SEC and Cybersecurity: The New Disclosure Obligations that have Transformed the Role of the CISO
The SEC's rules on the disclosure of cyber incidents, effective from December 2023, require reporting of material incidents within four business days via Form 8-K. In May 2025, American banking associations petitioned the SEC to revoke the rule. The practical outcome: the CISO has become a direct interlocutor for the board and legal department in materiality decisions.
On 26 July 2023, the SEC adopted final rules on cybersecurity risk management, strategy, governance, and incident disclosure by public companies. The rules became effective on 5 September 2023; compliance with the incident-disclosure item was required from 18 December 2023 for most registrants and from 15 June 2024 for smaller reporting companies. The impact on the role of the CISO was immediate and structural.
The central obligation: any cybersecurity incident the company determines to be material must be disclosed under Item 1.05 of Form 8-K within four business days of the materiality determination (counted from the determination, not from discovery of the incident). The only permitted delay is where the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety. The disclosure must describe the material aspects of the nature, scope, and timing of the incident, and its material impact or reasonably likely material impact on the company, including on its financial condition and results of operations. The rule does not require the company to disclose technical details of the incident or of its response that would themselves impede remediation.
What Changed in Practice
Prior to the rules, a security incident was primarily an operational and IT matter. Following the rules, it became simultaneously a legal, regulatory, and investor relations issue. The CISO, who historically reported to the CIO or COO, now interfaces directly with the Board of Directors, the CEO, and the General Counsel for every incident that might reach the materiality threshold.
The defining question of the process is: is this incident material? Materiality, in the SEC's sense, asks whether there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision. This is a legal assessment, not a technical one. And the rule requires it to be made without unreasonable delay after the incident is discovered, so it cannot wait for the forensic investigation to conclude: the decision is measured in hours, not days.
The Annual Governance Disclosure
In addition to incident reporting, the rules added Item 106 to Regulation S-K, requiring annual disclosure in the Form 10-K of: the processes for assessing, identifying, and managing material risks from cybersecurity threats; the Board's oversight of those risks; and management's role and relevant expertise in assessing and managing them. The proposed requirement to disclose the cybersecurity expertise of individual Board members was dropped from the final rule.
Even so, the Board-oversight requirement has had the most visible effect on the job market: in 2024 and 2025, listed companies markedly increased the recruitment of independent directors with security backgrounds.
The Resistance from the Financial Sector
On 22 May 2025, a group of American banking associations, including the American Bankers Association and the Bank Policy Institute, petitioned the SEC to rescind Item 1.05 of Form 8-K, the four-business-day incident reporting requirement; the petition does not target the annual governance disclosures under Item 106. The central argument: rapid public disclosure of ongoing incidents may benefit attackers still within the company's systems, while also creating disproportionate market risks before the full facts are known.
The SEC has yet to formally respond to the petition. For listed companies, the rule remains in effect while the regulatory debate continues, and disclosure timelines and materiality procedures should be maintained as if it will stay in force.
The Implication for CISOs
A CISO at a listed company in 2026 needs competencies beyond technical security: executive communication, an understanding of legal materiality, and the ability to translate technical events into risk language for the Board. The executive search market is reporting growing demand for CISOs with prior experience in regulatory compliance or investor relations.