The SEC’s cybersecurity disclosure rules, adopted in July 2023, require public companies to disclose material cybersecurity incidents on Form 8-K within four business days and describe their cybersecurity risk management, strategy, and governance in annual 10-K filings. As the rules enter their second full year of enforcement, the regulatory landscape is shifting.

Current Requirements

Incident Disclosure (Form 8-K, Item 1.05)

Public companies must file a Form 8-K within four business days of determining that a cybersecurity incident is material. The disclosure must describe the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact on the company.

A national security exemption allows the U.S. Attorney General to delay disclosure if it would pose a substantial risk to national security or public safety.

Annual Disclosure (Form 10-K, Regulation S-K Item 106)

Annual reports must describe processes for assessing, identifying, and managing material cybersecurity risks, whether cybersecurity risks have materially affected or are reasonably likely to affect the company, the board’s oversight of cybersecurity risk, and management’s role in assessing and managing cybersecurity risk.

Inline XBRL tagging using the Cybersecurity Disclosure Taxonomy has been required for fiscal years ending on or after December 15, 2024.

Political Developments

Administration Change

SEC Chair Paul Atkins, confirmed in April 2025, leads a Republican-majority Commission that has signaled a shift from the prior administration’s approach. In March 2025, Republican members of the House Financial Services Committee urged the SEC to withdraw several rules, including the cybersecurity rules. In May 2025, banking associations including the American Bankers Association petitioned the SEC to rescind the 8-K incident disclosure requirement.

SolarWinds Case Dismissed

On November 20, 2025, the SEC terminated its litigation against SolarWinds and its CISO relating to cybersecurity disclosures. This marked a significant retreat from the prior administration’s aggressive enforcement posture and raised questions about the SEC’s appetite for cybersecurity-related enforcement actions.

2026 Enforcement Direction

Cyber and Emerging Technologies Unit (CETU)

The SEC rebranded its Crypto Assets and Cyber Unit as the Cyber and Emerging Technologies Unit. The unit has stated it will focus on “public issuer fraudulent disclosure relating to cybersecurity,” suggesting a shift toward enforcement based on traditional fraud concepts rather than technical compliance failures.

2026 Examination Priorities

The SEC’s Division of Examinations identified cybersecurity as a “perennial examination priority” in its 2026 agenda, with reviews assessing cybersecurity governance frameworks, identity theft prevention controls, vendor oversight practices, and preparedness for AI-driven cyber threats.

Regulation S-P Amendments

Separately, the compliance deadlines for the amended Regulation S-P (customer data privacy) are phased. Larger firms (over $1.5 billion in AUM) had a December 3, 2025 compliance date, which has now passed and is in effect. Smaller firms have until June 3, 2026.

What Companies Should Do

Despite political uncertainty about the rules’ future, companies should maintain compliance. Continue to assess and report material cybersecurity incidents within four business days. Make sure 10-K cybersecurity disclosures are current and accurate. Verify Inline XBRL tagging is applied correctly. Document materiality determination processes for incidents. Maintain incident response procedures that support the four-day reporting timeline.

History demonstrates that regulatory requirements relaxed under one administration can be reimposed, and lax practices during a permissive period can result in enforcement actions years later.