of investor and regulatory interest.
CISO-Specific Liability: The New Personal Risk Landscape
One of the most significant and unsettling developments in the SEC's cybersecurity enforcement push was the direct targeting of a CISO as an individual defendant. While the claims against Timothy Brown were ultimately dismissed along with the case, the episode created lasting changes in how CISOs think about their own exposure.
What CISOs need to understand
Personal liability risk for CISOs remains real, even after SolarWinds. The threshold for SEC individual enforcement appears to have moved toward more egregious misrepresentations, but other pathways remain.
Directors and officers liability insurance coverage for CISOs is now a standard topic in executive employment negotiations and should be explicitly reviewed. CISOs should understand what their company's D&O policy covers in a cybersecurity enforcement context.
Internal communications carry significant weight. The SolarWinds case showed that internal emails and assessments in which the CISO acknowledged security gaps were used directly against the company's public statements. Written communications should reflect accurate technical realities — not aspirational ones.
CISOs have legitimate reason to insist on proper escalation processes, documentation of resource constraints that affect security programs, and clear records showing that risks were communicated upward. The goal is not to create a paper trail of excuses, but to ensure that the governance record accurately reflects how risk was identified, escalated, and addressed.
Practical steps for CISOs navigating disclosure obligations
Be part of the materiality determination process. When a significant incident occurs, CISOs should be at the table when the company's legal, finance, and communications teams make the materiality determination. Your technical input is essential to an accurate and defensible decision.
Align internal and external narratives. Before any public statement about cybersecurity capabilities or incident response is finalized, cross-check it against internal technical documentation. Divergence between what is said publicly and what is known internally is where enforcement actions originate.
Document the governance process. Maintain records of how security risks are escalated, what was reported to the board, and what corrective actions were taken. That documentation is your primary defense in any subsequent scrutiny.
Review public-facing security statements regularly. Security statements on company websites, in RFP responses, in customer contracts, and in marketing materials are all part of the total mix of public information. They should be reviewed at least annually against actual security practices.
Building a Compliant SEC Cybersecurity Disclosure Program
Most companies do not fail cybersecurity disclosure requirements because they lack awareness. They fail because security, legal, communications, and finance functions are operating in silos, without a shared process for identifying, assessing, and communicating cybersecurity risk to investors.
Here is how to build a disclosure program that holds up under scrutiny:
Establish a cross-functional incident response and disclosure team. Before an incident occurs, define who is involved in materiality determinations. This team should include the CISO, General Counsel, CFO or their designate, the Chief Communications Officer, and at least one member of senior management with board reporting responsibility.
Create a documented materiality assessment framework. The framework should walk through the qualitative and quantitative factors the SEC requires to be considered. It should assign responsibility for each factor, include a standard documentation template, and define escalation thresholds for engaging outside counsel.
Establish a four-business-day response protocol. The protocol should be triggered the moment a potential material incident is identified — not when it is confirmed as material. The company needs time to investigate, assess, draft, and file. A response protocol that is only activated after a materiality determination has been made creates unnecessary deadline risk.
Audit your public cybersecurity statements annually. Map every public statement about cybersecurity capabilities, practices, and governance against your actual current state. Where gaps exist, either update the statement or close the gap. Document the review.
Brief the board on cybersecurity at least quarterly. The Form 10-K must describe board oversight. That description needs to reflect real engagement — not a single annual briefing. Quarterly briefings with documented agendas and minutes are the standard that sophisticated companies are setting.
Ensure your Form 10-K descriptions are specific to your company. Generic disclosures that could be copied from any public company in any industry attract comment letters. Describe your actual risk management processes, your actual governance structure, and the actual qualifications of the actual people responsible for cybersecurity in your organization.
Integrate cybersecurity disclosure into your continuous compliance monitoring program. Point-in-time processes are insufficient for an obligation that requires four-business-day turnaround on incident disclosure. Continuous monitoring that surfaces potentially material incidents in real time — and automatically routes them through the disclosure assessment process — is the operational model that leading companies are building.
How This Intersects With SOC 2, ISO 27001, and AI Governance
Many public technology companies are already investing in SOC 2 Type II certifications, ISO 27001 implementations, and AI governance frameworks. Those investments create direct value in an SEC disclosure context.
SOC 2 audit evidence — control documentation, risk assessments, penetration test results, vendor management processes — directly supports the risk management process descriptions required under Form 10-K Item 106.
ISO 27001 certification provides an externally audited, internationally recognized framework that demonstrates the systematic approach to risk management the SEC expects to see. Companies with active ISO 27001 certifications can reference the framework in their annual disclosures as substantive evidence of their security governance posture.
AI governance documentation — particularly for companies using AI in their security programs or marketing AI-powered security capabilities — should be maintained with the same rigor as other compliance documentation. As the SEC intensifies focus on AI-washing, companies need to be able to substantiate every claim they make about the role of AI in their security and compliance programs.
A unified compliance platform that maps controls across SOC 2, ISO 27001, and SEC disclosure obligations gives companies a single source of truth for the evidence they need to satisfy all three frameworks simultaneously — without the manual overhead of running parallel programs.
Frequently Asked Questions
Does the four-day clock start when the incident is discovered or when materiality is determined? It starts when the company determines the incident is material. The company must make that determination without unreasonable delay after discovering a significant incident. Waiting weeks to assess materiality when the facts are available could itself be viewed as unreasonable.
What if we don't know the full impact of an incident within four business days? File with what you know. Include a statement that the full impact has not yet been determined and commit to amending the filing within four business days of when that information becomes available. Do not wait for a complete picture before filing.
Does the SEC rule apply to foreign private issuers? Yes, with modifications. Foreign private issuers have parallel disclosure obligations on Form 6-K for incident disclosure and Form 20-F for annual governance disclosures.
Does the rule apply to smaller reporting companies? Yes. All reporting companies must comply with Item 1.05 Form 8-K incident disclosure requirements. The annual governance disclosures under Item 106 also apply to all registrants.
Can a company disclose a cyber incident voluntarily without filing under Item 1.05? Yes. If the incident has not been determined to be material, or has been determined to be immaterial, the SEC encourages voluntary disclosure under Form 8-K Item 8.01 rather than Item 1.05 to avoid investor confusion about materiality.
What happens if a company files an Item 1.05 Form 8-K and later determines the incident was not material? The SEC's guidance does not explicitly address this situation, but consistent with the principles underlying the rule, companies should consider whether a corrective filing is warranted to avoid leaving misleading information in the public record.
The Bottom Line for CISOs and Compliance Teams
The SEC's cybersecurity disclosure rules have permanently changed the relationship between cybersecurity operations and investor-facing communications. The materiality determination process is now a core governance function — not a legal afterthought. The annual Form 10-K cybersecurity disclosure is now a living document that must reflect actual programs, actual governance, and actual expertise.
The SolarWinds dismissal narrowed one enforcement path. It did not eliminate enforcement risk, and it did not change the requirements. Private litigation, state regulators, and international authorities remain active, and the SEC's 2026 examination priorities confirm that cybersecurity governance is a sustained focus.
The companies that navigate this environment well are the ones that treat cybersecurity disclosure as a continuous compliance function — not a quarterly reporting exercise. They maintain real-time visibility into their security posture, document their governance processes rigorously, and align every public statement with verified internal reality.
DSALTA's AI-powered compliance platform helps public companies and their security teams build the continuous evidence collection, risk documentation, and governance workflows that SEC cybersecurity disclosure requires. From mapping SOC 2 controls to annual report requirements to maintaining audit-ready documentation for Form 10-K Item 106 disclosures, DSALTA gives compliance teams the infrastructure to stay current without the spreadsheet overhead.