SEC Cybersecurity Disclosure Rule (2023)

SmartSuite provides the system for managing controls, evidence, mappings, assessments, and reporting. Framework text may require a separate license unless explicitly provided.
Overview
The SEC Cybersecurity Disclosure Rule (2023) is a U.S. securities regulation that requires publicly traded companies to disclose material cybersecurity incidents and provide annual updates on their cybersecurity risk management, strategy, and governance. This rule aims to enhance transparency and ensure investors receive timely and consistent information about cybersecurity risks and events that may impact a company’s financial position or operations.
Issued by the U.S. Securities and Exchange Commission (SEC), the rule applies to all domestic and foreign public companies registered with the SEC. It focuses on the disclosure of material cybersecurity incidents, board oversight, risk management processes, and the company’s approach to handling data protection and cyber threats, expanding compliance obligations in line with evolving cyber risk landscapes.
Organizations comply by developing formal incident response policies, updating disclosure procedures, and integrating cybersecurity risk assessment into existing SEC reporting and governance structures. The rule supports broader cybersecurity and compliance programs, often aligning with industry standards such as NIST or ISO frameworks to strengthen board oversight, enhance risk management practices, and demonstrate regulatory compliance.
Why it Matters
The SEC Cybersecurity Disclosure Rule enhances accountability in cybersecurity risk management and transparency around material incidents for publicly traded companies.
Key benefits include:
• Strengthen board oversight
Improve executive engagement by requiring the board and management to oversee cybersecurity strategy and risk management processes.
• Enhance investor transparency
Ensure investors receive timely, consistent disclosures about cybersecurity incidents that may impact financial performance or operations.
• Support regulatory compliance
Align information security practices with SEC requirements, reducing risks of enforcement actions and reputational harm.
• Improve incident response accountability
Mandate formal incident response planning and reporting, which leads to more effective organizational response and recovery from cyber events.
• Promote risk-informed governance
Integrate cybersecurity risk assessments into overall governance structures, supporting more robust decision-making and resource allocation.
How it Works
The SEC Cybersecurity Disclosure Rule (2023) structures its requirements around governance, risk management, and incident disclosure obligations for publicly traded companies. The framework focuses on regulatory requirements mandating that registrants disclose their cybersecurity risk management strategies, oversight mechanisms, and any material cybersecurity incidents. It integrates governance domains by emphasizing board and management involvement, as well as ongoing processes for identifying, assessing, and addressing cybersecurity risks.
Organizations implement the SEC Cybersecurity Disclosure Rule by establishing robust security practices, such as conducting risk assessments, documenting cybersecurity policies, and aligning security controls with regulatory requirements. Compliance teams collaborate with IT and executive leadership to monitor ongoing cybersecurity posture, prepare for disclosure reporting, and develop incident response plans that support timely and accurate regulatory filings. Regular reviews of risk management activities and governance measures ensure continued adherence to the rule.
With SmartSuite, companies can operationalize the SEC Cybersecurity Disclosure Rule through capabilities such as maintaining a control library mapped to SEC requirements, using risk registers to document and track cybersecurity risks, and centralizing policy governance. Evidence collection tools support compliance tracking, while automated workflows assist with incident disclosure and remediation. Reporting dashboards enable ongoing monitoring, audit readiness, and comprehensive oversight of regulatory compliance efforts.
Key Elements
• Cybersecurity Incident Disclosure Processes
Specifies mechanisms for identifying, assessing, and publicly reporting material cybersecurity incidents in regulatory filings.
• Risk Management and Assessment Framework
Describes structured methods for evaluating, managing, and documenting organizational cybersecurity risks on an ongoing basis.
• Board Oversight and Governance
Establishes leadership responsibilities and accountability structures for overseeing cybersecurity risk and regulatory compliance.
• Cybersecurity Strategy Documentation
Outlines how organizational approaches to cyber threats and data protection are formulated and communicated to stakeholders.
• Disclosure Policies and Procedures
Defines formal processes for preparing, reviewing, and submitting required cybersecurity disclosures to the SEC.
• Annual Review and Reporting Cycle
Provides guidelines for periodic updates on cybersecurity risk management practices within mandatory annual reports.
Framework Scope
The SEC Cybersecurity Disclosure Rule (2023) is used by domestic and foreign public companies registered with the U.S. Securities and Exchange Commission. It governs the disclosure of material cybersecurity incidents, risk management strategies, and board oversight for information systems, supporting regulatory compliance, improving cyber risk transparency, and enhancing investor assurance through consistent disclosure practices.
Framework Objectives
The SEC Cybersecurity Disclosure Rule (2023) enhances transparency in cybersecurity risk management, governance, and compliance for public companies.
• Strengthen board oversight of cybersecurity and data protection measures
• Improve transparency of material cybersecurity incidents and risk management practices
• Support regulatory compliance with SEC disclosure and reporting requirements
• Promote robust governance structures for cybersecurity risk and incident response
• Enhance investor confidence through consistent cybersecurity disclosures
• Enable effective assessment of cybersecurity controls and operational resilience
The SEC Cybersecurity Disclosure Rule complements existing security and governance frameworks—commonly mapped to NIST Cybersecurity Framework, ISO/IEC 27001, and COSO Internal Control—to help organizations standardize risk disclosures. Firms implement it for regulatory compliance, governance alignment, incident reporting, and to demonstrate controls and processes to investors, auditors, and regulators.
Common Framework Mappings
Organizations map these established frameworks to the SEC Cybersecurity Disclosure Rule to align technical controls, governance, incident response, and financial-reporting controls, enabling consistent disclosures, auditability, and regulatory compliance.
Mapped frameworks include:
CIS Critical Security Controls
COSO Internal Control — Integrated Framework
ISO/IEC 27001
NIST Cybersecurity Framework
NIST SP 800-53
NYDFS Cybersecurity Regulation (23 NYCRR 500)
Sarbanes-Oxley Act (SOX)
SOC 2
- Classification: Category: Cybersecurity; Domain: Financial Services Regulation; Framework Family: Other
- Regulatory Context: Type: Regulation; Legal Instrument: Regulation; Sector: Financial Sector; Industry: Financial Services
- Region / Publisher: Region: North America; Region Detail: United States; Publisher: U.S. Securities and Exchange Commission (SEC)
- Versioning: Version: SEC Cybersecurity Disclosure Rule (2023); Effective Date: September 2023; Issue Date: July 26, 2023
- Adoption: Adoption Model: Regulatory Compliance; Implementation Complexity: High
- Official Reference: Source
License included / downloadable: Yes
The SEC Cybersecurity Disclosure Rule is publicly available through official U.S. Securities and Exchange Commission publications.
How SmartSuite Supports US SEC Cybersecurity Rule
Centralize controls, evidence, and audit workflows to stay continuously SOC 2–ready.
Governance and Oversight Documentation
Track leadership roles, board reporting, and cyber risk governance artifacts.
Materiality Decision Workflow
Run a repeatable process for incident evaluation, documentation, and approvals.
Incident Timeline and Evidence Trail
Capture actions, decisions, and communications in a complete incident record.
Risk Management Program Evidence
Centralize risk assessments, controls, and assurance artifacts that support disclosures.
Third-Party and Concentration Risk Oversight
Track key providers, monitoring, and contingency planning evidence.
Disclosure Readiness Reporting
Report posture, incidents, open risks, and governance evidence for readiness.
Related frameworks

CIS Controls v8.1 provides prioritized, practical security actions to help organizations mitigate common cyber threats and strengthen defenses.

COSO ICFR guides organizations in designing and evaluating internal controls to ensure reliable financial reporting and regulatory compliance.

ISO/IEC 27001:2022 is an international ISMS standard that helps organizations manage information security risks and protect data.

NIST Cybersecurity Framework (CSF) v2.0 is a risk-based framework that helps organizations manage and reduce cybersecurity risks.

NIST SP 800-53 Rev. 5 provides a catalog of security and privacy controls to manage risks to information systems.

23 NYCRR 500 requires New York-regulated financial institutions to implement minimum cybersecurity controls protecting customer data and operational resilience.
Frequently Asked Questions For SEC Cybersecurity Disclosure Rule (2023)
The SEC Cybersecurity Disclosure Rule (2023) is designed to enhance transparency around cybersecurity risks and incidents affecting publicly traded companies. It requires organizations to disclose material cybersecurity incidents and provide updates on their cybersecurity risk management, governance, and strategy, ensuring investors have consistent and timely information about threats impacting a company’s financial health.
Yes, compliance with the SEC Cybersecurity Disclosure Rule is mandatory for all domestic and foreign public companies registered with the SEC. Failure to comply with the rule’s disclosure requirements can result in regulatory penalties and enforcement actions.
The rule applies to all companies—both US-based and international—that are publicly traded and subject to SEC reporting requirements. This includes any organization that files annual or periodic reports under the Securities Exchange Act of 1934.
Organizations must disclose material cybersecurity incidents within four business days of determining materiality and provide annual updates on their cybersecurity governance, risk management processes, and strategy. Required artifacts include incident reports, descriptions of risk assessment processes, and documentation of board and management oversight.
Implementation involves developing incident response and evaluation procedures, updating disclosure controls, and integrating cybersecurity risk management into broader SEC reporting and corporate governance frameworks. Organizations should train relevant teams, establish clear criteria for materiality assessments, and maintain readiness to meet filing deadlines.
While the SEC Cybersecurity Disclosure Rule is a regulatory requirement, organizations often align their cybersecurity programs with industry standards such as NIST or ISO 27001 to strengthen risk management and governance. Alignment with these frameworks can streamline compliance and support consistent reporting.
Ongoing compliance involves regularly assessing cybersecurity risks, ensuring timely identification and evaluation of potential incidents, maintaining updated governance documentation, and reviewing disclosure processes. Companies must monitor evolving threats and regulatory guidance to ensure disclosures remain accurate and complete.
SmartSuite streamlines compliance by providing workflows for incident reporting, risk tracking, and governance activities. It supports control management, document retention, and evidence collection for disclosures, helping organizations demonstrate audit readiness. Reporting tools enable timely and accurate submissions to the SEC and maintain clear records to support regulatory reviews.
Put CRI Profile into action with SmartSuite
Map controls, collect evidence, run assessments, manage remediation, and report readiness - all from a single connected system.