New SEC Disclosure Rules Reshape Corporate Boards

The SEC is not just demanding more transparency; it is redesigning the balance of power within corporate boards. Companies treating this as compliance may be making the biggest mistake of the decade.

Francisco Torres, April 11, 2026, 7 min read

The Securities and Exchange Commission (SEC) adopted a set of rules in July 2023 requiring public companies to disclose material cybersecurity incidents, their climate risk management strategies, and the oversight mechanisms their boards have for both variables. This package is not new in spirit but is unprecedented in its depth: for the first time, the regulator is not just asking what happened but how the board is organized to prevent it from occurring.

This is not merely an administrative update. It is a shift in the grammar of corporate governance.

From Voluntary Disclosure to Mandatory Reporting

For years, the disclosure of non-financial risks was a public relations exercise disguised as governance. Companies published their cybersecurity policies in sustainability reports that were never rigorously audited, and boards could boast of "strategic oversight" without any formal mechanisms to verify it. The SEC has closed that gap.

The new regulatory framework operates under a logic that corporate lawyers refer to as disclose or explain: either you disclose the practice or publicly explain why you don’t have it. This mechanism is more coercive than it seems. In theory, any company can opt for the explanation route. In practice, doing so exposes them to scrutiny from voting advisory firms like ISS or Glass Lewis, which penalize the absence of formal controls by recommending votes against directors. The result is a market pressure that acts as an implicit mandate.

The cybersecurity rule—codified in Item 106 of Regulation S-K—requires companies to describe their processes for identifying and managing material risks, the potential effects on the business, and, specifically, the board's role in overseeing cybersecurity threats. It is not enough to have an audit committee review incidents retrospectively; the regulator wants to know how prepared the board is to anticipate them.

In parallel, the climate disclosure rules establish a staggered timeline: larger companies (Large Accelerated Filers) must start with financial risk disclosures in 2025 and greenhouse gas emissions in 2026. Medium-sized companies follow in 2026 and 2028, respectively. That timeline is not generous; for many organizations, building the necessary data infrastructure to meet those requirements takes 18 to 36 months.

Pressure on Board Composition

Here is the point that most analyses on this topic miss: the new rules change not just what is reported but who needs to be at the table to credibly report it.

A board composed entirely of executives with traditional financial and operational backgrounds lacks the technical capacity to oversee a cybersecurity strategy with the granularity that the SEC now demands. The same applies to climate risk: a director who does not understand the difference between Scope 1, 2, and 3 emissions cannot reliably certify that the company is appropriately managing its regulatory exposure on that front.

This is generating an accelerated demand for directors with specialized technical profiles: former Chief Information Security Officers (CISOs), energy infrastructure experts, and engineers experienced in industrial decarbonization. The issue is that this talent market is narrow and expensive. Recruiting a director with genuine credentials in cybersecurity or climate risk comes with significant opportunity costs, both in compensation and in the time it takes to integrate them into board operations.

Companies attempting to address this with accelerated training for their current directors are betting that superficial knowledge meets regulatory standards. This is a gamble that is unlikely to withstand the first material incident under the new rules.

The reform also pressures the committee structure. Historically, the audit committee absorbed almost all risk issues. Today, many boards are creating specific cybersecurity and sustainability committees, multiplying the burden on independent directors and increasing board operating costs. For a company with annual revenues below $500 million, this structural cost can represent between 0.3% and 0.8% of its overhead and administrative expenses, according to projections from the legal sector.

The Cost of Confusing Compliance with Strategy

The biggest operational risk I see in how companies are responding to these rules is the confusion between filling out forms and managing risk. These are not the same objectives, and optimizing for one can undermine the other.

A company that builds its cybersecurity disclosure to satisfy Item 106 without redesigning its internal incident management processes has created a significant legal liability: if a breach occurs, the regulator will have a certified document in hand where the company claimed to have robust controls. The reputational and legal damage from that breach multiplies by the distance between what was stated and what existed.

The same applies to climate risk. Disclosing emissions without a credible management plan behind it is, paradoxically, more costly than not disclosing anything at all, because it turns a regulatory risk into a litigation risk. Institutional investors with ESG mandates are already using climate disclosures to build cases of fiduciary negligence against directors who approved strategies inconsistent with their own public statements.

SEC Chairman Gary Gensler articulated the regulator's goal accurately: to ensure that disclosures are "consistent, comparable, and useful for decision-making." This technical language has a direct implication for boards: the standard is not to disclose more but to disclose accurately enough for an external investor to make an independent risk assessment. The generic boilerplate that characterizes much of the current disclosures will not meet that standard.

The Board as a Strategic Asset, Not a Compliance Structure

Companies that are emerging in a stronger position in this environment are those that treated the new requirements as an opportunity to recalibrate their board architecture, not those that hired an outside firm to draft the minimum disclosures required.

This involves concrete decisions: mapping the technical skill gaps on the current board, designing a director onboarding process with updated criteria, and building an internal reporting mechanism that generates the data the board needs to oversee cybersecurity and climate risk quarterly, not annually. The disclosure process before the SEC should be the last step of that system, not the first.

Companies that invest in that governance infrastructure before compliance deadlines force them to will have a structural advantage: their boards will be better equipped to detect risks before they become material, reducing the likelihood of incidents and, with them, the associated costs of litigation, response, and reputational damage. The SEC's regulatory framework, with all its implementation frictions, is accelerating a differentiation between companies that govern with data and those that govern with documents.
