SEC Cyber Rule: A Primer for Practitioners by Alex Sharpe

Blog AWS Security Cloud Security

Please check out this guest blog post by Alex Sharpe, a Cyber Security Expert with decades of experience.

The SEC Cybersecurity Rule is designed to provide transparency so investors can make information decisions. The rule effectively imposes two requirements on publicly traded companies. The full rule can be found here.

The SEC has three missions:

  1. Protect investors.
  2. Maintain fair, orderly, and efficient markets.
  3. Facilitate capital formation.


What does the rule say? This rule (first of three) clearly maps to the first mission while setting the stage for future rules addressing the remaining two missions.

  1. Publicly traded companies’ must disclose material information regarding their cybersecurity risk management, strategy, and governance practices yearly as part of their 10k filing.
  2. Publicly traded companies must report, via an 8k, material cybersecurity incidents within four business days of determining the incident is material. This timeline may be extended IF federal law enforcement determined the disclosure would harm national security or pending investigations.


The SEC has been issuing Cybersecurity guidance since 2011.

Why 10k and 8k? Simple, 10ks and 8ks are the well establish, long standing mechanism to report similar non cybersecurity related matters. Both 10ks and 8ks have been required since 1934. Requiring cyber to use these reporting mechanisms is simply a recognition of cyber as a business imperative.

What is material? Material is a cornerstone of SEC regulations going back to just after the Great Depression. The U.S. Supreme Court held an item is material if there is “a substantial likelihood that the … fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”[i]

Sounds fluffy? Sort of. There is case law and precedent. If you are part of a publicly traded company, you should already have a policy and a procedure to determine and report materiality. The best next step is to find it, identify the owner, and meet with them. This is your opportunity to help them understand cyber, and for you to understand the business.

Harmonization and Consistency. The proposed rule is very consistent with other rules, regulations, standards, and legislation. The main difference is reporting within four business days instead of seventy-two hours seen other place and the use of 8Ks and 10Ks as the reporting mechanism.

How does this alter incident response plans? Work with senior leadership to understand what information they need and when. Remember, ignoring a materiality decision will only get you in trouble. Spend time educating your senior leadership on cyber and collaborate with them to craft criteria and milestone for communication with senior leadership and the board. Existing policies, procedures, and Incident Response (IR) plans will need to be updated.

Reduce likelihood and impact; detect fast, recover quicker. Incidents will continue to happen. You will avoid a lot of problems and your life will be easier by detecting faster, recovering quicker, and limiting the Blast Radius. Looking at the numbers, internal teams only detect about one third of all incidents and it takes almost nine months to identify the typical incidents. The real number is much higher when we remove the incidents where the attacker makes us aware of the incident.


Who Detects a Breach?

  • 33% Internal teams and tools
  • 27% Attacker (e.g., Ransomware)
  • 40% Benign third parties and outsiders


IBM Cost of Data Breach ReportGlobally, across sectors:

  • 204 days to identify and 73 days to contain a breach.


Financial sector:

  • 177 days to identify and 56 days to contain.


What’s Next? The recently passed cyber rule applies to publicly traded companies and the SEC’s first mission of protecting investors. A second rule is inflight that applies to ALL market participants – publicly traded and privately held. That proposed rule and submitted comments can be found here. There has been some discussion of a third rule to address the SEC’s third. So far, nothing has been posted for public comment.


[i] TSC Industries v. Northway, Inc., 426 U.S. 438, 449 (1976); see Basic, Inc. v. Levinson, 485 U.S. 224 (1988) (as the Supreme Court has noted, determinations of materiality require “delicate assessments of the inferences a ‘reasonable shareholder’ would draw from a given set of facts and the significance of those inferences to him….” TSC Industries, 426 U.S. at 450); see also FASB, Amendments to Statement of Financial Accounting Concepts No. 8—Conceptual Framework for Financial Reporting—Chapter 3, Qualitative Characteristics of Useful Financial Information (Aug. 2018), available at; see also SAB No. 99.


Skyhawk Security stands out in a competitive market! The organization is proud to announce that it has been named a finalist in the 2024 Cloud Security Awards program in four categories: Cloud Security Innovator of the Year Best Use of

Cloud SecurityAIData BreachThreat Detection

The Cybertech conference of 2024 was supposed to mark the tenth year of the event that has long been considered the most significant in the local industry. The event that started as an event by Israelis, for Israelis, has long

Cloud SecurityAIData BreachThreat Detection

Did you know cloud attacks increased 75% over the last year? Or, that human error was the leading cause of cloud breaches at 55%? And 75% of businesses state that more than 40% of data stored in the cloud is

Cloud SecurityThreat Detection

US National Institute of Standards and Technology (NIST) defines “Attack surface” as: The set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or

Cloud SecurityAIData BreachThreat Detection

It is a fact that the security industry suffers from a chronic shortage of skilled employees. This global shortage, which ISC2 estimates at 4 million professionals. The global workforce is estimated at 5.5 million people, meaning it nearly needs to

Cloud SecurityAIData BreachThreat Detection

Please check out this guest blog post by Alex Sharpe, a Cyber Security Expert with decades of experience. The SEC Cybersecurity Rule is designed to provide transparency so investors can make information decisions. The rule effectively imposes two requirements on

Cloud SecurityAIData BreachThreat Detection

Thanks For Reaching Out!

One of our expert will get back to you
promptly at

Fill out the form and we'll schedule your demo
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.