The landscape of cybersecurity compliance has shifted dramatically for public companies since the U.S. Securities and Exchange Commission (SEC) adopted its July 26, 2023 rules, which require public companies to disclose material cybersecurity incidents under Item 1.05 of Form 8-K. But in 2024, the SEC released additional guidance and clarification on the rule change, providing public companies with a better understanding of their responsibilities and how to comply.

In this article, we discuss key elements of the SEC’s cybersecurity incident disclosure rule change and how financial firms can adapt.