
November 14, 2023 · Daniel B. Garrie

Between Disclosure and Discretion: The SEC's Cybersecurity Rules and Trade Secret Protection

The SEC's cyber incident-disclosure rules force public companies to describe breaches publicly while protecting trade secrets. Here is how counsel can satisfy both obligations.

When the Securities and Exchange Commission adopted its cybersecurity disclosure rules, it asked public companies to do something genuinely difficult: tell investors what happened during a material cyber incident without telling adversaries, competitors, and copycats how to do it again. For general counsel and securities lawyers, the rules created a structural tension between two obligations that ordinarily point in opposite directions. One pulls toward candor and timely disclosure. The other pulls toward discretion and the protection of the very information that makes a company worth investing in.

That tension is not a drafting accident. It is the predictable consequence of layering a market-transparency regime on top of incidents whose details are, by their nature, sensitive. Navigating it well requires understanding what the rules actually demand and where the room to maneuver lies.

What the Rules Require

The disclosure framework operates on two tracks. The first is incident reporting. Under Form 8-K Item 1.05, a registrant that determines it has experienced a material cybersecurity incident must disclose that fact, generally within four business days of the materiality determination. Critically, the trigger is materiality, not discovery, and not the moment the incident began. The clock starts when the company concludes the incident is material to a reasonable investor. That is not a license to wait: the rule requires the materiality determination itself to be made without unreasonable delay after discovery, so a company cannot park an incident in "under investigation" status to defer the filing. The only express exception to the four-business-day deadline is narrow: disclosure may be delayed if the Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission in writing.

The second track is periodic disclosure. Under Regulation S-K (Item 106), registrants must describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats; whether any such risks have materially affected or are reasonably likely to materially affect the company; and the role of the board in overseeing those risks and of management in assessing and managing them. This is the governance and risk-management story a company tells annually, in the Form 10-K, separate from any specific incident.

The incident-reporting track is where the disclosure-versus-discretion problem becomes acute. The rule asks companies to describe the material aspects of an incident's nature, scope, and timing, along with its material impact or reasonably likely material impact on the company, including its financial condition and results of operations. It does not ask for a technical post-mortem. The SEC has been explicit that a registrant need not disclose specific or technical information about its planned response to the incident, its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail as would impede its response or remediation. That carve-out is the hinge on which a defensible disclosure strategy turns, but note its limit: it is tied to impeding response or remediation, not to trade secret status as such. There is no standalone trade secret exemption; the protection for proprietary information comes from the level of generality the rule permits. Two further features of the rule help. If required information is not determined or is unavailable at the time of filing, the company says so and files an amendment within four business days of determining it, so the initial 8-K need not wait for the investigation to finish. And the filing describes the incident, not the company's defenses, so the presence of a fact in the forensic record does not by itself make it a fact the filing must contain.

Where Trade Secrets Live in an Incident

The risk to sensitive information arises because incident narratives can leak more than the incident. Describing what an attacker accessed can reveal where the crown jewels are stored. Describing how an intrusion unfolded can map network architecture, segmentation choices, and detection blind spots. Describing impact can disclose the existence and value of proprietary processes, customer data structures, or research that the company has never publicly acknowledged. A breach affecting a manufacturing process or an algorithm can, if described carelessly, hand competitors a roadmap to the trade secret itself.

The discipline, then, is to disclose the investor-relevant consequences without disclosing the protectable substance. Investors need to understand that a material asset was compromised and what that means for the business. They do not need the schematics. A company can convey scope, materiality, and likely impact at a level of generality that satisfies the rule while preserving the confidentiality that trade secret protection depends on.

Building a Defensible Disclosure Posture

The work begins long before an incident. Materiality determinations should be made through a documented process that involves legal, security, and financial leadership, so that the timing and substance of any disclosure can be defended later. Disclosure controls and procedures should specifically contemplate cyber incidents, ensuring that the people who understand the technical facts and the people who draft the 8-K are working from the same record.

When drafting, counsel should calibrate every sentence against two questions: does this tell investors something material, and does this tell an adversary or competitor something they should not have. Where the answer to the second question is yes and the first is no, the detail does not belong in the filing. The governance disclosures under Regulation S-K deserve equal care; describing risk-management processes in concrete terms builds credibility but should not become a published inventory of defensive gaps.

How Law & Forensics Helps

Law & Forensics works at the intersection where these obligations collide. Our team pairs digital forensic investigators with cyber and securities counsel to help public companies determine materiality, reconstruct the facts of an incident, and craft disclosures that are accurate and timely without surrendering trade secrets or compromising remediation. We help boards and management teams build the governance and disclosure-control processes the rules assume, so that when an incident arrives, the path from detection to defensible filing is already mapped.

Explore our Cybersecurity services →