SEC Cybersecurity Disclosure Rule

United States

4 domains

26 controls

SEC Cybersecurity Risk Management Strategy Governance and Incident Disclosure (Final Rule Jul 2023, Form 8-K Item 1.05 + Reg S-K Item 106).

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (4)

Governance

5 controls

Controls in the Governance domain of SEC Cybersecurity Disclosure Rule — 5 controls
Code	Title	Description
SEC-ENFORCEMENT	Enforcement Posture (SolarWinds Precedent and Beyond)	SEC enforcement actions (e.g., SolarWinds October 2023 complaint, partial dismissal July 2024) signal scrutiny of cybers...
SEC-FPI-20F	Foreign Private Issuer Annual Disclosure on Form 20-F	FPIs must include comparable cybersecurity risk management, strategy, and governance disclosure in their annual report o...
SEC-INSIDER-TRADING	Insider Trading Controls During Cyber Incidents	Registrants must apply existing insider trading policies (Rule 10b5-1) to material nonpublic cybersecurity incident info...
SEC-SK-106-E	Board Oversight of Cybersecurity Risk (Item 106(c)(1))	Describe the board of directors' oversight of risks from cybersecurity threats and identify any board committee or subco...
SEC-SK-106-F	Management's Role and Expertise (Item 106(c)(2))	Describe management's role in assessing and managing material cyber risks, including which positions or committees are r...

Material Incident Disclosure

12 controls

Controls in the Material Incident Disclosure domain of SEC Cybersecurity Disclosure Rule — 12 controls
Code	Title	Description
SEC-8K-1.05-A	Material Cybersecurity Incident 4-Business-Day Disclosure	Registrants must file Form 8-K Item 1.05 within four business days after determining that a cybersecurity incident is ma...
SEC-8K-1.05-B	Materiality Determination Without Unreasonable Delay	A materiality determination must be made without unreasonable delay after discovery of the incident. The four-business-d...
SEC-8K-1.05-C	Materiality Standard (Quantitative + Qualitative)	Materiality follows established TSC Industries/Basic v. Levinson standard: substantial likelihood a reasonable investor...
SEC-8K-1.05-D	National Security/Public Safety Delay (Attorney General Notification)	Disclosure may be delayed only if the U.S. Attorney General determines that immediate disclosure would pose a substantia...
SEC-8K-1.05-E	Amendment Obligation for Previously Undetermined Information	If information required by Item 1.05(a) is not determined or unavailable at filing, the registrant must so state and fil...
SEC-8K-1.05-F	Aggregation of Related Cybersecurity Incidents	A series of related unauthorized occurrences are treated as a single cybersecurity incident for materiality assessment,...
SEC-8K-1.05-G	Third-Party System Incident Disclosure	Incidents occurring on third-party systems used by the registrant are within scope; the registrant must conduct reasonab...
SEC-8K-1.05-H	Ransom Payment and Negotiation Disclosure Considerations	While the rule does not mandate disclosure of ransom payment specifics, registrants must avoid using ransom or law enfor...
SEC-8K-1.05-I	Item 1.05 vs Item 8.01 Voluntary Disclosure	Voluntary cybersecurity disclosures of incidents not yet determined material should be filed under Item 8.01, not Item 1...
SEC-FPI-6K	Foreign Private Issuer Reporting on Form 6-K	Foreign private issuers must furnish on Form 6-K material information regarding material cybersecurity incidents that th...
SEC-SAFE-HARBOR	Limited Safe Harbor for Item 1.05 Late Filings	Untimely filing of Item 1.05 8-K does not result in loss of Form S-3 short-form registration eligibility, and Section 10...
SEC-SCA-SUB-FILER	Smaller Reporting Company Extended Compliance Date	Smaller reporting companies were granted an additional 180 days from the non-SRC Item 1.05 compliance date before being...

Risk Management

8 controls

Controls in the Risk Management domain of SEC Cybersecurity Disclosure Rule — 8 controls
Code	Title	Description
SEC-DEFINITIONS	Definitions: Cybersecurity Incident, Threat, Information Systems	Cybersecurity incident is defined as an unauthorized occurrence, or series of related unauthorized occurrences, on or co...
SEC-DISC-CTRLS	Disclosure Controls and Procedures Update for Cyber	Rule 13a-15 disclosure controls and procedures must capture cybersecurity incident escalation so management can make tim...
SEC-REG-S-P	Regulation S-P Customer Notification Coordination	Amended Regulation S-P (May 2024) requires covered broker-dealers, investment advisers, funds, and transfer agents to ad...
SEC-REG-SCI	Reg SCI Coordination for Covered Entities	SCI entities (exchanges, clearing agencies, SBSDRs, certain ATSs) remain subject to Reg SCI Rules 1001 through 1007 in a...
SEC-SK-106-A	Risk Management Process Description (Item 106(b)(1))	Form 10-K must describe the registrant's processes, if any, for assessing, identifying, and managing material risks from...
SEC-SK-106-B	Engagement of Assessors, Consultants, Auditors, Third Parties	Disclose whether the registrant engages assessors, consultants, auditors, or other third parties in connection with its...
SEC-SK-106-C	Oversight of Third-Party Cybersecurity Risk	Describe processes to oversee and identify material risks from cybersecurity threats associated with the use of any thir...
SEC-SK-106-G	Inline XBRL Tagging Requirement	Information disclosed under Item 1.05 of Form 8-K and Item 106 of Regulation S-K must be tagged using Inline XBRL beginn...

Strategy

1 controls

Controls in the Strategy domain of SEC Cybersecurity Disclosure Rule — 1 controls
Code	Title	Description
SEC-SK-106-D	Material Effects of Prior Incidents (Item 106(b)(2))	Describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, ha...

Frequently Asked Questions

What is SEC Cybersecurity Disclosure Rule?

SEC Cybersecurity Disclosure Rule is a compliance framework from United States with 4 domains and 26 controls. SEC Cybersecurity Risk Management Strategy Governance and Incident Disclosure (Final Rule Jul 2023, Form 8-K Item 1.05 + Reg S-K Item 106). It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does SEC Cybersecurity Disclosure Rule have?

SEC Cybersecurity Disclosure Rule has 26 controls organised across 4 domains. The largest domains are Material Incident Disclosure (12 controls), Risk Management (8 controls), Governance (5 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does SEC Cybersecurity Disclosure Rule map to?

SEC Cybersecurity Disclosure Rule does not currently have cross-framework mappings in our system. Check back as we continuously expand our mapping database.

How do I get started with SEC Cybersecurity Disclosure Rule compliance?

Start your SEC Cybersecurity Disclosure Rule compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about SEC Cybersecurity Disclosure Rule requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 26 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 769 frameworks.

Get Started Free →

Free forever — no credit card required