SEC’s New Mandatory Cybersecurity Disclosure Rules: Maintaining Compliance and Avoiding Enforcement Risks

Enhanced Disclosures Regarding Cybersecurity Risk Management, Strategy, Governance and Incident Reporting

Recording of a 90-minute CLE video webinar with Q&A


Conducted on Tuesday, October 24, 2023


This CLE webinar will discuss the SEC's recent adoption of rules requiring public companies to disclose cybersecurity incidents more promptly and to provide annual disclosures regarding the company's cybersecurity risk management strategy and cybersecurity governance. The panel will examine the new rules' requirements and provide practical guidance for maintaining compliance and avoiding enforcement risks.


On July 26, 2023, the SEC adopted final rules that generally require public companies to disclose material cybersecurity incidents within four business days after determining the incident was material. Also, companies must now provide information regarding their cybersecurity risk management, strategy, and governance on an annual basis. The final rules are effective Sept. 5, 2023.

Since 2011, the SEC has encouraged public companies to file a Form 8-K upon the occurrence of a material cybersecurity incident. The final rules turn the guidance into a mandate for Form 8-K. Foreign private issuers (FPIs) already have an obligation to disclose material information on Form 6-K that they disclose offshore, on a stock exchange, or to their security holders, and the new rules simply add material cybersecurity incidents to the list of material information included in the form.

Under the new rules, public companies and FPIs will be required to include additional cybersecurity risk management disclosures in Forms 10-K and 20-F. As part of these disclosures, companies must describe:

  • their processes for assessing, identifying, and managing material risks from cybersecurity threats;
  • the board of directors' oversight of risks from cybersecurity threats;
  • management's cybersecurity expertise and its role in assessing and managing material risks from cybersecurity threats; and
  • whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition.

Listen as our authoritative panel provides an overview of the new rules and practical guidance for implementing policies and procedures to comply with the new requirements. The panel will also address the potential compliance and enforcement implications of the new rules.



  1. Overview of the SEC's new cybersecurity disclosure rules
  2. Cybersecurity incident disclosure requirement in Form 8-K or Form 6-K
  3. Updates on previously reported cybersecurity incidents required in amended Form 8-K or Form 20-F
  4. New cybersecurity governance disclosure requirements in annual reports on Form 10-K and Form 20-F
  5. Compliance deadlines
  6. Practical guidance and takeaways for implementing policies and procedures to address the new rules
  7. Potential implications of the public disclosure of a company's cybersecurity incidents


The panel will address these and other key issues:

  • What are the new Form 8-K filing requirements?
  • What are the new cybersecurity governance disclosure requirements for annual reports on Forms 10-K and 20-F?
  • What are the changes to Regulation S-K and how should companies disclose their processes for assessing, identifying, and managing material risks from cybersecurity threats?
  • What are the corporate governance matters relating to the board of directors' and management's oversight of cybersecurity matters?
  • What are the implications of these new rules on how companies will respond to future cyber incidents?


Shardul Desai

Holland & Knight

Mr. Desai is a cybersecurity, data privacy, and white collar defense and government investigations attorney. He has...

J.D. Koesters

K&L Gates

Mr. Koesters is counsel in the firm’s Investigations, Enforcement, and White Collar Group. With over a decade of...

Access Anytime, Anywhere

Strafford will process CLE credit for one person on each recording. All formats include course handouts.