The SEC's cybersecurity disclosure rules, which took effect in December 2023 for large accelerated filers and June 2024 for smaller reporting companies, have introduced two new obligations that are reshaping how public companies evaluate and manage their IT service providers.
First, material cybersecurity incidents must be disclosed on Form 8-K within four business days of a materiality determination. Second, companies must describe their cybersecurity risk management strategy, governance, and board oversight in annual 10-K filings.
Neither requirement mentions IT service providers by name. Both affect them directly.
The four-day clock changes incident response math
Before the SEC rule, breach disclosure timelines varied by state — typically 30 to 90 days, with some states allowing even longer. A four-business-day window for material incidents compresses the timeline dramatically and puts pressure on every link in the incident response chain.
For MSPs and MSSPs serving public companies, this means:
- Detection speed matters more. If the service provider doesn't detect an incident promptly, the client can't start the materiality determination clock, which delays disclosure and creates regulatory risk.
- Communication protocols need pre-definition. The provider needs a documented escalation path to the client's legal and executive team — not just the IT department — because materiality determinations involve legal judgment, not just technical assessment.
- Forensic capability is now table stakes. The client needs enough information within days (not weeks) to assess whether an incident is material. Providers who can deliver preliminary forensic findings within 48 hours have a structural advantage.
The SEC didn't regulate IT service providers. It regulated their clients' obligations in a way that makes provider capability a board-level concern.
Annual disclosures put vendor management under a spotlight
The 10-K cybersecurity disclosure requirement asks companies to describe their processes for assessing, identifying, and managing material cybersecurity risks — including risks arising from third-party service providers.
In the first round of annual filings under the new rule, several patterns have emerged:
- Companies are naming specific categories of third-party risk, including cloud infrastructure providers, managed security services, and IT support vendors
- Board-level cybersecurity oversight descriptions frequently reference vendor risk management programs
- Some filers describe specific due diligence procedures for evaluating IT service providers, including SOC 2 requirements and incident response capability assessments
For IT service providers, this creates a new dynamic in the sales process. Prospective clients aren't just evaluating whether a provider can deliver services — they're evaluating whether the provider's security posture is something their board can defend in a public filing.
What public company clients are now asking
MSPs and cybersecurity providers serving public companies report a noticeable shift in procurement questionnaires since the rule took effect. Common new questions include:
| Question category | What the client needs |
|---|---|
| Incident notification timeline | Written commitment to notify within hours, not days |
| Forensic capability | In-house or retained forensic capacity with defined response SLAs |
| Compliance attestations | Current SOC 2 Type II or equivalent, updated annually |
| Board reporting | Ability to provide executive-level incident summaries suitable for board communication |
| Insurance | Cyber liability coverage with limits appropriate to the client's risk profile |
The competitive implications
The SEC rules are creating a dividing line in the IT services market. Providers with mature security practices, current compliance attestations, and documented incident response capabilities are gaining access to public company clients. Providers without these assets are being screened out earlier in the evaluation process.
This isn't limited to large enterprises. Smaller public companies — which now face the same disclosure requirements as their larger counterparts — are applying the same vendor scrutiny, often with less internal expertise to evaluate responses.
For MSPs positioning themselves to serve this market segment, the investment in SOC 2 certification, formalized incident response procedures, and executive-level reporting capability isn't just a compliance exercise. It's a market access requirement.
For businesses evaluating IT providers
If your company files with the SEC, your IT service provider's incident response capability is now part of your disclosure obligation. Ask how fast they can detect, escalate, and provide forensic findings — and get the answer in writing before you sign.