The SEC’s Cybersecurity Disclosure Rule: What CISOs Need to Know
As cyberattacks become more commonplace and CISO liability becomes an increasing concern, security leaders need to be mindful of the SEC cybersecurity disclosure rule (SEC Release No. 33-11216), which requires public companies to move faster and disclose more clearly when it comes to cyber risk. The rule's core requirements are:
Companies must disclose material cybersecurity incidents within four business days of determining materiality.
Annual filings must describe how the company governs and manages cyber risk, including board oversight and executive responsibilities.
Disclosures must be updated promptly if new details emerge, ensuring investors get a complete and accurate picture.
What This Means for Security Leaders
This rule highlights the personal accountability CISOs face in 2025 and beyond. For incident reporting, CISOs need a clear, defensible process for determining the materiality of an event, because the four-business-day clock starts at that determination and the accuracy of the report depends on it. Governance documentation demands, among other things, accurate asset visibility, especially across IoT and OT devices, where vulnerabilities are growing rapidly. A detailed asset inventory is necessary to quantify risk clearly to boards and regulators, and to ensure reporting is backed by verifiable data rather than estimates or incomplete information.
Turning Compliance Pressure into Confidence with SomosID™
At Somos, we've long ensured trust in communications by managing digital identifiers for more than seven billion phone numbers. With SomosID for IoT, we extend that expertise into device intelligence. By correlating device inventories, identities, SBOMs, vulnerabilities and certifications, SomosID gives CISOs transparency into the makeup and risk posture of their IoT devices. With SomosID, CISOs can proactively groom their device portfolios, scope and respond to incidents faster, provide accurate disclosures under SEC timelines, and reduce liability exposure with trusted, verifiable data.
Regulators are making it clear: speed, accuracy, and governance clarity are now non-negotiable. With solutions like SomosID, CISOs can gain the visibility and intelligence needed to meet these expectations, reduce liability, and protect their organizations.
Want to go deeper? Join our upcoming webinar, CISO Liability in 2025: Navigating IoT Risk, Regulation and Accountability, on November 13. The SomosID team will unpack how these disclosure rules intersect with IoT/OT vulnerabilities and share practical steps for reducing liability with trusted device intelligence.