If you're a public company with operational technology assets, the SEC's cybersecurity disclosure rules, adopted in July 2023, require you to disclose material cybersecurity incidents on Form 8-K within four business days of determining that they are material. For many industrial operators this is new territory. Before these rules, cybersecurity disclosure rested on interpretive guidance (2011 staff guidance and a 2018 Commission statement) and general materiality principles, with no dedicated line item. The new rules are explicit: a material incident triggers a Form 8-K under Item 1.05, and the company must describe the incident and its impact. For OT companies this changes the calculus of incident response and escalation.
What constitutes "material" is the key question, and it is decided case by case. The SEC deliberately declined to set a bright-line threshold; the test is the established securities-law standard of whether there is a substantial likelihood that a reasonable investor would consider the information important. The adopting release tells registrants to weigh qualitative as well as quantitative factors, such as reputational harm, effects on customer or supplier relationships, and the prospect of litigation or regulatory action, not just direct financial loss. The rule's definition of a cybersecurity incident also covers a series of related unauthorized occurrences, so several individually minor intrusions can add up to a material one. If you operate industrial facilities and a cyberattack halts or degrades production, you should assume you may be facing a material incident and start the determination process immediately.
SEC Disclosure Rules in Practice
The four-business-day window runs from the day you determine that the incident is material, not from the day you detect it, and the rule requires that determination to be made without unreasonable delay after discovery, so the clock cannot be reset by postponing the decision. For many industrial companies this creates urgency and complexity: four business days is rarely enough to finish an investigation, and you may not yet know the full extent of the attack or how long operations will be affected. The rule anticipates this. Item 1.05 asks for what is known at filing time; if required information is not yet determined or is unavailable, the filing says so, and an amended Form 8-K is due within four business days after the information becomes available. Two further caveats: the rule does not require technical detail about your response or about the vulnerabilities involved where that detail would impede remediation, and the deadline can be delayed only where the U.S. Attorney General determines that disclosure would pose a substantial risk to national security or public safety and notifies the Commission in writing.
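Because the deadline is counted in business days from the materiality determination, a playbook should compute it rather than eyeball it; a determination made late on a Friday before a holiday week lands very differently from one made on a Monday. The following is an added example, not part of the original article and not an SEC tool. It assumes that a business day is a weekday that is not a U.S. federal holiday, and the holiday set is constructed for 2024 only; for an actual filing, use the SEC's published EDGAR holiday calendar and confirm the count with counsel.

```python
from datetime import date, timedelta

# Constructed holiday calendar for the example (2024 U.S. federal holidays,
# ISO dates). Assumption: SEC filing deadlines skip weekends and these days.
# For a real filing use the SEC's published EDGAR holiday calendar.
FEDERAL_HOLIDAYS_2024 = {
    "2024-01-01", "2024-01-15", "2024-02-19", "2024-05-27", "2024-06-19",
    "2024-07-04", "2024-09-02", "2024-10-14", "2024-11-11", "2024-11-28",
    "2024-12-25",
}


def is_business_day(iso_day: str, holidays=FEDERAL_HOLIDAYS_2024) -> bool:
    """Assumption: a business day is a weekday that is not a listed holiday."""
    d = date.fromisoformat(iso_day)
    return d.weekday() < 5 and iso_day not in holidays


def add_business_days(iso_start: str, n: int, holidays=FEDERAL_HOLIDAYS_2024) -> str:
    """Date n business days after iso_start. The start day itself is day zero,
    so a determination made on a weekend or holiday counts from the next
    business day, and intervening holidays are skipped."""
    d = date.fromisoformat(iso_start)
    while n > 0:
        d += timedelta(days=1)
        if is_business_day(d.isoformat(), holidays):
            n -= 1
    return d.isoformat()


def form_8k_deadline(determined_on: str, holidays=FEDERAL_HOLIDAYS_2024) -> str:
    """Item 1.05 Form 8-K due date: four business days after the materiality
    determination. The same function serves the amendment clock, which also
    runs four business days from the day missing information becomes available."""
    return add_business_days(determined_on, 4, holidays)


def business_days_between(iso_a: str, iso_b: str, holidays=FEDERAL_HOLIDAYS_2024) -> int:
    """Business days elapsed from discovery (iso_a) to determination (iso_b).
    A playbook can flag large values for counsel, since the rule requires the
    determination to be made without unreasonable delay after discovery."""
    a, b = date.fromisoformat(iso_a), date.fromisoformat(iso_b)
    count = 0
    while a < b:
        a += timedelta(days=1)
        if is_business_day(a.isoformat(), holidays):
            count += 1
    return count


if __name__ == "__main__":
    # Determination on the Friday before Thanksgiving week: the holiday is skipped.
    print(form_8k_deadline("2024-11-22"))  # 2024-11-29
    # Determination the day before Independence Day.
    print(form_8k_deadline("2024-07-03"))  # 2024-07-10
    # How long the determination took, in business days, from a Nov 20 discovery.
    print(business_days_between("2024-11-20", "2024-11-29"))  # 6
```

Record both the discovery date and the determination date in the incident ticket; the second drives the filing deadline, and the gap between them is what you will be asked to justify if the determination is ever challenged as delayed.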
The Item 1.05 filing must describe the material aspects of the nature, scope, and timing of the incident, and its material impact or reasonably likely material impact on the company, including on financial condition and results of operations. It does not have to catalogue your response actions or the attack's technical details; the final rule dropped the proposed requirement to report remediation status. Separately, the annual report (Form 10-K, Regulation S-K Item 106) must now describe your processes for assessing, identifying, and managing material cybersecurity risks; the board's oversight of those risks, including any responsible committee and how it is informed; and management's role, including the relevant expertise of the people or committees responsible. This governance disclosure is new and requires board engagement with cybersecurity at a level of detail many boards have not previously operated at. Note that the final rule did not adopt the proposed requirement to disclose board members' own cybersecurity expertise.
Implications for Industrial Operators
- Incident response must account for disclosure timing: Your incident response playbook needs an explicit materiality assessment that starts at detection and is revisited as facts emerge, because the rule requires the determination to be made without unreasonable delay. Define who makes the call, and escalate likely-material incidents to the CFO, General Counsel, and CEO immediately. Collect the facts the Form 8-K needs (nature, scope, timing, and impact on operations and financials) in parallel with the technical investigation, and record when each was established; that timeline is your evidence that the determination was not unreasonably delayed.
- Board engagement is expected: Because your annual report must describe how the board oversees cybersecurity risk and how it is informed of incidents, the process you disclose has to be the process you actually follow. Notify the audit committee or board cybersecurity committee of potential material incidents, and prepare board materials within hours of discovery, not days. The board needs to understand the incident, its potential business impact, and your response strategy.
- Counsel and investor relations involvement early: Bring legal counsel and the investor relations team into incident response early. Disclosure decisions carry legal, financial, and reputational risk, and a Form 8-K is both a legal obligation and a communication to the market. Get professional advice on what to disclose and when, and on how the filing squares with the cybersecurity governance statements already made in your 10-K.
- Governance documentation is evidence: SEC staff reviewing your filings, or an Enforcement investigation after an incident, will ask for evidence that your cybersecurity program, board oversight, and risk management practices exist as described. Maintain records of board meetings, cybersecurity reports to the board, audits and assessments, and incident response planning and exercises. Disclosures that overstate your program are themselves a liability: if you cannot substantiate what you disclosed, you are exposed to enforcement action for misleading statements, not only for the incident itself.
The Broader Implication: Security Must Be Material to Boards
SEC disclosure rules are forcing public companies to elevate cybersecurity to board-level governance. This is healthy. It gives security leaders a concrete basis for the business case for investments in visibility, response capability, and resilience, and it makes the board's oversight, and the accuracy of what the company says about it, a matter of public record. That accountability should drive more serious investment and more rigorous risk management.
We help industrial operators understand SEC disclosure obligations, build incident response processes that account for disclosure requirements, and prepare governance frameworks that satisfy SEC expectations. Contact us to assess SEC disclosure readiness for your company.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.