The SEC’s Cyber Disclosure Rules: Compliance Strategies and Pitfalls – A Litigator’s Perspective
June 23, 2025

In an era of escalating cybersecurity threats and increasing investor scrutiny, the Securities and Exchange Commission's (SEC) cybersecurity disclosure rules, now in full effect for all public companies as of mid-2025, continue to reshape how companies assess, respond to, and disclose cyber risk. The final rule became effective on September 5, 2023,[1] with compliance requirements phased in: larger registrants became subject to the new incident-reporting obligations on December 18, 2023,[2] while smaller reporting companies were granted an extension until June 15, 2024.[3] Under the rule, companies must disclose material cybersecurity incidents within four business days of determining that an incident is material (Item 1.05 of Form 8-K), and must also provide annual disclosures in their Form 10-Ks (Item 1C, implementing Item 106 of Regulation S-K) describing their cybersecurity risk management, strategy, and governance.
While the rules are positioned as a compliance measure, their practical implications for litigators and risk managers have become more urgent over the past year. The rules convert prior interpretive guidance into enforceable line-item requirements, raising the stakes for late, vague, or inconsistent disclosures. As early enforcement actions and shareholder lawsuits emerge, companies face heightened litigation exposure, particularly where their incident response, board oversight, and public filings fail to align in hindsight.
Key Compliance Strategies
1. Incident Response Playbooks Should Build a Litigation Record
Materiality under these rules tracks longstanding securities law principles: is there a substantial likelihood that a reasonable investor would consider the information important in deciding whether to buy, sell, or hold?[4] In the cyber context, where threats evolve quickly and the full impact of an incident may not be known for days or weeks, this determination is now a legal and evidentiary question as much as a business judgment.
Litigators should work with incident response teams to document contemporaneous materiality assessments, including inputs, deliberations, and escalation paths. These materials may later become relevant in securities class actions or discovery in derivative suits. Cross-functional tabletop exercises should simulate not just technical or operational responses, but also litigation exposure tied to delay, ambiguity, or inconsistency.
2. Board Oversight Disclosures Must Be Bulletproof
The SEC now requires public companies to describe how their board oversees risks from cybersecurity threats, including any board committee responsible for that oversight, the processes by which the board or committee is informed about those risks, and management's role and relevant expertise in assessing and managing them (Item 106(c) of Regulation S-K).[5] These statements will become central to derivative litigation after a major breach, particularly where shareholder plaintiffs argue that breach-related losses stemmed from inadequate oversight (i.e., Caremark-type claims).[6]
Companies should ensure board and committee minutes substantiate the disclosures. Vague or inflated governance language may invite shareholder suits, especially where the factual record reflects infrequent or superficial cyber engagement. Counsel should consider training boards on their cyber oversight duties in anticipation of heightened litigation scrutiny.
3. Gap Assessments Should Be Done with a Litigation Backdrop
Beyond compliance, gap assessments must now contemplate how the company’s cybersecurity posture and governance will look in hindsight. Plaintiffs’ lawyers and regulators are likely to dissect how a company measured and documented its materiality determinations, what role the board played, and how promptly the company disclosed once it had facts in hand. These assessments should include:
- Whether current documentation would hold up under discovery;
- Whether internal controls and escalation protocols support a good-faith defense;
- Whether prior cyber incidents were adequately investigated and disclosed under the new framework.
Potential Pitfalls
1. Delays in Determining Materiality Are Now Evidence
The four-business-day deadline runs not from the incident itself, but from the materiality determination. That does not leave the timing of the determination open-ended: Item 1.05 requires the registrant to make the determination "without unreasonable delay" after discovery of the incident, so an unreasonably slow or informal materiality review can itself be a violation, independent of whether the eventual 8-K was timely. A review that is documented only after the fact compounds the problem, because the company then has no contemporaneous record to show that the delay was reasonable.
For litigators, this is a red flag. The gap between discovery and disclosure will be examined in depositions, motion practice, and expert reports. Counsel should push for real-time logging of deliberations (who was consulted, what facts were known at each point, and why the determination was or was not made) to support the company's narrative of diligence and good faith.[7]
2. Ambiguous or Jargon-Heavy Disclosures Undermine Defense Strategy
Disclosures must be clear, specific, and investor-focused, not written by engineers for other engineers.[8] The rule itself does not call for technical depth: Item 1.05 asks for the material aspects of the nature, scope, and timing of the incident and its material or reasonably likely material impact, and expressly provides that a registrant need not disclose specific or technical information about its planned response, its systems and networks, or potential vulnerabilities in such detail as would impede its response or remediation. Overly technical or, at the other extreme, generic boilerplate disclosures can undercut a company's credibility and expose it to allegations of misleading investors, especially if the company later clarifies or updates the nature or scope of the breach in a way that moves the stock price.
Litigators should be involved in reviewing 8-K and 10-K disclosures to ensure consistency with:
- Internal risk assessments;
- Public statements to customers or partners;
- Prior SEC filings.
Any divergence could fuel a securities fraud claim.
3. Cyber Due Diligence: A Growing Source of Post-Deal Litigation
In M&A, undisclosed cyber incidents or weak governance may now constitute material omissions under securities laws—not just buyer’s remorse. Acquirers should expand due diligence to include:
- Review of the target’s past incident logs and materiality determinations;
- Board materials and minutes tied to cybersecurity governance;
- Whether prior Form 8-Ks or 10-Ks would still hold up under the new rule.
Post-closing, plaintiffs may seek to retrofit disclosure theories to claim the buyer misled investors by failing to surface or disclose a material cyber vulnerability in a newly acquired business. Sellers, for their part, should prepare for more rigorous diligence scrutiny and for representations and warranties tied specifically to cyber risk, incident history, and compliance with the disclosure rules.
Practical Implications
The SEC has made clear that it regards cybersecurity risk as on par with financial and operational risk, and expects companies to manage and disclose it accordingly. Beyond regulatory enforcement, the rules will catalyze new waves of litigation. Securities class actions, derivative suits, and breach-related tort claims will increasingly cite Item 1.05 filings, governance disclosures, and 10-K narrative statements as evidence of fraud, failure of oversight, or breach of fiduciary duty.
In this landscape, compliance is not just about timely disclosure. It’s about creating a litigation-ready record that shows the company acted reasonably, transparently, and with the oversight required by law. In a world where cyberattacks are inevitable, that record may be a company’s best defense.
This publication is distributed with the understanding that the author, publisher, and distributor of this publication and/or any linked publication are not rendering legal, accounting, or other professional advice or opinions on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising. The choice of a lawyer is an important decision and should not be based solely upon advertisements.
[1] SEC, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Release No. 33-11216 (July 26, 2023), 88 Fed. Reg. 51,896 (Aug. 4, 2023), https://www.sec.gov/files/rules/final/2023/33-11216.pdf.
[2] Id. at 107.
[3] Id.
[4] TSC Industries, Inc. v. Northway, Inc., 426 U.S. 438, 449 (1976); see also SEC Release No. 33-11216, supra note 1, at 80.
[5] See SEC Release No. 33‑11216, supra note 1, at 65–70, 81–85.
[6] In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996) (establishing that shareholder derivative claims may lie where directors breach their duty of oversight by failing to implement or monitor internal controls).
[7] SEC Release No. 33‑11216, supra note 1, at 37–43, 185.
[8] SEC Release No. 33‑11216, supra note 1, at 30.