Board Reporting on Cyber Risk Under SOX and SEC Rules
The Sarbanes-Oxley Act (SOX) and Securities and Exchange Commission (SEC) regulations create explicit obligations for public company boards to understand, oversee, and report on cybersecurity risks. These requirements have sharpened considerably in recent years, reflecting the SEC's recognition that cyber incidents pose material threats to company operations and shareholder value. Your board must establish a governance framework that satisfies legal requirements while providing meaningful insight into your organization's cyber posture.
The SOX Foundation: Internal Control Assessment
Section 404 of the Sarbanes-Oxley Act (15 U.S.C. § 7262) requires management to assess the effectiveness of internal controls over financial reporting and report findings annually. Cybersecurity directly impacts this assessment. A successful cyberattack on financial systems, data integrity controls, or access management can constitute a material weakness in internal controls. Your board should ensure that cyber risk assessments explicitly inform your Section 404 evaluations. This means your IT security team and internal audit function must collaborate to test controls protecting financial systems, validate incident response procedures, and document any control deficiencies related to cyber threats.
In practice, this requires your compliance and audit teams to answer: Do we have adequate detective and preventive controls against unauthorized access to financial systems? Have we tested our ability to identify and respond to data breaches affecting financial records? Your auditors will expect documented evidence of these assessments.
SEC Disclosure Requirements and Materiality
The SEC's cybersecurity disclosure rules (17 CFR § 229.106) and related guidance require public companies to disclose cybersecurity risks and incidents that are material to investors. Under SEC standards, materiality is determined by whether a reasonable investor would consider the information important in making an investment decision. A significant cyber incident or material vulnerability affecting business operations, customer data, or competitive position typically meets this threshold.
Your board must understand what constitutes a reportable cyber event. The SEC expects companies to disclose material cybersecurity incidents within four business days of determining that an incident is material (17 CFR § 229.106(b)). This timeline is tight and requires real-time incident assessment capabilities. You should establish a clear protocol: when a cyber incident occurs, your incident response team must immediately engage legal counsel and your disclosure committee to evaluate materiality. Do not wait for a full forensic investigation to assess whether disclosure is required—the assessment must occur quickly based on available information.
Audit Committee Oversight Obligations
While not explicitly named in SOX, the Audit Committee's role in overseeing internal controls and financial reporting necessarily extends to cybersecurity governance. The SEC and stock exchange rules (including NYSE Listed Company Manual Section 303A.07) expect audit committees to oversee cybersecurity strategy, risk tolerance, and incident response. Your audit committee should receive quarterly or semi-annual cyber risk reports addressing:
• Threat landscape changes and industry-specific risks affecting your company
• Status of critical security initiatives and remediation of identified vulnerabilities
• Incidents that occurred (even if not material) and lessons learned
• Board-level cyber risk appetite and whether current controls align with that appetite
• Key metrics on security posture, such as patch management rates, phishing simulation results, and access control reviews
Practical Board Reporting Framework
Establish a standardized reporting cadence and format. The most effective boards receive:
Quarterly updates covering threat environment, incident activity, and remediation progress. These should focus on business impact and management decisions, not technical details.
Annual deep dives on cyber strategy alignment with business objectives, third-party risk management (especially vendors with access to financial systems), and adequacy of budget and staffing for cybersecurity.
Immediate incident reports when a potential material incident occurs, with preliminary impact assessment and disclosure considerations.
Your reports should address the connection between cyber risk and financial reporting reliability. For Section 404 purposes, document how cyber incidents would be identified and escalated. Link cyber risk management to your overall enterprise risk framework. The board should know: What is our cyber risk tolerance? How does management's cyber strategy align with shareholder expectations? Are we investing appropriately relative to our industry and risk profile?
Documentation and Governance
Maintain documented evidence that your board received cyber risk information and deliberated on management's response. Board minutes should reflect discussion of material cyber risks, questions asked, and decisions made regarding risk acceptance or remediation. This documentation supports your defense that the board exercised reasonable oversight under SOX and SEC standards.
By treating cyber risk as integral to your SOX compliance and SEC disclosure obligations—rather than a separate IT issue—your board fulfills legal requirements while building genuinely effective oversight of a critical business risk.