With the July 2023 adoption by the U.S. Securities and Exchange Commission (SEC) of enhanced disclosures of cybersecurity incidents and risk management, we reviewed the current reporting practices of financial sector companies to see where things stand and to help provide guidance to companies.

The new rule, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure has five areas of disclosure focus:

• Incident Disclosure
• Cybersecurity Risk Management Process and Procedures
• Material Impacts of Cybersecurity Incidents and Risk
• Board Cybersecurity Oversight Role
• Management Cybersecurity Role and Expertise.

The 11 financial sector companies that reported a cybersecurity incident during the study period indicated that the massive May 2023 MOVEit breach was the triggering event for their 8-K filings.