
SEC Cybersecurity Disclosure Rules Explained (Item 1.05)


📅 Published: June 2026 🔐 Cybersecurity • Financial • USA ⏱️ 2,200 words

The SEC cybersecurity disclosure rules, codified in Item 1.05 of Form 8-K and Item 106 of Regulation S-K (with parallel changes to Forms 6-K and 20-F for foreign private issuers), require public companies in the United States to disclose material cybersecurity incidents within four business days of determining that an incident is material, and to describe their cybersecurity risk management, strategy, and governance every year. Item 1.05 reporting began on December 18, 2023 for most registrants and on June 15, 2024 for smaller reporting companies; the Item 106 annual disclosures apply to fiscal years ending on or after December 15, 2023. The framework changes how public companies report cyber risk to investors and the SEC by mandating transparency on incident response, board oversight, and management's role in cyber risk programs.

The SEC's Division of Enforcement has already signaled active oversight, with early investigations focusing on whether companies filed timely disclosures and accurately described their cybersecurity governance. For US-based organizations, particularly those in the financial sector, compliance with Item 1.05 is no longer optional—it is a core governance and legal obligation that carries significant enforcement risk.

What Are the SEC Cybersecurity Disclosure Rules?

The SEC cybersecurity disclosure rules, adopted on July 26, 2023, represent the most significant expansion of public company reporting obligations in the cybersecurity domain. The rules amend existing SEC regulations to require registrants to disclose material cybersecurity incidents under Item 1.05 of Form 8-K and to provide enhanced annual disclosures about cybersecurity risk management, strategy, and governance under Item 106 of Regulation S-K.

The rules have two core components. Item 1.05 of Form 8-K is the incident component: a current report describing a material cybersecurity incident, due within four business days of the materiality determination. Item 106 of Regulation S-K is the annual component: a description of the company's processes for managing cybersecurity risk, whether prior incidents or threats have materially affected it, and how the board and management oversee that risk, filed each year with the Form 10-K (or Form 20-F).

The SEC's stated goal is to provide investors with timely, consistent, and comparable information about cybersecurity risks and incidents. As SEC Chair Gary Gensler stated, "Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors." The rules aim to close a gap where some companies waited weeks or months to publicly disclose significant breaches, leaving investors in the dark.

Key Takeaway: The SEC's four-business-day disclosure clock starts when a company determines materiality—not when the incident is discovered. This distinction is critical for compliance. Companies must have robust incident response and materiality assessment procedures in place to meet this tight timeline. Failure to do so can result in SEC enforcement actions, including fines and reputational damage.

Who Must Comply with Item 1.05?

The SEC cybersecurity disclosure rules apply to every registrant that files periodic reports under the Securities Exchange Act of 1934: domestic companies reporting on Forms 10-K and 8-K, foreign private issuers reporting on Forms 20-F and 6-K, and smaller reporting companies, which were given until June 15, 2024 to begin Item 1.05 reporting.

Importantly, the rules do not apply to private companies, state and local governments, or non-profit organizations that do not file SEC reports. However, companies that are wholly owned subsidiaries of public registrants may still be affected if the parent company is required to disclose incidents at the subsidiary level.

Compliance Warning: The rules contain no size threshold. Every cybersecurity incident, regardless of apparent scale, must be assessed for materiality, and the definition's reference to a "series of related unauthorized occurrences" means related events are assessed together: a seemingly minor intrusion at a subsidiary can become material when aggregated across the enterprise. At the same time, Item 1.05 is reserved for incidents the company has determined to be material. SEC staff guidance issued in May 2024 asks companies that choose to disclose an incident that is immaterial, or whose materiality has not yet been determined, to do so under Item 8.01 rather than Item 1.05, so that an Item 1.05 filing remains a reliable signal to investors. Failing to disclose a material incident on time remains the primary enforcement risk.

What Is the Four-Business-Day Timeline?

Under Item 1.05, a registrant must file a Form 8-K disclosing a material cybersecurity incident within four business days after the company determines that the incident is material. This timeline begins only after the company completes its materiality assessment—not when the incident is first detected or reported.

The SEC has provided limited guidance on what constitutes an "incident" for reporting purposes beyond the definition in the rule itself. The rules define a cybersecurity incident as "an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein." The phrase "series of related unauthorized occurrences" matters in practice: several small intrusions by the same actor or through the same weakness are assessed together, not one at a time.

The materiality determination itself must be made "without unreasonable delay" after discovery of the incident. The SEC has cautioned that companies cannot artificially delay their materiality assessment to extend the disclosure timeline, and the rule sets no fixed number of days for the assessment itself. Companies should therefore set and document an internal target for an initial materiality assessment once an incident is confirmed, and record the date of the determination, because that is the date from which the four business days are counted.

What Must Be Included in a Form 8-K Incident Disclosure?

When a company determines a cybersecurity incident is material, the Form 8-K disclosure must describe the material aspects of the nature, scope, and timing of the incident, and its material impact or reasonably likely material impact on the company, including on its financial condition and results of operations.

Notably, the rules do not require companies to disclose specific or technical information about their planned response to the incident, or about their systems, networks, or potential vulnerabilities, in such detail that it would impede their response or remediation. Companies must still provide enough information for investors to understand why the incident is material. The SEC rejected requests for an open-ended delay for national security reasons, though the Attorney General can authorize a limited delay on a case-by-case basis (see the delayed-disclosure section below).

Additionally, if any required information is not determined or is unavailable when the initial Form 8-K is due, the company says so in the filing and then files an amendment on Form 8-K/A within four business days after it determines that information. This "disclose as you go" approach is the rule's own mechanism for complex incidents whose full scope is not known within the initial window; it does not extend the deadline for what is already known.
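As an added example (not code from this page or from CyberSilo), the following Python helper computes the Item 1.05 clock described above: the due date runs four business days from the materiality determination rather than from discovery, weekends and SEC holidays are skipped, an amendment gets its own four-business-day clock from the date the missing information is determined, and an Attorney General delay is applied in calendar days to the date the filing was otherwise due. The holiday set, the incident identifiers and dates, and the internal lag threshold are constructed assumptions for the example.

```python
"""Item 1.05 disclosure-clock helper (added example, not the page's own code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption for this example: 2025 federal holidays on which the SEC is closed.
# In practice, maintain this set from the official SEC/EDGAR holiday calendar.
SEC_HOLIDAYS = {
    date(2025, 1, 1), date(2025, 1, 20), date(2025, 2, 17), date(2025, 5, 26),
    date(2025, 6, 19), date(2025, 7, 4), date(2025, 9, 1), date(2025, 10, 13),
    date(2025, 11, 11), date(2025, 11, 27), date(2025, 12, 25),
}

ITEM_105_BUSINESS_DAYS = 4   # Item 1.05: four business days after the determination
AG_DELAY_MAX_DAYS = 120      # 30 days, +30 on extension, +60 in extraordinary cases


def is_business_day(d: date) -> bool:
    """Monday to Friday, excluding SEC holidays."""
    return d.weekday() < 5 and d not in SEC_HOLIDAYS


def add_business_days(start: date, n: int) -> date:
    """Date n business days after start; start itself counts as day zero."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if is_business_day(d):
            n -= 1
    return d


def form_8k_due(determined_on: str, ag_delay_days: int = 0) -> str:
    """Return the ISO date on which the Form 8-K (or an 8-K/A) is due.

    determined_on is the ISO date of the materiality determination (not the
    discovery date); for an amendment, pass the date the missing information
    was determined. An Attorney General delay runs in calendar days from the
    date the filing was otherwise due; beyond 120 days only an SEC exemptive
    order can extend it.
    """
    if not 0 <= ag_delay_days <= AG_DELAY_MAX_DAYS:
        raise ValueError("delay outside the 0-120 day range needs an SEC exemptive order")
    base = add_business_days(date.fromisoformat(determined_on), ITEM_105_BUSINESS_DAYS)
    return (base + timedelta(days=ag_delay_days)).isoformat()


@dataclass
class IncidentRecord:
    """The timeline a disclosure committee keeps for one incident (constructed)."""
    incident_id: str
    discovered_on: str
    determined_material_on: Optional[str] = None
    ag_delay_days: int = 0
    filed_on: Optional[str] = None

    def determination_lag_days(self) -> Optional[int]:
        """Calendar days from discovery to the materiality determination."""
        if self.determined_material_on is None:
            return None
        return (date.fromisoformat(self.determined_material_on)
                - date.fromisoformat(self.discovered_on)).days

    def due_on(self) -> Optional[str]:
        if self.determined_material_on is None:
            return None
        return form_8k_due(self.determined_material_on, self.ag_delay_days)

    def slow_determination(self, threshold_days: int = 14) -> bool:
        """True if the determination took longer than an internal review threshold.

        threshold_days is a governance setting chosen by the company (assumed
        here); the rule itself only says "without unreasonable delay".
        """
        lag = self.determination_lag_days()
        return lag is not None and lag > threshold_days

    def filing_status(self) -> str:
        """'undetermined', 'pending', 'timely', or 'late' (ISO strings compare in date order)."""
        due = self.due_on()
        if due is None:
            return "undetermined"
        if self.filed_on is None:
            return "pending"
        return "timely" if self.filed_on <= due else "late"


if __name__ == "__main__":
    rec = IncidentRecord("INC-2025-0007", "2025-07-01", "2025-07-02", filed_on="2025-07-09")
    print(rec.incident_id, "due", rec.due_on(), rec.filing_status())
```

With the constructed dates, an incident discovered on Tuesday 2025-07-01 and determined material on 2025-07-02 is due on 2025-07-09, because July 4 and the weekend do not count. Counting from discovery instead would give 2025-07-08, one day earlier, which is the mistake the clock-start rule exists to prevent; a 30-day Attorney General delay moves the same filing to 2025-08-08.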

What About Annual Cybersecurity Disclosures?

Beyond incident-specific disclosures, the SEC rules require registrants to provide annual cybersecurity risk management and governance disclosures in their Form 10-K (or Form 20-F for foreign private issuers). Item 106 of Regulation S-K requires companies to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats; whether any risks from cybersecurity threats, including as a result of previous incidents, have materially affected or are reasonably likely to materially affect the company; the board's oversight of cybersecurity risk; and management's role and expertise in assessing and managing that risk.

These disclosures are made each year and must reflect the program as it actually operates at the time of filing. Item 106 does not accept boilerplate: a company either describes its real processes or, if it has none, says so; it cannot imply a program that does not exist, and it cannot reuse a description that no longer matches practice.

What Are the Enforcement Risks for Non-Compliance?

The SEC's Division of Enforcement has made cybersecurity disclosure a priority. In October 2023 it sued SolarWinds and its CISO over statements about the company's security practices before and after the SUNBURST compromise, and in October 2024 it settled charges against four other public companies (Unisys, Avaya, Check Point, and Mimecast) for allegedly misleading disclosures about the impact of that same supply chain attack. Those cases were brought under the pre-existing antifraud and reporting provisions because the conduct predated Item 1.05, but they show the theories the SEC will apply to disclosures made under the new rule. In July 2024 a federal court dismissed most of the SolarWinds claims, including the SEC's internal accounting controls theory, which narrows but does not eliminate the exposure.

Potential consequences of non-compliance include SEC cease-and-desist orders and civil penalties, charges against individual officers, shareholder class actions and derivative suits that use the filing record as evidence, and the reputational damage of a public enforcement action.

The SEC has also signaled that it will scrutinize whether companies have adequate disclosure controls and procedures (Exchange Act Rules 13a-15 and 15d-15) to identify and escalate incidents for materiality assessment. In the SolarWinds case the SEC additionally argued that weak cybersecurity controls violated the internal accounting controls requirement of Exchange Act Section 13(b)(2)(B); the court rejected that theory, holding that the provision reaches accounting controls rather than cybersecurity controls, so disclosure controls are the more durable basis for charges.

Ensure Your Organization Meets SEC Cybersecurity Disclosure Requirements

Navigating Item 1.05 and Regulation S-K compliance requires a coordinated approach across legal, compliance, IT security, and executive leadership. CyberSilo's Compliance Standards Automation platform helps US public companies build the incident response, materiality assessment, and governance frameworks needed to satisfy SEC disclosure obligations. Our ThreatHawk SIEM + SOAR solution provides real-time detection, investigation, and reporting capabilities to accelerate your incident response timeline.

How Do the Rules Apply to Financial Sector Companies?

For companies in the financial sector, the SEC cybersecurity disclosure rules add a layer of public disclosure on top of existing regulatory notification duties. Institutions already subject to the GLBA and FTC Safeguards Rule, NYDFS Part 500, or SOX ITGC requirements must reconcile those obligations with the SEC's disclosure mandates.

Key considerations for financial sector registrants include the mismatch of clocks (NYDFS Part 500 requires notice to the Department within 72 hours of determining that a cybersecurity event has occurred, the federal banking agencies require notice of a significant computer-security incident within 36 hours, and the amended FTC Safeguards Rule requires notice to the FTC within 30 days for events affecting 500 or more consumers, while the SEC's four business days run from the materiality determination); the need for consistency between what is told to a prudential regulator and what is told to investors; and the fact that regulator notifications are confidential whereas a Form 8-K is public.

CyberSilo's security team can help financial sector organizations develop a unified compliance framework that addresses SEC disclosure rules alongside GLBA, NYDFS 500, SOX ITGC, and other regulatory obligations.

What Are the Challenges with Materiality Assessment?

The most challenging aspect of the SEC's cybersecurity disclosure rules is the materiality assessment itself. Unlike financial materiality (which often hinges on quantitative thresholds like revenue percentages), cybersecurity materiality is largely qualitative and context-dependent. The standard is the general securities-law one: an incident is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision. Factors that influence that judgment include the data and systems affected, the duration of any operational disruption, the cost of response and remediation, exposure to litigation and regulatory action, the effect on customer and vendor relationships and on competitiveness, and reputational harm; the adopting release makes clear that harms of these kinds count even when they are hard to quantify.

The SEC has explicitly stated that companies cannot use the lack of immediate financial quantification as a reason to delay materiality assessment. Instead, companies must make a qualitative judgment based on the totality of circumstances. This creates a significant administrative burden, as many companies lack the cross-functional processes to quickly evaluate incidents from both a security and business impact perspective.

Best practices include establishing a cross-functional incident response team that includes legal counsel, investor relations, communications, and senior business leadership, all of whom participate in materiality determinations. This team should meet within hours of a significant incident being confirmed to begin the assessment process.

What About Delayed Disclosure for National Security?

The SEC rules include a limited provision for delayed disclosure if the Attorney General of the United States determines that disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing. Under the Department of Justice's published guidelines, the company contacts the FBI, which coordinates the request for the Attorney General's determination. An initial delay runs for up to 30 days from the date the Form 8-K was otherwise due; it can be extended by up to 30 more days, and in extraordinary circumstances by a further 60 days, for a maximum of 120 days unless the SEC grants an exemptive order.

This process is designed for genuine national security concerns, not for companies that simply want to avoid negative market reactions. The SEC has made clear that economic harm to the company is not a valid basis for delayed disclosure, as the entire purpose of the rule is to inform investors.

Key Takeaway: The SEC's national security delay is narrow and is expected to be granted infrequently. Most companies should assume they will be required to disclose within four business days of the materiality determination. Attempting to use the delay process to manage market reaction can itself become a basis for enforcement action.

How Does the SEC's Rule Relate to Other Incident Reporting Requirements?

The SEC's cybersecurity disclosure rules do not replace or preempt existing incident reporting requirements; they add a public notification on top of them. Key regulatory intersections include state breach notification laws (consumer and attorney general notices, each on its own clock), NYDFS Part 500 for New York financial services licensees (72 hours), the HIPAA Breach Notification Rule for covered entities (60 days), the federal banking agencies' 36-hour incident notification rule, contractual notice obligations to customers and cyber insurers, and law enforcement engagement, which interacts with the Attorney General delay described above. None of these notices substitutes for a Form 8-K, and a Form 8-K substitutes for none of them.

Companies must have a coordinated incident response and legal notification matrix that maps all applicable reporting obligations by jurisdiction, industry, and regulator. CyberSilo's SEC cyber disclosure compliance services help organizations build this matrix and automate notification workflows.

What Are the Governance Implications for Boards and Management?

The SEC's rules significantly elevate the governance expectations for both boards of directors and senior management. Under Item 106(c), registrants must describe the board's oversight of risks from cybersecurity threats, including which board committee or subcommittee is responsible and how the board or committee is informed about those risks; and management's role in assessing and managing material cybersecurity risks, including which management positions or committees are responsible, their relevant expertise, how they are informed of and monitor incidents, and whether they report to the board.

For many companies, these disclosure requirements will drive real changes in governance structure. Boards that previously gave cybersecurity a few minutes per meeting must now be able to describe active oversight. Management must be able to name who is responsible for cybersecurity risk and what their expertise is; the rule does not mandate a CISO or a particular reporting line, but a description that shows no accountable executive and no route to the board reads poorly to investors. The final rule dropped the proposed requirement to disclose cybersecurity expertise on the board itself, although many companies disclose it voluntarily. Organizations should leverage US cybersecurity compliance services to benchmark their current governance against SEC expectations.

What Are the Best Practices for SEC Compliance?

Based on the SEC's enforcement actions and guidance, organizations subject to the rules should implement the following best practices:

1. Establish a Cross-Functional Incident Response and Disclosure Committee

Create a formal committee that includes the CISO, general counsel, CFO, investor relations head, and the board's audit committee chair. This committee should have a defined charter, meeting schedule (including emergency activation protocols), and escalation path to the CEO and board. The committee must be empowered to make materiality determinations within hours of a significant incident being confirmed.

2. Develop a Pre-Written Form 8-K Template

Prepare a draft Form 8-K disclosure template that can be quickly customized for different incident types (ransomware, data breach, supply chain, etc.). The template should include placeholder language for each required disclosure element—nature, scope, timing, and impact—so the legal team can rapidly populate it during an active incident. Pre-approve the template through legal and compliance channels to reduce friction during a crisis.

3. Implement Technical Controls for Incident Detection and Materiality Assessment

Deploy ThreatHawk SIEM + SOAR to provide real-time threat detection, automated incident correlation, and a structured case management workflow that timestamps discovery, escalation, containment, and the materiality determination. That record is the evidence of the company's decision-making process if the SEC staff later asks why the determination took as long as it did, and it reduces the risk of an allegation of "unreasonable delay" in making the determination.

4. Conduct Tabletop Exercises Specifically Focused on SEC Disclosure

Run quarterly tabletop exercises that simulate a material cyber incident and walk through the full SEC disclosure timeline. These exercises should test the disclosure committee's ability to make a timely materiality assessment, populate the Form 8-K template, and coordinate with external legal counsel, PR firms, and investor relations. Document the findings and update playbooks accordingly.

5. Update Board and Management Disclosures Annually

Review and update the Item 106 disclosure in the annual Form 10-K each year, reflecting any changes to the company's cybersecurity program, governance structure, or incident response capabilities. The SEC expects these disclosures to be accurate and current—companies cannot simply copy-paste last year's language if their program has evolved.

Get a Compliance Assessment for SEC Cybersecurity Disclosure Rules

CyberSilo's Compliance Standards Automation platform can assess your current incident response, governance, and disclosure practices against SEC requirements. Our team of former SOC analysts, CISOs, and GRC professionals will review your policies, run a simulated incident through your disclosure process, and deliver a gap analysis with prioritized remediation steps. Schedule your assessment today.

Our Conclusion & Recommendation

The SEC's cybersecurity disclosure rules under Item 1.05 and Regulation S-K Item 106 represent a fundamental shift in how US public companies must communicate cyber risks to investors. With a four-business-day disclosure window from materiality determination, robust annual governance disclosures, and an active SEC enforcement posture, compliance requires a coordinated effort across legal, security, and executive leadership. Organizations that treat these rules as a checklist item rather than a strategic imperative face significant enforcement, litigation, and reputational risk.

CyberSilo recommends that public companies subject to the rules invest in a comprehensive compliance program that integrates incident response automation (via ThreatHawk SIEM + SOAR), cross-functional disclosure committee procedures, and annual governance disclosure updates. Our Compliance Standards Automation platform is specifically designed to help organizations build and sustain these capabilities, with pre-built workflows aligned to SEC requirements and automated materiality assessment tools. Contact our team to schedule a compliance assessment and ensure your organization is prepared for the next incident.

Ready to Strengthen Your SEC Cybersecurity Disclosure Compliance?

Schedule a free, no-obligation consultation with our SEC compliance specialists.
