Cybersecurity incident disclosure
Cybersecurity incident disclosure in Trade and Geopolitical Risk sits at the intersection of two fast-moving enforcement tracks: the U.S. Securities and Exchange Commission's 2023 final rule requiring public companies to report material cyber incidents within four business days on Form 8-K, and the European Union Agency for Cybersecurity's expanding incident reporting mandates under NIS2, which took effect in October 2024. For firms with cross-border supply chains or dual-listed entities, the disclosure timelines and materiality thresholds under these two regimes do not align. Compliance teams are currently working through that gap, particularly where a breach touches trade infrastructure, sanctioned-jurisdiction vendors, or controlled-technology partners.
Watch
- SEC Form 8-K Item 1.05: materiality determination process under active staff scrutiny
- NIS2 Directive 72-hour initial reporting window now enforceable across EU member states
- CISA binding operational directives on federal contractors with commercial trade exposure
- Vendor contract language: does your indemnification clause survive a disclosure-triggered investigation?
Recent material activity in Trade & Geopolitical Risk
- OFAC designates 14 entities linked to Russian defense procurement network
  The Treasury Department's Office of Foreign Assets Control added 14 entities and 6 individuals to the Specially Designated Nationals list for their roles in procuring critical technology components for Russia's defense i…
- BIS adds 22 Chinese semiconductor entities to Entity List for advanced chip diversion
  The Bureau of Industry and Security expanded export controls targeting Chinese semiconductor entities found to be diverting advanced computing chips through third-country intermediaries. New license requirements affect i…