With increased reliance on artificial intelligence to accelerate machine dominance in day-to-day tasks, there has been a continuing increase in cyber threats and vulnerabilities that plague the digital environment we operate in. The concern is that cybersecurity breaches are no longer limited to traditional malware attacks but are innovative and unpredictable.
Every company should prioritize responsible AI and address cybersecurity risks to control their impact. Cyber breaches must be seen as more than IT problems—they threaten systems, privacy, and information security.
Quick mention: Gartner projects that global IT expenditure will increase by 9.8% in 2025, reaching US $5.61 trillion. Additionally, more than 80% of CIOs are expected to expand their budgets to address cybersecurity concerns arising from advancements in artificial intelligence.
This paper focuses on the Securities and Exchange Commission (SEC)’s cybersecurity disclosure rules for public companies, 2025, which are primarily intended to enable earlier reporting of cybersecurity breaches and continuing disclosures on risk management and governance.
In February 2025, the SEC established the Cyber and Emerging Technologies Unit (CETU) to deal with cybersecurity misconduct and to enforce penalties for inadequate disclosures in this regard. The SEC embraced the 2023 rules, fully enforcing them for all public companies in 2025.
Let us have a sneak peek into the 2025 SEC rule mandates:
- Prompt reporting of cybersecurity incidents on Form 8-K within four business days of determining the incident to be a material breach, the only exception being if the U.S. Attorney General “determines immediate disclosure would pose a substantial risk to national security or public safety.”
- Annual risk disclosures by companies in Form 10-K detailing:
  - their processes for managing cybersecurity risks,
  - the management’s role in evaluating and curtailing material risks, and
  - the board of directors’ oversight of cybersecurity risks.
- Inline XBRL tagging, so that all disclosures follow the Inline eXtensible Business Reporting Language (XBRL) format, making the content machine-readable and easier to analyze.
The SEC rules, fully implemented and operational in 2025, have an extensive and positive impact and enable a robust, time-bound governance framework for reporting cyber incidents and for the continuing steps to manage risks.
These rules affect regulated industries, address current privacy laws, and encourage companies to adopt new AI technologies. Additionally, the requirements for reporting cybersecurity incidents are clearly outlined in the rules and apply to incidents that may be regarded as ‘material’ and potentially impact a company’s reputation. These rules require several industries to adjust their strategies to address foreseeable cyber risks.
A quick preview of the potential impact of the 2025 SEC rules across various industries:
Financial services: Subject to increased scrutiny from regulators to disclose any material cybersecurity breaches and to be more transparent with investors about the approach to mitigating cybersecurity risks, leading to enhanced governance. Banks and insurers are increasing board-level oversight as a result.
Healthcare and life sciences: Rapid reporting timelines for security incidents apply in addition to compliance pressure from the HIPAA overlap, creating dual compliance concerns. This is a vulnerable industry because of the amount of personal data collected and managed, including patient data, hence the need to maintain elevated levels of transparency.
Retail and consumer goods: Emphasis is placed on supply chain vulnerabilities and point-of-sale breaches. Nonetheless, there remains an emerging risk of cybersecurity incidents, and comprehensive disclosures are necessary to outline third-party risks as well as corresponding mitigation strategies.
Technology and SaaS: Anything digital is a risk, and cloud providers and software firms are under immense pressure to maintain increased governance and proactive risk management. Continued emphasis on transparency and intense scrutiny of incidents remains the core focus.
Manufacturing: Cybersecurity here covers both cyber and physical risks, as automated factory devices at physical sites may now be part of the SEC disclosures too. Any disruption caused by a cybersecurity breach can have a lasting impact on operations and safety systems, hence governance becomes imperative.
In summary, the 2025 SEC rules show a broader shift in perspective by mandating cybersecurity incident disclosures rather than treating cybersecurity as an IT issue only.
These rules also increase the compliance burden for companies and highlight the imperative need to consider cybersecurity an important aspect of a company’s business strategy. The responsible use of AI enables automating incident detection and response, streamlining disclosure workflows, identifying vulnerabilities and threats, risk scoring based on severity, and establishing a continuous monitoring and governance mechanism.


