June 2, 2026 · Law & Forensics

The Board's New Cyber Mandate: SEC Disclosure Rules, the Attestation Chain, and the Case for Independent Audits

The SEC's 2023 cybersecurity rules turned oversight into a documented chain that runs from the security team, through the boardroom, and into a company's public filings. For directors, that chain is now the exposure surface — and independent audits are what make it defensible.

The SEC's 2023 cybersecurity rules did something subtle but consequential: they converted cybersecurity oversight from an internal management concern into a documented, externally disclosed chain of accountability that runs from the security team, through the boardroom, and into a company's public filings. For directors, that chain is now the exposure surface. Understanding how it works — and how to make it defensible — is the governance task of the moment.

This article focuses on the board-level disclosure and audit obligations the rules create. For the parallel question of individual security-executive liability after SolarWinds and Sullivan, see Guidance for CISOs After United States v. Sullivan and SEC v. SolarWinds.

What the Rules Actually Require

Two provisions do most of the work.

Form 8-K Item 1.05 requires a public company to disclose a material cybersecurity incident within four business days of determining that it is material. The clock runs from the materiality determination, not from discovery — which makes the process for reaching that determination a governance artifact in its own right.

Regulation S-K Item 106 requires annual disclosure of the company's cybersecurity risk-management strategy and governance, and — critically — a description of the board's oversight of cybersecurity risk and management's role in assessing and managing it. For the first time, a company must tell the public, on the record, how its directors supervise cyber risk.

The Attestation Chain

Item 106 is what turns oversight into a chain. To describe the board's oversight in an annual filing, the board must actually receive, review, and act on information about the security program. That information originates with the security team. Its representations inform the board's understanding; the board's understanding is memorialized in its oversight description; that description becomes a public disclosure investors rely on.

Each link references the one before it. When a disclosure later proves inaccurate — when the described posture diverges from the documented reality — the entire chain is exposed to scrutiny at once: the executives who characterized the program, the directors who attested to overseeing it, and the filing that told the market it was sound. The governance objective is to ensure that every link can be supported by a contemporaneous record.

Why Independent Audits Are Now the Linchpin

Boards cannot validate a security program by accepting management's self-assessment of management's own work. That is the structural weakness the new regime exposes, and it is why independent audits have moved from best practice to near-necessity.

The New York Department of Financial Services' amended cybersecurity regulation makes the point explicit, requiring covered entities to conduct independent audits of their cybersecurity programs — alongside more frequent risk assessments, ransomware-payment reporting, and annual training. But the logic is not confined to regulated financial entities. An independent audit does two things no internal report can: it gives the board objective, third-party validation of the program's efficacy, reducing reliance on the very team being evaluated; and it creates defensible documentation that the board exercised reasonable oversight — precisely the record a regulator would demand in an enforcement inquiry.

The independence has to be real. An assessment performed by a vendor entangled with the security team, or scoped to produce comfortable findings, delivers neither the governance insight nor the legal protection the board is paying for. Genuine independence — in reporting line, in scope, and in incentive — is what gives the audit evidentiary weight.

What Boards Should Do Now

Three steps follow directly from the chain.

First, formalize the flow of information from the security function to the board: a regular briefing cadence, written summaries, and documented board responses, so the oversight the company discloses is the oversight it actually performs.

Second, commission a genuinely independent audit of the security program, and treat its findings as governance inputs — escalated, tracked, and remediated — not as a document to file away.

Third, reconcile the company's public security representations with the program's documented reality before the next filing, not after the next incident. Where there is a gap, close it or disclose it; do not let it sit in the space between what was said and what was true.

How Law & Forensics Helps

Law & Forensics conducts independent cybersecurity audits and advises boards, general counsel, and security leaders on the governance and disclosure obligations the SEC's rules impose. We help directors build defensible oversight records, align public representations with security reality, and stand up the independent validation that both the regulation and the boardroom now require.