New SEC Rules on Cybersecurity Risk Management and Disclosure

Here’s an announcement from the US Securities and Exchange Commission (SEC) that may have slipped by you this week. The SEC adopted new rules requiring public companies to disclose material cybersecurity incidents and to provide annual information on their cybersecurity risk management, strategy, and governance; the rules cover foreign private issuers as well. The goal is to provide investors with consistent, comparable, and useful cybersecurity information in a timely manner. The rule was originally proposed in March of 2022. Under the new rules, companies must disclose on Form 8-K any cybersecurity incident they determine to be material, and the disclosure must describe the nature, scope, timing, and impact of the incident. The 8-K is generally due 4 days after the materiality determination, but it can be delayed if disclosure poses risks to national security or public safety (as determined by the US Attorney General). This is similar to the EU rule that requires disclosure within three days.

Regulation S-K Item 106

The new Regulation S-K Item 106 requires companies to report, once a year, their processes for assessing, identifying and managing cybersecurity risks and incidents. This disclosure should include the board's oversight of cyber risks and management's expertise in managing them. These disclosures will be in the 10-K; foreign private issuers will make the disclosures about material cyber incidents in their 6-Ks and those about cyber risk management, strategy and governance in their 20-Fs. The rules take effect 30 days after Federal Register publication. 10-K and 20-F disclosures apply to fiscal years ending on or after 12/15/2023. 8-K and 6-K disclosures apply 90 days after publication (smaller reporting companies get an extra 180 days). To comply with the structured data requirements, the disclosures must be tagged in Inline XBRL one year after initial compliance under the final rules.

Michael Fauscette

High-tech leader, board member, software industry analyst, author and podcast host. He is a thought leader and published author on emerging trends in business software, AI, generative AI, agentic AI, digital transformation, and customer experience. Michael is a Thinkers360 Top Voice 2023, 2024 and 2025, and Ambassador for Agentic AI, as well as a Top Ten Thought Leader in Agentic AI, Generative AI, AI Infrastructure, AI Ethics, AI Governance, AI Orchestration, CRM, Product Management, and Design.

Michael is the Founder, CEO & Chief Analyst at Arion Research, a global AI and cloud advisory firm; advisor to G2 and 180Ops, Board Chair at LocatorX; and board member and Fractional Chief Strategy Officer at SpotLogic. Formerly Michael was the Chief Research Officer at unicorn startup G2. Prior to G2, Michael led IDC’s worldwide enterprise software application research group for almost ten years. An ex-US Naval Officer, he held executive roles with 9 software companies including Autodesk and PeopleSoft; and 6 technology startups.

Books: “Building the Digital Workforce” - Sept 2025; “The Complete Agentic AI Readiness Assessment” - Dec 2025
