A Year in the Making: Evaluating SEC Cybersecurity Disclosure Rule Compliance Through Public Company Case Studies

Author

Katherine KuliFollow

Date of Graduation

5-2025

Document Type

Thesis

Degree Name

Bachelor of Science

Degree Level

Undergraduate

Department

Accounting

Advisor/Mentor

Bryan, Barry

Abstract

This thesis evaluates public company compliance with the SEC’s 2023 cybersecurity disclosure rule, which mandates that material cybersecurity incidents be reported within four business days via Form 8-K, Item 1.05. Through case studies of UnitedHealth Group, AT&T, and Krispy Kreme, the research assesses firms’ performance across three key areas: materiality determination, timeliness, and the scope and depth of disclosures. Using a structured benchmarking framework based on SEC guidance, the findings reveal inconsistent compliance, with patterns of vague reporting, selective disclosure, and procedural adherence that falls short of regulatory intent. While Krispy Kreme aligned most closely with SEC expectations, UnitedHealth and AT&T demonstrated gaps that raise concerns about transparency and accountability. The analysis suggests that the effectiveness of the new rule relies not only on its structure but also on consistent enforcement and clearer expectations for follow-up reporting.

Keywords

cybersecurity disclosure, cybersecurity, disclosure rules

Citation

Kuli, K. (2025). A Year in the Making: Evaluating SEC Cybersecurity Disclosure Rule Compliance Through Public Company Case Studies. Accounting Undergraduate Honors Theses Retrieved from https://scholarworks.uark.edu/acctuht/64