When do SEC cybersecurity disclosure rules apply to public companies?

SEC Cybersecurity Rules apply to all Exchange Act reporting companies. Form 8-K Item 1.05 (material incident disclosure) was required as of December 18, 2023 for large accelerated filers and June 15, 2024 for all others. Form 10-K Item 1C (annual cybersecurity risk management disclosure) was required in annual reports filed after December 15, 2023 for large accelerated filers. Foreign private issuers have a parallel disclosure framework on Forms 6-K and 20-F.

What AI incidents are material enough to require 8-K disclosure within 4 business days?

Materiality is fact-specific. AI incidents likely to be material: unauthorized access to AI training data containing substantial customer PII; model poisoning that corrupted AI outputs used for financial decisions; adversarial attacks causing AI fraud detection failures with quantifiable financial loss; third-party AI vendor breaches that exposed customer data. AI incidents likely not material: routine model performance degradation (not caused by attack); AI vendor service disruption shorter than a few hours; adversarial attack attempts that were detected and blocked before any harm.

Does model drift (gradual AI performance degradation) require SEC disclosure?

Generally no, unless it results from a security incident (training data poisoning) or materially affects AI used for financial reporting (ICFR implications). Organic model drift — performance degradation due to distribution shift — is an operational quality issue. If drift causes material business harm (significant revenue impact, major product failure), it may require MD&A disclosure as a business risk. If it affects AI in financial reporting, it may require SOX material weakness disclosure. It does not typically meet the definition of a 'cybersecurity incident' for 8-K purposes.

What should 10-K AI cybersecurity risk disclosure contain?

A credible 10-K Item 1C for an AI-intensive company should cover: (1) Third-party AI provider dependency — how you assess and manage risk from AI model providers (OpenAI, Anthropic, cloud AI services); (2) AI model integrity — adversarial attack risk, prompt injection, model poisoning monitoring; (3) Training data security — access controls, encryption, supply chain; (4) AI in financial reporting — ICFR implications if AI generates financial outputs; (5) Board oversight — which committee, how often, what management roles are accountable.

What does the SolarWinds case mean for AI security leaders at public companies?

The SolarWinds case established that CISOs can be personally charged by the SEC for misleading cybersecurity disclosures. For AI security leaders: public disclosures about AI security practices must match internal assessments. If internal reports document known AI security gaps (model poisoning vulnerabilities, inadequate adversarial testing, third-party AI vendor risk that exceeds your management capability), while public 10-K disclosures describe robust AI security programs, there is fraud exposure. AI security leaders should review 10-K cybersecurity language against their actual security posture before filing.

We use a third-party AI model API (OpenAI, Anthropic). What do we need to disclose?

10-K Item 1C should describe your process for assessing and managing third-party cybersecurity risk, including AI model providers. If your business materially depends on a specific AI provider and a breach of that provider could materially affect you, that dependency and your risk management approach should be disclosed. If a third-party AI provider has a security incident that exposes your customer data (sent via API), you must conduct a materiality analysis and may need to file an 8-K. Many companies add AI provider dependency language to their Material Risks and 10-K Item 1A risk factors in addition to Item 1C.

Does AI used for financial reporting create SOX compliance issues?

Yes. AI systems that generate or materially contribute to financial reporting outputs are within the scope of internal controls over financial reporting (ICFR) under Sarbanes-Oxley. Material AI model failures — drift causing systematic errors in revenue recognition models, adversarial manipulation of fraud scoring — could require material weakness disclosure. SOX Section 302 certifications (signed by CEO and CFO) implicitly cover the accuracy of AI-generated financial data. AI teams responsible for financial reporting AI should engage with internal audit and the Audit Committee on ICFR scoping.

How does Tenet AI support SEC cybersecurity incident response for AI systems?

Tenet provides the monitoring infrastructure and forensic record needed for SEC-compliant AI incident response. Tenet's anomaly detection identifies unexpected AI decision patterns that may signal a security incident. When an incident occurs, Tenet's immutable decision logs provide the forensic timeline — when did behavior change, which AI system was affected, what data was involved, and what the impact was. This supports both the 4-business-day materiality determination process (what happened, when, impact scope) and the post-incident 8-K disclosure. Tenet's ongoing monitoring baseline also supports 10-K descriptions of the cybersecurity risk management program.

SEC Cybersecurity Disclosure Rules and AI Systems: 8-K Material Incidents, 10-K Risk Management, and Board Oversight

SEC Cybersecurity Disclosure Rules (17 CFR §§ 229.106, 240.13a-1, 240.13a-11), effective December 2023, require public companies to disclose material cybersecurity incidents within 4 business days on Form 8-K and describe their cybersecurity risk management program annually in Form 10-K. AI systems introduce new material cybersecurity risk categories: model poisoning and adversarial attacks; training data breaches containing customer PII; third-party AI model provider dependency risk; and AI used in financial reporting (internal controls over financial reporting implications). The SEC charged SolarWinds and its CISO personally in 2023 for misleading cybersecurity disclosures — establishing personal liability precedent for security leaders who certify inaccurate security disclosures. AI security leaders at public companies must ensure their 10-K disclosures accurately describe known AI security risks and practices.

Form 8-K Item 1.05: Material AI Cybersecurity Incident Disclosure Within 4 Business Days

SEC Rule 13a-11 requires disclosure within 4 business days after the company determines a cybersecurity incident is material. The 4-day clock starts at the materiality determination, not at discovery. AI incidents that may be material: unauthorized access to AI training data repositories containing customer PII; model poisoning attacks that corrupted AI financial outputs; adversarial attacks causing AI fraud detection to fail at scale; third-party AI vendor breaches exposing customer data through API integrations; and LLM prompt injection enabling customer data exfiltration. Materiality analysis must consider financial impact, regulatory consequences, reputational harm, and the likelihood that reasonable investors would consider the information important. Companies need a defined materiality determination process for AI incidents — who decides, what criteria apply, and what evidence is required.

Form 10-K Item 1C: Annual AI Cybersecurity Risk Management Disclosure

The 10-K must describe: processes for assessing, identifying, and managing material cybersecurity risks (including AI-specific risks); material cybersecurity risks and threats that could materially affect the registrant; whether third-party risk management processes include AI vendors; and board and management oversight of cybersecurity risk. AI-intensive companies should address: third-party AI model provider dependency (OpenAI, Anthropic, AWS Bedrock, Google); AI model integrity risks (adversarial attack, prompt injection, model poisoning); training data security program; and AI systems used in financial reporting that create ICFR exposure. Generic boilerplate without AI-specific content is increasingly inadequate given the prevalence of AI in public company operations.

Board Oversight of AI Cybersecurity Risk

The 10-K must describe the board's role in overseeing cybersecurity risks. For AI-intensive companies, board oversight of AI security should include: the board committee with AI risk oversight responsibility (typically Audit Committee); frequency and depth of AI security briefings to the board; management accountability structure (CISO, CTO, Chief AI Officer) for AI security; and the escalation process from AI security incidents to board-level awareness. Institutional investors and proxy advisors (ISS, Glass Lewis) have increasingly scrutinized the quality of board cybersecurity oversight, including whether directors have relevant AI security expertise. Disclosures about board oversight must accurately reflect actual governance practices — not aspirational descriptions.

SolarWinds Enforcement: Personal CISO Liability and AI Security Disclosure

In October 2023, the SEC charged SolarWinds and its CISO Timothy Brown with fraud and internal control violations for allegedly misleading investors about cybersecurity practices before the SUNBURST attack. The case established that: (1) public cybersecurity disclosures must match internal security assessments; (2) CISOs can be personally named in SEC enforcement actions for misleading disclosures; (3) internal documents showing known security deficiencies while public disclosures claim robust security create fraud exposure. For AI security leaders: 10-K language about AI security practices must accurately reflect what your organization actually does. Known AI security vulnerabilities (model poisoning test failures, known adversarial attack vectors, AI vendor risk that exceeds disclosed risk management capability) that are not disclosed may constitute misleading disclosure.

AI in Financial Reporting: ICFR and SOX Implications

If AI systems generate or materially contribute to financial reporting outputs — revenue recognition models, credit loss estimates, fraud risk scoring, expense classification — those AI systems are part of the internal controls over financial reporting (ICFR) framework. Model drift, adversarial manipulation, or unexpected behavior changes in financial reporting AI could affect the accuracy of reported financials and create material weakness disclosure obligations under SOX Section 302/906. AI teams responsible for financial reporting AI must: include these AI systems in the ICFR scope; document model validation and change control procedures; maintain audit trails of model outputs; and escalate material AI model failures to the CFO and Audit Committee.