Navigating the SEC Cybersecurity Rules Evolution

Published on January 15, 2026
Practical ERP Solutions Background

Cybersecurity has moved from being a technical issue to a top business priority. Since 2018, the Securities and Exchange Commission (SEC) has steadily raised the bar on how companies report cyber risks. What started as guidance has become mandatory rules. By 2023, companies had to disclose material incidents within four business days. In 2025, regulators began pressing for even faster timelines, sometimes within 48 hours.

This shift shows that cybersecurity is now tied directly to financial reporting and investor trust. Compliance is not just about following the rules. It is about showing resilience and transparency when cybersecurity incidents occur.

A Quick Look Back at SEC Cyber Rules

In 2018 and 2019, the SEC encouraged companies to share cyber risks more openly. By 2022, proposed updates focused on governance and risk management. In 2023, the SEC adopted new rules requiring companies to disclose material incidents quickly and to explain their cyber risk strategies in annual reports.

By 2025, the pace accelerated. The SEC created a Cyber and Emerging Technologies Unit and began enforcing faster disclosure deadlines. The shift from voluntary guidance to mandatory disclosure reflects the SEC’s determination to protect investors by ensuring cyber risks are treated with the same seriousness as financial risks.

What a Strong Cybersecurity Program Looks Like

Compliance with SEC rules is only part of the equation. To meet both regulatory and Sarbanes-Oxley (SOX) expectations, companies need programs that go beyond compliance. Modern organizations must embed cybersecurity into their governance and risk frameworks. Four pillars define a strong program:

  • Governance and Accountability: Establish clear leadership and accountability, with CISOs empowered to act and boards kept informed.
  • Risk and Controls: Adopt a recognized framework such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) or the International Organization for Standardization's ISO 27001 to guide risk management, with a focus on Sarbanes-Oxley Internal Control over Financial Reporting (SOX/ICFR) impacts.
  • Testing and Continuous Improvement: Conduct regular risk assessments, penetration testing, and vulnerability remediation.
  • People and Culture: Build a culture of awareness, where employees know how to spot threats and executives take part in training.

These pillars ensure that cybersecurity is not siloed within IT but integrated into an enterprise-wide risk management strategy.

Lessons from Recent Disclosures

A few recent filings highlight the real-world impact of cyber incidents:

  • Enzo Biochem, Inc.
    • Disclosure Date: 4/13/2023, most recent filing 1/15/2025
    • Summary: Biochemical manufacturer disclosed multiple ransomware attacks between 2023 and 2025. Containment measures included disconnecting systems and engaging third-party specialists. The most recent filing was related to a settlement with affected customers.
    • Costs: $12M–$24M+
  • Coinbase Global, Inc.
    • Disclosure Date: 5/15/2025
    • Summary: Crypto exchange received an email from a threat actor claiming access to customer account data and internal documentation related to customer service and account management systems.
    • Costs: Not yet tracked
  • Data I/O Corp.
    • Disclosure Date: 8/21/2025
    • Summary: Provider of semiconductor programming systems reported a ransomware incident affecting internal IT systems.
    • Costs: $388K

These cases highlight the SEC’s emphasis on materiality. Companies must not only disclose incidents but also explain why they are material to investors. The filings also show a wide range of impacts, from multimillion‑dollar losses to incidents where costs are still unknown. This underscores the importance of strong governance, rapid response, and transparent communication.

Beyond Compliance to Strategic Advantage

Strong cybersecurity programs do more than meet SEC rules. They build investor confidence, protect shareholder value, and strengthen resilience. Transparent disclosure signals that a company is proactive and worthy of investor trust. When organizations go beyond minimum compliance, they unlock benefits that strengthen both reputation and performance.

  • Investor Trust and Confidence: Transparent disclosures show that leadership is proactive, reassuring shareholders and strengthening long-term stability.
  • Risk Management and Value Protection: Linking cybersecurity to financial reporting protects shareholder value and reduces costly surprises.
  • Operational Resilience: Continuous testing and improvement help companies recover quickly, limit financial impact, and maintain business continuity.
  • Stakeholder Confidence: Strong governance and culture reassure customers, partners, and regulators, building trust across the ecosystem.
  • Competitive Advantage: Robust cyber programs set companies apart, turning transparency and risk management into part of the brand story.

Turning Compliance into Confidence

Cybersecurity is no longer just an IT concern; it is a core part of financial reporting and investor trust. Companies that weave strong governance, disciplined risk management, and a culture of awareness into their programs show resilience, protect value, and earn credibility in the market.

Cyber risk is a business risk. Meeting the rules is only the beginning of a strong cyber program. The real advantage comes when disclosure becomes a story of preparedness and transparency, positioning your organization as a leader rather than a follower.

If you want to move beyond compliance and build confidence, our Risk Solutions team is ready to help. We’ll work with you to strengthen your cyber program, anticipate emerging threats, and turn regulatory requirements into a platform for trust and growth.