SEC Cybersecurity Rules: A Year of Enforcement and Investor Scrutiny


As we approach 2026, public companies face unprecedented cybersecurity disclosure obligations and heightened SEC enforcement—here's what you need to know

Executive Summary

The SEC's cybersecurity disclosure rules, which became effective in December 2023, have fundamentally transformed how public companies approach incident reporting and governance oversight. As we enter 2026, a year of enforcement actions, regulatory guidance, and the creation of a new enforcement unit reveals a clear message: cybersecurity disclosure is no longer optional, and material incidents demand timely, accurate, and comprehensive reporting.

Between December 2023 and early 2025, 54 companies filed 80 Form 8-K disclosures related to cybersecurity incidents—26 under the material incident provision (Item 1.05) and the remainder under voluntary disclosure items. The SEC has settled multiple enforcement actions totaling over $8 million in penalties, launched the Cyber and Emerging Technologies Unit (CETU) in February 2025, and issued detailed guidance clarifying when and how companies must disclose cyber incidents.

For boards of directors, the stakes have never been higher. Derivative lawsuits, D&O liability claims, and enhanced fiduciary duty obligations surrounding cybersecurity oversight are creating a new risk landscape that extends far beyond traditional IT concerns.

The Rules: What Changed and When

Material Incident Disclosure (Form 8-K Item 1.05)

The core requirement mandates that public companies disclose material cybersecurity incidents within four business days of determining materiality. Companies must describe:

  • The material aspects of the incident's nature, scope, and timing
  • The material impact or reasonably likely material impact on the company
  • Effects on financial condition and results of operations

Effective dates:

  • Large accelerated filers and accelerated filers: December 18, 2023
  • Smaller reporting companies: June 15, 2024

Annual Governance Disclosures (Form 10-K)

Beginning with fiscal years ending on or after December 15, 2023, companies must disclose in their annual reports:

  • Processes for assessing, identifying, and managing material cybersecurity risks
  • Whether cybersecurity risks have materially affected or are reasonably likely to affect the company
  • Management's role in assessing and managing cybersecurity threats
  • Board oversight of cybersecurity risks, including:
    • Which board committee oversees cybersecurity
    • Processes for informing the board about cybersecurity threats
    • Board members' cybersecurity expertise

The National Security Exception

Companies can request a delay from the Attorney General if immediate disclosure poses a substantial risk to national security or public safety. AT&T became the first and only known company to publicly use this provision, delaying its July 2024 disclosure by 84 days after receiving DOJ approval.

The Evolution of Enforcement: Real-World Cases

The SolarWinds Litigation: Setting Boundaries

The SEC's October 2023 enforcement action against SolarWinds Corp. and CISO Timothy Brown marked several firsts:

  • First fraud claims related to cybersecurity disclosures
  • First charges against a CISO in a cybersecurity case
  • First attempt to expand internal accounting controls to cybersecurity systems

However, in July 2024, U.S. District Judge Paul Engelmayer dismissed most of the SEC's claims, dealing a significant blow to the agency's aggressive interpretation of internal controls. The court rejected the SEC's novel theory that cybersecurity deficiencies violated Exchange Act Section 13(b)(2)(B)'s internal accounting controls provisions.

Key ruling: The court found that using hindsight to second-guess cybersecurity statements and attempting to expand accounting controls to encompass all cybersecurity measures exceeded the SEC's authority.

By July 2025, the SEC reached a preliminary settlement with SolarWinds and Brown, with final terms pending commissioner approval. Despite the setback, the SEC has signaled it remains committed to pursuing disclosure-related fraud cases.

The SolarWinds Victims: Downstream Enforcement

Undeterred by the court's ruling in SolarWinds, the SEC in October 2024 charged four companies that were themselves victims of the SolarWinds Orion compromise:

Unisys Corporation - $4 million penalty

  • Alleged misleading disclosures minimizing the scope of data accessed
  • Additional charges for disclosure controls violations

Avaya Holdings Corp. - $1 million penalty

  • Used generic, hypothetical language about cybersecurity risks despite knowing the warned-of risks had materialized

Check Point Software Technologies - $995,000 penalty

  • Disclosed incident in "half-truths" that understated the extent of threat actor access

Mimecast Limited - $990,000 penalty

  • Allegedly downplayed the significance of compromised credentials

SEC enforcement message: Companies cannot "further victimize their shareholders" by providing misleading disclosures about incidents they've encountered—even when they are victims themselves.

Intercontinental Exchange: The $10 Million Wake-Up Call

ICE, parent company of the NYSE, agreed in May 2024 to pay $10 million to settle allegations related to cybersecurity incident notification failures, demonstrating that even market infrastructure companies are not immune from enforcement.

R.R. Donnelley: Internal Controls Matter

In July 2024, business communications provider RRD settled for $2.1 million related to a 2021 cyberattack. The SEC alleged:

  • Inadequate resources allocated to monitoring security alerts
  • Failure to instruct third-party monitoring service on proper escalation procedures
  • Deficient disclosure controls and internal controls

Critical insight: The SEC expects companies to maintain cybersecurity procedures that escalate aggregated security alerts—not just confirmed incidents—to management and disclosure personnel.

Flagstar Bank: Timing Is Everything

In December 2024, the SEC settled with Flagstar Bank for filing a misleading Form 8-K. On January 25, 2021, Flagstar disclosed a cybersecurity incident under Item 8.01, stating it had "no evidence of unauthorized access to customer information." However, the company had learned one day earlier that attackers had exfiltrated sensitive customer data, including names, addresses, Social Security numbers, and account information.

Flagstar amended its Form 8-K 15 days later—but the damage was done. The SEC found the company violated Section 13(a) of the Exchange Act and Rule 13a-11 by filing an inaccurate current report.

The Cyber and Emerging Technologies Unit (CETU): February 2025

On February 20, 2025, the SEC announced the creation of CETU, replacing the Crypto Assets and Cyber Unit. Led by Laura D'Allaird, the approximately 30-member unit represents a strategic shift in enforcement priorities under the second Trump administration.
