Clawbacks and Cybersecurity: Two Compliance Tests Boards Must Pass

Procopio, Cory, Hargreaves & Savitch LLP
The U.S. Securities and Exchange Commission (SEC) is now enforcing two initiatives that, taken together, directly test how well boards manage accountability and risk: an executive compensation clawback rule and a set of cybersecurity disclosure requirements. Both are reshaping how public companies approach governance and disclosure. Directors and in-house counsel should understand these requirements and take several concrete steps now to remain in compliance.

Clawback enforcement begins

The SEC's Rule 10D-1, adopted in late 2022 and implemented through exchange listing standards, requires listed companies to recover incentive compensation that was paid on the basis of financial results later found to have been misstated. This is not a misconduct rule; it is a no-fault recovery mandate. If the financials are restated, covered executives must repay the incentive-based compensation they received in excess of what the restated numbers would have produced, even if they had no role in the error.

Which individuals are covered? Current and former executive officers, including the CEO, CFO, principal accounting officer, and any other officer who performs a policymaking function. The recovery window covers the three completed fiscal years immediately preceding the date on which the company is required to prepare the restatement.

Compensation subject to clawback includes performance-based bonuses, equity awards, and other incentive pay tied to reported financial metrics. Fixed salaries and purely discretionary or non-financial bonuses are excluded. A company may forgo recovery only where it is impracticable, for example where the direct cost of recovery would exceed the amount recoverable, and even then it must first make a reasonable attempt to recover and document that attempt.

Big “R” vs. Little “r” restatements

The rule applies to both types of restatements:

  • Big “R”: Material errors that require the company to restate previously issued financial statements, announced through an Item 4.02 Form 8-K and amended prior filings.
  • Little “r”: Errors that are immaterial to prior periods but would be material if left uncorrected in the current period; these are corrected in current reports but still relate to prior periods.

Both trigger recovery because in each case investors relied on inaccurate numbers; the scale of the error and the intent behind it are irrelevant.

New disclosure requirements

Starting with 2025 Form 10-K filings, companies must:

  • Attach their clawback policy as an exhibit.
  • Disclose the date of any restatement and the total compensation subject to recovery.
  • Report aggregate unrecovered amounts outstanding beyond 180 days.
  • Identify any use of impracticability exceptions, such as bankruptcy or cost imbalance.

This is the first year in which boards must actively enforce these policies following financial restatements, and investors will expect evidence of follow-through rather than a policy sitting in an exhibit.

Pay transparency under review

The SEC is also scrutinizing whether lengthy compensation disclosures actually help investors. Following its May 2025 roundtable, regulators signaled that pages of dense tables may obscure the information that matters. Boards should aim for clarity, explaining how pay aligns with performance rather than adding narrative.

Cybersecurity disclosure rules

The other major shift is the SEC's 2023 cybersecurity disclosure regime. It requires public companies to disclose a material cybersecurity incident on Form 8-K (Item 1.05) within four business days of determining that the incident is material, not within four business days of discovering it. The materiality determination itself must be made without unreasonable delay. Disclosure may be postponed only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing.

Annual Form 10-K filings must now describe (under Regulation S-K Item 106):

  • Board oversight and committee structure for cyber risk.
  • Management’s expertise and role in assessing threats.
  • The company’s processes for assessing, identifying, and managing material cybersecurity risks, including its incident-response process, and whether any prior incidents have materially affected the company.

The biggest challenge is materiality. Vague statements (“We take cybersecurity seriously”) provide no value to investors, while overly detailed technical disclosures can hand adversaries a map of the company's weaknesses. The rule does not require technical specifics: an Item 1.05 filing should describe the nature, scope, and timing of the incident and its material impact (or reasonably likely material impact) on the company, not the vulnerability exploited or the state of remediation. Boards must be clear enough for investors and cautious enough to give adversaries nothing useful.

What boards should do now

  1. Update clawback policies. Confirm coverage, calculation method, and enforcement procedures before your next Form 10-K.
  2. Coordinate finance and HR. Ensure incentive plans reference the policy, that finance can actually compute a recovery amount from a restatement, and that the policy is incorporated into written agreements with executives.
  3. Review committee oversight. Determine whether the Compensation Committee or the Audit Committee owns enforcement authority, and record that decision.
  4. Clarify cyber governance. Assign oversight to a committee whose members understand both the operational and the legal implications of an incident, and document how management reports to it.
  5. Rehearse incident response. Decide in advance who makes the materiality determination, on what criteria, and on what timeline, because the four-business-day Form 8-K clock starts at that determination. Tabletop exercises should run all the way through the filing decision.
  6. Align disclosure tone. Governance language in filings should match internal policy reality; a described process that does not exist is itself a disclosure problem.

The common thread

Both the clawback and cybersecurity rules test whether boards are managing accountability, not just documenting it. Compliance failures in either area quickly become governance red flags.

Boards that integrate these rules into routine oversight and communicate their approach transparently will demonstrate what regulators and investors most want to see now: control, credibility, and preparedness.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Procopio, Cory, Hargreaves & Savitch LLP
