The SEC has published the Final Rule on Cybersecurity Risk Management Strategy, Governance, and Incident Disclosure in July 2023 . As part of this new rule, all public companies must abide by the following:

1. Material Incident Disclosure Requirements

  • Timely notification of ‘material’ cybersecurity incidents on a Form 8-K within four business days of detecting an incident determining an incident is material describing the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations.

  • Updated disclosure on previously disclosed cybersecurity incidents in amendments on Form 8-K.

  • Companies can request more time if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national or public safety and notifies the Commission.

2. Risk Management Strategy Disclosure Requirements

  • Description of processes, if any, for the assessment, identification, and management of material risks from cybersecurity threats, including:
  • Whether and how processes have been integrated into the overall risk management system or processes


  • Engagements with assessors, consultants, auditors, or other third parties in connection with any such processes
  • Disclosure of whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition.

3.Governance and Board Expertise Disclosure Requirements

  • Description of the board’s oversight of risks from cybersecurity threat and any devoted committees or subcommittees


  • Description of management’s role in assessing and managing the registrant’s material risks from cybersecurity threats which may include:
  • Management positions or committees are responsible for assessing and managing risks, and the relevant expertise of each person
  • Processes on how management is informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents
  • How information about such risks to the board of directors or a committee or subcommittee of the board of directors.

Material Cyber Incident Reporting

 Incidents are considered material if it has the potential to significantly impact the price of a security or influence an investor’s decision to buy, sell, or hold a security. “Material” cybersecurity incidents would have to be reported on a Form 8-K within four business days of detecting the incident, along with updated disclosure on previously disclosed cybersecurity incidents in amendments to the Form 8-K.

Board-Oversight & Management

 including the board’s oversight of cybersecurity risk and a description of management’s role in assessing and managing material cybersecurity risks, the relevant expertise of such management, and its role in implementing the registrant’s cybersecurity policies, procedures, and strategies.

Risk Management & Strategy

and the incorporation of cyber security risk into business strategy for investors and shareholders to assess whether companies will become more resilient or conversely, more vulnerable to cybersecurity risks in the future.

Tangible Outcomes from SEC Readiness

Investor Trust​

Timely and consistent disclosure about material cybersecurity incidents aids investors in decision-making, strengthening investor trust.

Demonstrable Resiliency

Disclosure about the impact of cybersecurity risks on business strategy enables investors to ascertain whether companies will become more resilient in the future.

Investment and voting decisions

Disclosure about the board’s oversight informs investors about the role of the board in cybersecurity risk management, which may help inform their investment and voting decisions.

How BluOcean Addresses This Challenge

BluOcean will rapidly assess your current risk management program with a comprehensive toolset to drive quality and efficiency in our delivery. We have invested in educating our team on the SEC ruling to be able to effortlessly collaborate with all your key stakeholders across the organization including the CFO, legal team, CISO, and others to build a compliant cybersecurity risk governance model. BluOcean brings a multidisciplinary team with a variety of backgrounds and skills to holistically address your cyber risk management program at all levels.  


We first work to define what materiality and material incidents look like in your organization using our SEAhorse solution to create a high value asset and material risk inventory with quantifiable impacts, along with a review of your current board and risk management strategy. This leaves us with a high level overview of your organization and where gaps may lie. A deep dive is conducted after to truly understand your current capabilities with a thorough documentation review of all your policies and procedures, incident response plans, risk assessments, organization charts, operating models, and board meeting presentations and notes. This unlocks a detailed view of your gaps to begin to understand how to address and remediate them. Those gaps are analyzed by our cybersecurity experts to create a strategic prioritized roadmap with recommendations taking into consideration your in-flight cyber initiatives.


Workshops with key internal stakeholders are then conducted surrounding this roadmap to develop a remediation plan with measurable tracking, reporting, and outcomes. BluOcean takes a quick and comprehensive approach to address your regulatory needs to aid your CISO, CFO, and legal team through navigating an evolving regulatory landscape. 

Our Framework

SEC Readiness FAQs

The final rule was published in July 2023.

For incident disclosure:


  • December 18, 2023 for all companies or 90 days after rule publication in Federal Register

  • June 15, 2024 for small reporting companies or 270 days from the effective date of the rules

For risk management and governance disclosure:

  • December 15, 2023

At minimum your company should assess and ensure that you have written attestation of all requirements outlined in the final rule.

Among other things, your readiness checklist includes documented processes for:


  • Cyber risk assessment which categorizes and prioritizes cyber risk based on an inventory of organization’s high-value assets and the potential impact of a cybersecurity incident;

  • Cybersecurity vulnerability assessment to assess threats and vulnerabilities;

  • A written incident response plan that defines how the organization will respond to and recover from a cybersecurity incident, including reporting structure and cadence;

  • A business continuity plan designed to ensure uninterrupted operations;

  • Tabletop exercises to review and test incident response and business continuity plans;

BluOcean can provide a prioritized strategic roadmap along with your assessment findings that includes an estimate of cost and time to complete each initiative.

If you’re interested in understanding where your organization stands with the final release of the SEC rule, you can contact us to learn more.

Contact Us

Interested in working together? Fill out some info, and we will be in touch shortly.

First Name(Required)
Last Name
This field is for validation purposes and should be left unchanged.

Join Thousands of weekly readers

Enter your email for instant access to our EXCLUSIVE ebook & discover the Roadmap for Moving to ROI-Led Cyber Risk Management.

This field is for validation purposes and should be left unchanged.