
SEC Cybersecurity Incident Disclosure Requirements

A comprehensive guide to SEC cybersecurity incident disclosure requirements — 8-K filing obligations, materiality determination, timing rules, and how RIAs and public companies should prepare for disclosure obligations.


Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

The SEC cybersecurity disclosure landscape

The SEC has fundamentally changed how cybersecurity incidents must be disclosed. Its cybersecurity disclosure rules for public companies were adopted in July 2023, and in parallel it has brought enforcement actions against investment advisers over data security failures and misleading statements about them. Together these establish that cybersecurity incidents can be material events requiring prompt, accurate disclosure.

For public companies, the rule requires disclosure of material cybersecurity incidents on Form 8-K (Item 1.05) within four business days of determining that an incident is material. Compliance with Item 1.05 began on December 18, 2023 (June 15, 2024 for smaller reporting companies). The rule also requires annual disclosure of cybersecurity risk management, strategy, and governance in Form 10-K (Item 106 of Regulation S-K).

For registered investment advisers, the 8-K requirement does not apply unless the adviser is itself a public reporting company. An RIA's obligations come from other sources. The amended Regulation S-P requires notifying affected individuals as soon as practicable, and no later than 30 days, after the firm becomes aware that sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization (compliance required from December 3, 2025 for larger entities and June 3, 2026 for smaller ones). Form ADV disclosures about cybersecurity risk must remain accurate. And, as the enforcement actions show, advisers may not make misleading statements about their cybersecurity practices or about an incident. There is no standing requirement for an RIA to file an incident report with the SEC, but the SEC asks about incidents in examinations and investigations, and those inquiries must be answered completely and accurately.

The common thread across SEC-regulated entities is materiality: whether a reasonable investor would consider the information important in making an investment decision. Incidents that affect client data, firm operations, financial condition, or reputation are likely to be material.

Understanding these obligations before an incident occurs is critical. During an active incident you will not have time to research the rules. This guide prepares you to handle disclosure obligations quickly and correctly.

8-K filing requirements for cybersecurity incidents

Item 1.05 of Form 8-K requires public companies to disclose material cybersecurity incidents within four business days of determining that an incident is material. The rule applies directly only to public reporting companies, but it is the clearest statement of what the SEC considers prompt, adequate incident disclosure, and it shapes expectations for other registrants, including RIAs.

What must be disclosed: the material aspects of the nature, scope, and timing of the incident, and its material impact or reasonably likely material impact on the company, including financial condition and results of operations.

What is not required: remediation status, whether the incident is ongoing, or specific technical details about your systems, networks, or vulnerabilities. Instruction 4 to Item 1.05 states that a registrant need not disclose specific or technical information about its planned response, its cybersecurity systems, or potential system vulnerabilities in such detail as would impede its response or remediation. Describe the business impact without handing attackers a roadmap or compromising an ongoing law enforcement investigation.

When the clock starts: the four-business-day period runs from the materiality determination, not from when the incident occurred or was first detected. That gives you time to investigate and assess before the disclosure obligation is triggered. It is not open-ended: Item 1.05 requires the determination to be made without unreasonable delay after discovery, and slow-walking the assessment to avoid disclosure is itself an enforcement risk. Record the date and time of the determination, because that timestamp is what the deadline is measured from.

Non-material incidents: Item 1.05 is reserved for incidents the company has determined to be material. SEC staff have stated that a company choosing to disclose an incident it has not determined to be material, or has determined is not material, should do so under Item 8.01 (Other Events) rather than Item 1.05, so that an Item 1.05 filing keeps its meaning for investors.

National security delay: if the Attorney General determines that disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing, the filing may be delayed for up to 30 days, extendable by a further 30 days and, in extraordinary circumstances, by an additional 60 days (120 days in total). Companies seek this through the FBI and DOJ. It is rare and not something to plan around.

For RIAs that are not public companies, the 8-K requirement does not apply directly. The SEC does expect RIAs to notify affected clients promptly (the amended Regulation S-P sets an outer bound of 30 days after becoming aware of unauthorized access to sensitive customer information), to update Form ADV if the incident changes the firm's risk profile or makes existing disclosures inaccurate, and to respond fully and accurately to SEC inquiries. The four-business-day standard is a sensible internal benchmark for how quickly to notify clients, but for RIAs it is a best practice rather than a rule.

Materiality: the critical determination

Materiality is the gateway to SEC disclosure obligations. An incorrect materiality determination, either failing to recognize a material incident or unreasonably delaying the assessment, can itself become an enforcement issue.

The SEC uses the traditional securities law definition: information is material if there is a "substantial likelihood that a reasonable investor would consider it important" in making an investment decision, or if it would "significantly alter the total mix of information made available." The test is both quantitative and qualitative; there is no fixed dollar threshold.

Applying that test to a cybersecurity incident means weighing several factors together:

Financial impact: what are the direct costs (remediation, legal, notification) and indirect costs (business interruption, lost revenue, customer attrition)? Even relatively small dollar amounts can be material if they affect the firm's operations or client trust.

Scope of data affected: how many clients were affected, and what type of data was compromised? Client financial data, trading strategies, and personally identifiable information carry different weights. A breach affecting 10,000 clients is more likely material than one affecting 10, but a small breach can still be material if the data is highly sensitive.

Operational impact: did the incident disrupt your ability to serve clients? Can clients access their accounts? Are trades delayed? Are reports unavailable? Operational disruption directly affects the services clients are paying for.

Reputational impact: would disclosure affect clients' or prospects' willingness to do business with you? In wealth management, trust is the primary product, and an incident that undermines it is very likely material.

Regulatory impact: does the incident trigger obligations under other regimes (state breach notification laws, FINRA rules, banking regulations, Regulation S-P)? Incidents that engage several regulators are more likely to be material.

Litigation risk: is the incident likely to produce lawsuits from affected clients or regulatory enforcement actions? Potential litigation is a contingency that may itself require disclosure.

Best practice: establish a materiality assessment framework before an incident. Document the factors you will consider, the people involved in the determination, and the timeline for the assessment. Make the framework part of your incident response plan and have legal counsel review it. During an incident you then apply a pre-established framework rather than inventing one under pressure.

Timing, process, and practical considerations

The timing of cybersecurity incident disclosure involves balancing competing pressures: the obligation to disclose promptly, the need to understand the incident before disclosing, the risk of disclosing inaccurate information, and the danger of appearing to delay disclosure to avoid market or client impact.

Establish a disclosure timeline process. The day counts below are an illustrative target, not a rule; the legal deadlines are the four business days after a materiality determination (public companies) and the Regulation S-P client-notice window (RIAs):

Day 1 (incident detection): activate your incident response plan, begin the investigation, and notify your cybersecurity lead, legal counsel, and compliance team.

Days 1-3 (initial assessment): determine the scope and nature of the incident, identify affected systems and data, and assess whether the incident may be material.

Days 3-7 (materiality determination): convene your materiality assessment team (typically general counsel, CCO, CFO, and cybersecurity lead), apply your pre-established framework, and document the assessment and decision, including the date and time of the determination, since that is what starts the 8-K clock.

If material (days following determination): prepare disclosure language, file the 8-K within four business days (public companies), notify affected clients promptly (RIAs), and update Form ADV if necessary.

Practical considerations for the disclosure process:

Legal privilege: involve legal counsel from the beginning. Have counsel engage the forensic investigators and direct the investigation, and keep privileged legal analysis separate from the operational records you would produce in the ordinary course of business. Privilege over incident investigations is frequently contested, and courts have ordered production of forensic reports that were prepared for business purposes, so treat privilege as something earned through process rather than assumed.

Insurance notification: notify your cyber insurance carrier within the timeframe specified in your policy (typically 24-72 hours after discovery). Late notification can jeopardize coverage. Your insurer can also provide experienced counsel, forensic investigators, and public relations support.

Law enforcement coordination: if the incident involves criminal activity (ransomware, data theft, fraud), consider reporting to the FBI through IC3 and your local field office. Cooperation with law enforcement can be a mitigating factor in SEC enforcement actions, and the national security delay to an 8-K is obtained through the FBI and DOJ, which is another reason to make contact early.

Client communication: prepare template client notifications in advance as part of your incident response plan and have them reviewed by legal counsel. During an incident, customize the template with incident-specific facts. Be honest about what you know and do not know, and avoid minimizing the incident; the SEC has penalized firms for downplaying breaches.

Employee communication: employees need to know what happened (at an appropriate level of detail), what the firm is doing about it, and how to respond to client inquiries. Designate a single point of contact for media and client questions.

Cyber Defense Agent supports the disclosure process by providing continuous security posture evidence. If an incident occurs, your CDA scan history shows that you had an active monitoring program in place, which supports a narrative of reasonably designed cybersecurity practices. It does not replace the materiality analysis or the disclosure itself.

Preparing for disclosure obligations today

Do not wait for an incident to prepare for disclosure. Build disclosure readiness into your cybersecurity program now.

Create a materiality assessment framework. Document the factors you will consider (financial impact, data scope, operational impact, reputational impact, regulatory impact, litigation risk), who will be involved in the assessment, and the timeline for completing the determination. Have legal counsel review this framework.

Prepare template disclosures. Draft template language for 8-K filings (if applicable), client notification letters, Form ADV amendments, employee communications, and media statements. Have legal counsel review these templates. During an incident you will customize them with specific facts rather than starting from scratch.

Establish your disclosure team. Identify the people who will be involved in materiality determinations and disclosure decisions: general counsel (or outside counsel), CCO, CFO/controller, cybersecurity lead, and senior management. Each person should understand their role and have a backup designee.

Integrate disclosure into your incident response plan. Your IRP should include disclosure checkpoints: when to initiate the materiality assessment, who makes the materiality determination, what the disclosure process is, and who approves final disclosure language.

Maintain continuous security evidence. The best disclosure position is demonstrating that you had a strong, active cybersecurity program before the incident. Cyber Defense Agent provides this evidence: continuous scan results, score trends, and remediation records that show proactive security management. This evidence can help address regulatory scrutiny and client concerns.

Conduct disclosure-focused tabletop exercises. In addition to your standard incident response tabletop, run a scenario focused specifically on the disclosure decision: present a hypothetical incident with ambiguous materiality and walk through the assessment process. This practice is invaluable during a real incident.

Start with a free Cyber Defense Agent scan at cyberdefenseagent.ai/check to establish your security baseline. Then build disclosure readiness into your broader cybersecurity program.

Key Takeaways


Public companies must disclose material cybersecurity incidents on Form 8-K within four business days of determining materiality.

RIAs must promptly notify affected clients of cybersecurity incidents (the amended Regulation S-P sets a 30-day outer bound once the firm is aware of unauthorized access to sensitive customer information), may need to amend Form ADV, and must answer SEC inquiries accurately.

Materiality determination is the critical decision — establish an assessment framework before an incident occurs.

The SEC has penalized firms for both delayed disclosure and for downplaying incidents — honesty and promptness are essential.

Cyber Defense Agent provides continuous security evidence that demonstrates proactive management and supports your position with regulators and clients during disclosure; it complements, but does not replace, the materiality analysis.


Frequently asked questions

Does the 4-day 8-K rule apply to my RIA?

The Item 1.05 Form 8-K requirement applies directly to public reporting companies. If your RIA is not a public reporting company, it does not apply. Your binding obligations come instead from Regulation S-P (client notice no later than 30 days after becoming aware of unauthorized access to sensitive customer information), from the duty to keep Form ADV accurate, and from the prohibition on misleading statements. Treating four business days as your internal target for client notification is a sound way to demonstrate good faith, but it is a best practice, not a rule the SEC has imposed on RIAs.

What if I am not sure whether an incident is material?

When in doubt, treat the incident as potentially material and begin your materiality assessment immediately. Document your analysis thoroughly, including the factors considered and the reasoning behind your determination. A documented, good-faith assessment that reaches a reasonable conclusion is a far stronger position than no assessment at all, even if the SEC would have reached a different conclusion.

Can I delay disclosure while investigating?

You can — and should — investigate before disclosing. The four-day clock starts at the materiality determination, not at incident detection. However, you cannot unreasonably delay your materiality assessment to avoid disclosure. The SEC expects the assessment to be made "without unreasonable delay" after detection. If you are clearly dealing with a significant incident, dragging out the investigation to avoid disclosure is an enforcement risk.

What technical details must I disclose?

The SEC explicitly stated that companies do not need to disclose specific technical details about their cybersecurity systems, vulnerabilities, or the details of an ongoing investigation. Disclosure should focus on: the nature and scope of the incident, the timing, and the material impact or reasonably likely material impact. You should describe the business impact without providing a roadmap for attackers.

How does CDA help with SEC disclosure requirements?

CDA provides three key benefits for disclosure readiness: (1) continuous monitoring evidence that demonstrates you had an active, proactive cybersecurity program before any incident, (2) post-incident scans that help assess the scope and impact of an incident on your external posture, and (3) documented security posture history that supports your narrative of reasonable cybersecurity practices to regulators, clients, and courts.
