As cyberattacks grow more systemic and continue to mature, regulators have increased their focus on transparency and accountability. On October 22, 2024 the SEC announced civil penalties against four public companies (Unisys, Avaya, Check Point and Mimecast) for making "materially misleading disclosures" about intrusions tied to the SolarWinds compromise. The action highlights a marked shift in what the SEC expects of companies regarding cyber disclosures, targeting omissions and generic, hypothetical risk language that could leave investors in the dark about the scope and impact of security events that had in fact already occurred. The SEC's stance is clear: cybersecurity risk transparency is an essential component of a public corporation's duty to investors. This stance signals a shift in corporate oversight, where cybersecurity risk is now as critical to disclose as financial metrics. In much the same way the Sarbanes-Oxley Act transformed financial governance, the SEC's actions mark a pivotal step in making cybersecurity accountability a core element of corporate governance.
The evolving role of CISOs under SEC's "Cyber SOX"
As the fines demonstrate, security leaders are now tasked with bridging the gap between cyber risk and financial impact: understanding risk metrics, translating them into financial terms, and presenting them in a way that resonates at the board level. The cost of a cyberattack continues to weigh heavily on businesses. According to IBM's 2024 Cost of a Data Breach Report, U.S. companies paid an average of $9.36 million to recover from a data breach, only a slight decline from the previous year, while the global average rose to $4.88 million.
For today's CISOs, this marks a turning point. Their responsibilities have expanded beyond the traditional duties of checkbox compliance and control implementation. They are now critical players in corporate governance, tasked with ensuring that cyber risks are evaluated, managed and reported transparently to stakeholders. The SEC's cybersecurity disclosure rule requires registrants to describe the material impact, or reasonably likely material impact, of an incident on their financial condition and results of operations, which in practice pushes CISOs and boards to address the financial implications of cyber threats with clear and quantifiable disclosures. Beyond reporting on the technical state of cybersecurity, they must now align cyber risk metrics with operational and financial risk metrics, reinforcing cybersecurity as a foundational aspect of overall business health.
8-K filings and disclosure strategy
A notable aspect of the SEC's cybersecurity rule is the requirement for current and timely reporting of material cybersecurity incidents via Form 8-K: once a registrant determines an incident is material, it generally has four business days to file. Since the rule took effect in late 2023, there has been a sharp rise in 8-K filings regarding cyber events, reflecting a broader shift in expectations for security leaders. Materiality itself is a well-established legal concept (would a reasonable investor consider the information important?), and modern risk quantification methods can inform that judgment, but discrepancies remain in how it is interpreted. Executives often tie materiality to high revenue thresholds, while investors may view smaller breaches as significant when they indicate broader deficiencies in cyber risk management.
This adjustment period has led some organizations to adopt an overly cautious approach, submitting filings without fully quantifying the material impact. While technically compliant, this strategy can obscure meaningful disclosures and pose a risk to investors seeking transparency. The SEC's stance on recent omissions brings a pointed message: failure to communicate critical cyber risk information isn't just a lapse; it is a regulatory violation that can have major financial consequences.
For CISOs, this highlights the importance of cybersecurity disclosures as integral to investor relations. Cyber risk management, when done properly, ensures clear communication between information security and boards, promoting better decision making and transparency, much like standardized reporting practices implemented under SOX.
Bridging the knowledge gap in financial and cyber risk
One of the greatest challenges for security leaders in meeting these new requirements is the need for cross-disciplinary knowledge. Many security leaders are highly skilled in technical areas but may lack experience in financial terminology and its implications for cybersecurity. Yet, understanding these financial dimensions is essential. It allows CISOs to clearly communicate risk posture to boards and investors and align cyber risks with other critical business risks in financial terms.
Strong platforms emphasizing measurable, actionable cybersecurity programs provide tools that help close this gap. By translating cyber risk into language that resonates with other departments, such as finance and investor relations, CISOs can effectively communicate the full impact of cybersecurity incidents. This approach fosters a culture of transparency, in line with SEC expectations, while enhancing the organization's ability to protect against cyber threats.
Focus on omissions: The SEC's new emphasis on transparency
The SEC's recent fines reflect a broader regulatory focus on omissions, not just outright misstatements. In the case of the four fined firms, the SEC's rationale was rooted in the "reasonable investor" standard: investors have a right to expect clear and accurate information regarding material cyber risks, and risk-factor language that framed intrusions as hypothetical after the companies knew they had happened fell short of that standard. This emphasis on omissions challenges CISOs to ensure that cybersecurity reports are complete, accurate to what has actually occurred, and understandable to stakeholders who may not have a technical background.
For cybersecurity leaders, risk management and disclosure go hand-in-hand, but each has distinct requirements. Under Regulation S-K Item 106(b), organizations must "show their work" by disclosing the processes they use to assess, identify and manage material cybersecurity risks in their annual reports. This transparency requires CISOs to work with other executives to ensure these processes are well-documented, consistent and clearly communicated to investors.
In contrast, omissions in incident-specific disclosures, addressed under Form 8-K Item 1.05, can lead to significant consequences including fines and reputational damage. CISOs must balance these dual responsibilities by developing strategies that prioritize transparency in both ongoing risk management processes and incident-specific disclosures.
The irony of the fines: When transparency would have softened the blow
The recent SEC fines spotlight an ironic truth: had these companies quantified their cyber risks in financial terms, their disclosures may have seemed less alarming than the narrative implied by technical terms alone. By avoiding financial metrics, the companies presented cybersecurity events in vague, often unsettling terms, leaving investors to interpret risks without material context. Reporting a “ransomware attack” or “breach” without quantifiable impact can appear far more daunting than the financial implications might suggest.
This irony reveals the need for security leaders to integrate financial clarity into their cyber resilience efforts, making cyber disclosures a seamless part of corporate governance. The SEC’s rule is, in many ways, a call for CISOs and boards to present cybersecurity not as an isolated technical function but as a quantifiable, manageable element of operational and financial stability.
A new era of corporate governance and cybersecurity accountability
As SOX reshaped corporate governance around financial transparency, the SEC's cybersecurity rule is having the same effect on cyber risk. It pushes CISOs to adopt a proactive and transparent approach to managing and disclosing cyber risks. By embedding cybersecurity into the core of corporate governance, companies can build resilience in the face of growing cyber threats and, ultimately, greater trust among investors.
For CISOs, cybersecurity must be treated as a critical element of business continuity and investor confidence. As SOX set the stage for financial accountability, the SEC's cybersecurity rule establishes a new standard for cybersecurity accountability that holds security leaders and boards to a higher level of transparency and integrity in the digital age.
By aligning cyber and business risks, CISOs can deliver the insights necessary to drive informed decisions and ensure compliance with SEC standards. With end-to-end tools, organizations can establish a cybersecurity culture that meets these evolving demands, delivering transparency, resilience and measurable business value.