SEC Cybersecurity Disclosure Rules: What CISOs Must Know in 2026
Material incident reporting timelines, annual cybersecurity disclosures, and the CISO's role in SEC compliance — including personal liability considerations for public company security leaders.
The Securities and Exchange Commission’s cybersecurity disclosure rules, which became effective in late 2023, have now been in operation long enough to generate enforcement precedent, legal challenges, and hard-learned lessons from organizations that have navigated material incident disclosures under the new regime. For CISOs at public companies — or companies considering public offerings — understanding these rules is no longer optional background knowledge.
The rules create two distinct disclosure obligations: a rapid-reporting obligation when material cybersecurity incidents occur, and an annual disclosure requirement covering the company’s cybersecurity risk management program, strategy, and governance. Both carry CISO-specific implications that go beyond the traditional boundaries of the security function.
The Material Incident Reporting Obligation
Under Item 1.05 of Form 8-K, public companies must disclose cybersecurity incidents that the company determines to be “material” within four business days of making that determination. The key phrase is “of making that determination” — not within four business days of the incident occurring.
This distinction matters enormously in practice. The SEC's framing places the duty on the company to make the materiality determination without unreasonable delay after it discovers the incident; the four-business-day clock then runs from that determination. Organizations that delay materiality assessment — whether due to incomplete forensic information, legal strategy, or organizational dysfunction — face the risk that the SEC will view the delay itself as a disclosure failure.
Materiality in the securities law context means information that a reasonable investor would consider important to an investment decision. The SEC has explicitly declined to provide a bright-line definition, which creates both flexibility and uncertainty. Incident characteristics that weigh toward materiality include: significant financial impact, operational disruption affecting core business functions, unauthorized access to large volumes of sensitive customer data, reputational damage likely to affect market perception, and incidents affecting critical systems that underpin revenue-generating operations.
The 8-K disclosure must describe: the material aspects of the nature, scope, and timing of the incident; and the material impact or reasonably likely material impact on the company. Notably, the SEC does not require disclosure of technical details that would themselves create security risks, and the rule contemplates that information may be provided before the investigation is complete.
Materiality Determination: The Process That Will Be Scrutinized
Following the SolarWinds enforcement action, in which the SEC pursued civil fraud charges against the company’s CISO, the materiality determination process has become a focus of legal and compliance attention at public companies. The enforcement theory alleged that the CISO knew of security deficiencies that were not adequately disclosed to investors.
Whether or not individual enforcement actions succeed on the merits, the message for CISOs is clear: the documentation of your materiality determination process will be examined if the SEC investigates a disclosure failure. Organizations that can demonstrate a structured, documented process — with legal, finance, and executive participation — are in a materially better position than those that cannot.
A defensible materiality determination process includes: defined escalation triggers that ensure incidents above a threshold reach legal and executive review promptly; a cross-functional materiality committee with documented authority and defined meeting protocols; a structured assessment framework that evaluates financial impact, operational impact, reputational impact, and regulatory implications; documented rationale for each determination (material or non-material); and records retention sufficient to reconstruct the decision process.
The CISO’s role in this process is to provide accurate, complete technical information to the decision-makers — not to make the materiality determination unilaterally. Materiality is a legal and business judgment that requires input from legal counsel, the CFO, and senior business leadership. CISOs who either over-escalate or under-escalate incidents create operational problems; CISOs who provide incomplete or misleading information to the materiality committee face personal liability exposure.
Annual Disclosures: Risk Management, Strategy, and Governance
The annual disclosure requirement (Item 106 of Regulation S-K) asks companies to describe their processes for identifying, assessing, and managing material risks from cybersecurity threats, whether those processes are integrated with overall enterprise risk management, whether and how the company engages third parties in assessing cybersecurity risk, and whether cybersecurity risks have materially affected or are reasonably likely to materially affect the company.
The governance section specifically requires disclosure of board-level cybersecurity oversight: which board committee oversees cybersecurity risk, how often the board or committee is informed of cybersecurity risks, and the expertise (if any) of board members responsible for cybersecurity oversight.
On management’s role, the disclosure must describe management’s role in assessing and managing cybersecurity risk — which typically means describing the CISO’s function, reporting line, and processes. Some companies have disclosed specific CISO qualifications and experience as part of this section.
The practical effect of these disclosure requirements is to create a public record of your security program’s design and governance that will be compared against your actual security posture in the event of an incident. Organizations that disclose robust risk management programs and then experience incidents that their program should have caught face enhanced investor litigation risk.
The CISO Personal Liability Question
The SolarWinds case was resolved without establishing clear liability precedent for CISOs, but it accelerated a shift in how general counsels and boards think about CISO risk. Several developments have followed:
D&O insurance coverage for CISOs. Directors and officers insurance policies traditionally covered board members and corporate officers. Many CISOs do not hold officer titles and are therefore not automatically covered. Public company CISOs should verify their coverage and, where necessary, negotiate inclusion. Some companies are now providing supplemental coverage specifically for the CISO role.
Employment agreements. CISO employment agreements are increasingly including indemnification provisions, expense advancement for legal defense, and retention of independent counsel rights in regulatory proceedings. These provisions are not unusual for C-suite officers and are worth negotiating.
Separation of reporting and certification. Some legal advisors are recommending that CISOs not be listed as certifying officers on securities filings, and that the CISO’s role in the disclosure process be that of information provider rather than certifier. The appropriate structure depends on the company’s specific facts and legal counsel’s guidance.
Information accuracy obligations. Regardless of formal certification, CISOs who knowingly provide false or misleading information that makes its way into securities filings face potential liability under securities fraud statutes. The obligation is to provide accurate, complete information to the disclosure process — not to certify the disclosure itself.
Preparing for SEC Examination or Investigation
The SEC’s Division of Enforcement has demonstrated sustained interest in cybersecurity disclosures. Organizations that experience significant incidents should assume the possibility of an SEC inquiry and structure their response accordingly.
Preserve all records related to the incident, the materiality determination process, and internal communications. Engage securities counsel early — before the SEC makes contact, if possible. Brief the board and audit committee on the incident and disclosure decisions. Coordinate the disclosure narrative across SEC filings, press releases, and other public communications to avoid inconsistency that could later be characterized as misleading.
CISOs who have built relationships with their general counsel and CFO — and who have documented their materiality assessment process before incidents occur — are in a fundamentally different position when an incident happens than those who have not. The investment in governance infrastructure is also, in the public company context, an investment in personal risk management.