SEC Cybersecurity Disclosure Requirements for Financial Institutions 

Josh Schmidt • April 20, 2026



If you run or oversee a publicly traded financial institution, the SEC’s cybersecurity disclosure rules deserve your full attention. Since taking effect in late 2023, these rules have fundamentally changed how public companies must communicate cyber risk to investors and regulators.  

For financial services firms already navigating one of the most demanding compliance environments in any industry, understanding what these rules require is critical to staying ahead of regulatory scrutiny and reputational risk. 

What The SEC Cybersecurity Disclosure Rules Require 

The SEC adopted its final cybersecurity disclosure rules in July 2023, with most provisions taking effect by December 2023. The rules apply to all public companies subject to the Securities Exchange Act of 1934, including banks, broker-dealers, investment advisers, and other financial services registrants. They create two distinct disclosure obligations: 

  • One for material cybersecurity incidents 
  • One for ongoing risk management, strategy, and governance practices 

Understanding both is essential because the consequences of getting either wrong can be significant. 

Incident Disclosure: The Four-Day Rule 

When a material cybersecurity incident occurs, registrants must disclose it on Form 8-K Item 1.05 within four business days of determining the incident is material. The disclosure must describe the nature, scope, and timing of the incident, as well as its actual or reasonably likely material impact on the company’s financial condition and results of operations.  

Importantly, the clock starts when you determine materiality, not when the incident occurs — a distinction that puts real pressure on your internal escalation processes to move quickly and consistently. 

Annual Disclosures: Risk Management, Strategy, And Governance 

Beyond incident reporting, Regulation S-K Item 106 requires registrants to include in their annual Form 10-K a description of how they assess, identify, and manage material cybersecurity risks. This means disclosing the board’s oversight role, identifying management positions or committees responsible for cybersecurity risk, and describing the relevant qualifications of those individuals.  

For financial institutions, this is not simply a compliance exercise. It is an opportunity to demonstrate to investors that your cybersecurity program is mature, well-governed, and aligned with your business strategy. 

What “Material” Means in the Context of Cyber Risk 

One of the more challenging aspects of these rules is the concept of materiality. The SEC defines a material incident as one that a reasonable investor would consider important in making an investment or voting decision. Applying that standard requires weighing both quantitative and qualitative factors, including the scope of data compromised, disruption to business operations, reputational harm, and potential legal liability. 

This determination should not fall on one person’s shoulders. Materiality decisions work best when they involve the CISO, CFO, General Counsel, CIO, and relevant business leaders working together with a clear, documented process. Building that cross-functional structure before an incident occurs is time well spent. 

How These Rules Intersect with Other Financial Services Regulations 

The SEC’s cybersecurity disclosure rules do not exist in isolation for financial institutions. They layer on top of an already complex web of requirements, including the FFIEC Cybersecurity Assessment Tool, GLBA Safeguards Rule, and NCUA cybersecurity requirements for credit unions.  

Public financial services firms need to think carefully about how their cybersecurity programs satisfy all these frameworks simultaneously and how their public disclosures align with what they are reporting to other regulators. A well-designed cybersecurity risk management program can serve all these needs at once — the key is building one that genuinely reflects how your organization identifies, assesses, and responds to threats. 

3 Practical Steps to Strengthen Your SEC Compliance Posture 

Meeting the letter of the SEC’s cybersecurity disclosure rules is achievable. Meeting their spirit in a way that builds investor trust and holds up under regulatory scrutiny takes more deliberate effort. Here are three areas where financial institutions most often need to strengthen their approach. 

1. Incident Response and Escalation Processes 

Your internal escalation process needs to be fast, well-documented, and tested regularly. If a material incident occurs, you have very little time to gather facts, assess materiality, involve the right stakeholders, and file an accurate Form 8-K. Tabletop exercises and simulated incident response drills help your team move through that process with confidence when it counts. 

2. Board-Level Cybersecurity Oversight 

The SEC’s annual disclosure requirements put a spotlight on board governance. Directors overseeing cybersecurity risk need enough working knowledge of the threat landscape to ask the right questions and provide meaningful oversight. Cybersecurity should be a regular, substantive board agenda item, not an occasional update from IT. 

3. Cybersecurity Risk Assessment as a Foundation 

A comprehensive cybersecurity risk assessment is one of the most effective tools for building a defensible disclosure program. It gives you a clear, documented view of your threat landscape, control gaps, and remediation roadmap — exactly the kind of information the SEC expects you to be able to articulate. Without that foundation, your disclosures risk being vague or inconsistent, which can attract unwanted regulatory attention. 

How BPM Can Help Your Financial Institution Navigate SEC Cybersecurity Requirements 

At BPM, we work with the financial services industry to build cybersecurity programs that are both operationally effective and disclosure-ready. Our professionals conduct comprehensive cybersecurity risk assessments, help organizations develop and test incident response plans, and support board governance initiatives aligned with the SEC’s disclosure framework. For financial services firms, cybersecurity compliance is not a one-time project. It is an ongoing discipline, and we are here to be a committed long-term partner in that work. 

To learn more about how BPM supports financial institutions with cybersecurity compliance services, contact us today. 


Josh Schmidt

Partner, Advisory

Josh started his career building IT systems in 2009 and has nearly a decade of experience working directly with clients …
