In July 2023, the SEC adopted final rules on cybersecurity disclosure that took effect in December of that year. Public companies now have to disclose material cybersecurity incidents on Form 8-K within four business days of determining that the incident is material. They also have to describe their cybersecurity risk management, strategy, and governance in their annual 10-K filing.
If your law firm or CPA practice isn’t publicly traded, this rule doesn’t apply to you directly. But if any of your clients are public companies, or if you do work that feeds into a public company’s financial reporting or their cybersecurity disclosures, the rule absolutely reaches you, and most small firms haven’t thought about it.
What changed for private firms serving public clients
The short version is that your public company clients now have affirmative obligations to disclose breaches quickly, and they have to understand their third-party exposure well enough to know when an incident at a vendor or a service provider becomes their problem.
Your firm, if it holds material confidential information about a public company, is one of those third parties.
If your CPA firm is auditing a public company and your firm gets hit with ransomware in the middle of audit season, that’s not just your problem. If the ransomware exposed your client’s draft financial data, that’s potentially a material cybersecurity incident for your client, and the disclosure clock starts ticking on their side. If they have to file an 8-K because of your breach, they need to know about it fast, and they need the information to be accurate.
The SEC’s adopting release is explicit that the materiality determination includes cybersecurity incidents that occur at third parties to whom the company has outsourced services or otherwise provided data. Your firm is a third party in that sense.
Same logic applies if your law firm handles securities work, M&A due diligence, litigation involving public company financial disclosures, or anything else where your firm holds information the public company will eventually have to disclose. A breach at your firm that exposes non-public material information is an event the public company has to evaluate for disclosure.
The practical implications
First, your client engagement letters and retention agreements with public companies are going to start referencing this rule. You’ll see clauses requiring that you notify them within hours (not days, hours) of discovering a security incident affecting their information. You’ll see requirements for specific types of cybersecurity controls. You’ll see audit rights where the client can request documentation of your security posture.
Some of these clauses are already appearing in contracts. More are coming. Firms that can meet those clauses keep their public company work. Firms that can’t, don’t.
Second, your own incident response plan now needs a public-company-notification component. When your firm detects a security incident, the investigation process should immediately identify which clients had data in the affected systems. For clients that are public companies, the notification to them isn’t optional and isn’t slow. Most of the IR firms I’ve worked with have added this step to their standard playbook since the rule took effect, but if your firm’s IR plan still reads the way it did in 2020, it doesn’t account for this.
Third, your firm’s own cybersecurity posture is now part of your due diligence story with public company clients. They can’t include you in their third-party risk management program if you can’t answer questions about your controls. Their outside counsel or audit committee is going to want to see that your firm has MFA, endpoint protection, tested backups, an incident response plan, and a cyber insurance policy. They’ll ask for attestations. Some will ask for SOC 2 reports.
The firms that serve public companies are quietly being pushed into a higher baseline for cybersecurity documentation. Firms that don’t meet the baseline lose clients, and the ones that do lose them end up with quiet conversations at the partner level about why.
The state breach laws haven’t gone away
While the SEC rule has gotten most of the attention, state data breach notification laws have been quietly getting stricter too. Every U.S. state now has a breach notification law. The NCSL maintains a summary of each state’s requirements. Most of them require notification to affected individuals and state attorneys general within defined time windows. Some require notification of specific state agencies. Some impose specific content requirements on the notification letter.
For a law firm or CPA practice with clients in multiple states, a single breach can trigger notification obligations under several different state regimes simultaneously. The clocks aren’t synchronized. Some states give you 30 days. Some give you 60. Some are calendar days. Some are business days. California’s law is particularly specific. Texas, New York, and Massachusetts all have their own quirks.
Your firm’s IR plan has to account for this. When you have a breach involving client data, someone has to figure out which jurisdictions are affected and what each one requires, on a timeline that’s usually shorter than the time it takes to fully investigate the incident.
If you haven’t had this conversation with outside counsel or a breach response firm before an incident, you’re going to have it during an incident, which is the worst time for a complicated legal conversation.
What to actually do
Three things, if you serve public company clients or handle sensitive data in regulated industries.
One. Read your existing client engagement letters. Identify clauses requiring breach notification, specific security controls, or right to audit. Verify that your firm can meet them today.
Two. Update your incident response plan to include a client notification workflow. When a breach happens, the first hours are about containment. The next hours, in parallel, are about figuring out which clients need to be notified and on what timeline.
Three. Have a relationship in place with outside breach counsel and a reputable incident response firm. Most cyber insurance policies include these as panel services. Using them pre-incident to review your plan and your contracts is a lot less expensive than meeting them for the first time at 2 a.m. on the morning of a ransomware attack.
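The client-notification workflow described in step two, and the unsynchronized state clocks from the section above, are easier to reason about as a small deadline calculator. This is an added example, not the author's or any IR firm's playbook: the state rule table, state names, client names and systems are constructed placeholders; only the four-business-day Form 8-K clock comes from the rule itself, and holidays are not modelled.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional
# Constructed placeholder table (days, "calendar"|"business") for the states where
# affected individuals live; the real numbers come from each statute, not from here.
STATE_RULES = {"STATE_A": (30, "business"), "STATE_B": (30, "calendar"),
               "STATE_C": (60, "calendar")}

def add_business_days(start: date, n: int) -> date:
    """Advance n business days, skipping weekends (holidays not modelled)."""
    while n > 0:
        start += timedelta(days=1)
        if start.weekday() < 5:
            n -= 1
    return start

def sec_8k_deadline(materiality_determined: date) -> date:
    """Client-side Form 8-K clock: four business days after the client decides
    the incident is material, which it cannot do before the firm tells them."""
    return add_business_days(materiality_determined, 4)

@dataclass(frozen=True)
class Client:
    name: str
    public_company: bool
    systems: frozenset            # firm systems holding this client's data
    resident_states: frozenset    # states of the individuals in that data
    contract_notice_hours: Optional[int] = None  # engagement-letter window

def notification_deadlines(discovered: datetime, clients, compromised):
    """Every clock the breach starts, soonest first: (deadline, client, duty)."""
    out = []
    for c in (c for c in clients if c.systems & compromised):
        hours = c.contract_notice_hours
        if hours is None and c.public_company:
            hours = 0  # no contract window: notify now so their 8-K analysis can begin
        if hours is not None:
            out.append((discovered + timedelta(hours=hours), c.name, "notice to client"))
        for st in sorted(c.resident_states):
            n, kind = STATE_RULES[st]
            end = (add_business_days(discovered.date(), n) if kind == "business"
                   else discovered.date() + timedelta(days=n))
            out.append((datetime.combine(end, datetime.max.time()), c.name,
                        f"{st} individual notification"))
    return sorted(out)
# Constructed sample incident: Wednesday afternoon discovery hitting DMS and mail.
SAMPLE_DISCOVERED = datetime(2024, 3, 6, 14, 0)
SAMPLE_CLIENTS = [Client("PubCo", True, frozenset({"dms"}), frozenset({"STATE_B"}), 24),
                  Client("PrivCo", False, frozenset({"mail"}), frozenset({"STATE_A", "STATE_C"})),
                  Client("Untouched", True, frozenset({"hr"}), frozenset({"STATE_A"}))]
```

Running `notification_deadlines(SAMPLE_DISCOVERED, SAMPLE_CLIENTS, {"dms", "mail"})` puts the 24-hour contractual notice to the public-company client first and leaves the untouched client out entirely.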
The regulatory environment around breach disclosure is getting more aggressive every year, not less. The SEC rule in 2023 was a significant shift. State laws keep tightening. The FTC Safeguards Rule for non-banking financial institutions had its own updates in 2023. None of this is going away.
The firms that handle this well treat it as operational infrastructure, not as a compliance checkbox. The firms that don’t, end up in the news.
