The SEC cybersecurity disclosure rules, adopted in July 2023, added Item 1.05 to Form 8-K and Item 106 to Regulation S-K, with parallel amendments to Forms 20-F and 6-K for foreign private issuers. They require publicly traded companies in the United States to disclose material cybersecurity incidents within four business days of determining that an incident is material, and to describe their cybersecurity risk management, strategy, and governance in each annual report. The annual disclosures apply to fiscal years ending on or after December 15, 2023; Item 1.05 incident reporting began on December 18, 2023, with smaller reporting companies given until June 15, 2024. A separate 2024 amendment to Regulation S-P imposes incident response and customer notification duties on broker-dealers, investment companies, and investment advisers. Together these rules change how public companies report cyber risk to investors and the SEC, requiring transparency on incident handling, board oversight, and management's role in the cyber risk program.
The SEC's Division of Enforcement has already signaled active oversight, with early investigations focusing on whether companies filed timely disclosures and accurately described their cybersecurity governance. For US-based organizations, particularly those in the financial sector, compliance with Item 1.05 is no longer optional—it is a core governance and legal obligation that carries significant enforcement risk.
What Are the SEC Cybersecurity Disclosure Rules?
The SEC cybersecurity disclosure rules, adopted on July 26, 2023, represent the most significant expansion of public company reporting obligations in the cybersecurity domain. The rules amend existing SEC regulations to require registrants to disclose material cybersecurity incidents under Item 1.05 of Form 8-K and to provide enhanced annual disclosures about cybersecurity risk management, strategy, and governance under Item 106 of Regulation S-K.
The core components of the rules include:
- Item 1.05 Form 8-K Incident Disclosure: A registrant must disclose any cybersecurity incident it determines to be material within four business days of making that materiality determination. The disclosure must describe the nature, scope, and timing of the incident, as well as its material impact or reasonably likely material impact on the company.
- Item 106 Regulation S-K Annual Risk Management and Governance Disclosure: Registrants must describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, including whether they engage third-party assessors. They must also disclose the board's oversight of cybersecurity risks and management's role in implementing cybersecurity policies.
- Regulation S-P Amendments (a separate rulemaking): In May 2024 the SEC separately amended Regulation S-P, which covers broker-dealers, investment companies, registered investment advisers, and transfer agents. Those firms must maintain a written incident response program for unauthorized access to customer information and notify affected individuals as soon as practicable, and no later than 30 days, after becoming aware of such access. This obligation is distinct from Item 1.05, but a firm that is also an Exchange Act reporting company must satisfy both.
The SEC's stated goal is to provide investors with timely, consistent, and comparable information about cybersecurity risks and incidents. As SEC Chair Gary Gensler stated, "Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors." The rules aim to close a gap where some companies waited weeks or months to publicly disclose significant breaches, leaving investors in the dark.
Key Takeaway: The SEC's four-business-day disclosure clock starts when a company determines materiality—not when the incident is discovered. This distinction is critical for compliance. Companies must have robust incident response and materiality assessment procedures in place to meet this tight timeline. Failure to do so can result in SEC enforcement actions, including fines and reputational damage.
Who Must Comply with Item 1.05?
The SEC cybersecurity disclosure rules apply to all domestic registrants that file periodic reports under the Securities Exchange Act of 1934, including:
- U.S.-based public companies listed on national securities exchanges (NYSE, NASDAQ, etc.)
- Foreign private issuers, through parallel amendments to Form 20-F (annual disclosure) and Form 6-K (incident disclosure); foreign private issuers do not file Form 8-K
- Smaller reporting companies (SRCs), which received an additional 180 days for Item 1.05 compliance (from June 15, 2024); emerging growth companies received no separate extension
- Broker-dealers, investment companies, and registered investment advisers, which fall under the separate Regulation S-P amendments rather than Item 1.05 unless they are also Exchange Act reporting companies
Importantly, the rules do not apply to private companies, state and local governments, or non-profit organizations that do not file SEC reports. However, companies that are wholly owned subsidiaries of public registrants may still be affected if the parent company is required to disclose incidents at the subsidiary level.
Compliance Warning: There is no size-based exemption. Every cybersecurity incident, including a series of related occurrences, must be evaluated for materiality, and a seemingly minor breach at a subsidiary can become material once its effects are assessed across the enterprise. Item 1.05 is reserved for incidents the company has determined to be material: in May 2024 the Director of the SEC's Division of Corporation Finance stated that incidents not yet determined to be material, or determined not to be material, should be disclosed voluntarily under Item 8.01 rather than Item 1.05, so that Item 1.05 filings signal materiality unambiguously. The enforcement risk lies in late, missing, or misleading disclosure, not in disclosing too much under the correct item.
What Is the Four-Business-Day Timeline?
Under Item 1.05, a registrant must file a Form 8-K disclosing a material cybersecurity incident within four business days after the company determines that the incident is material. This timeline begins only after the company completes its materiality assessment—not when the incident is first detected or reported.
The rules define a cybersecurity incident broadly as "an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein." Information systems include third-party systems the registrant uses, so events that fall within this definition include:
- Data breaches involving unauthorized exfiltration, alteration, or destruction of data
- Ransomware attacks that encrypt systems and data
- Denial-of-service attacks that disrupt business operations
- Insider threats involving unauthorized access or misuse of systems
- Supply chain attacks that compromise third-party systems connected to the registrant
The materiality determination itself must be made "without unreasonable delay" after discovery of the incident. The SEC has cautioned that companies cannot hold the materiality assessment open to push back the disclosure clock. The rule sets no fixed deadline for the assessment, but many programs set an internal target (commonly one to two days after the incident is confirmed) so that the determination, and with it the four-business-day clock, cannot be characterized as unreasonably delayed.
What Must Be Included in a Form 8-K Incident Disclosure?
When a company determines a cybersecurity incident is material, the Form 8-K must describe:
- The material aspects of the nature, scope, and timing of the incident
- The material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations
- Where any required information is not yet determined or is unavailable at the time of filing, a statement to that effect, followed by an amendment on Form 8-K/A within four business days after the company determines that information or it becomes available
Elements that appeared in the 2022 proposal, such as remediation status, whether data was stolen or altered, and whether operations were disrupted, were dropped from the final rule. A company may include them where they help explain materiality, but they are not required, and neither is contact information.
Notably, Instruction 4 to Item 1.05 states that a registrant need not disclose specific or technical information about its planned response, its systems and networks, or potential vulnerabilities in such detail as would impede its response or remediation. Companies must still provide enough information for investors to understand why the incident is material. The SEC rejected requests for open-ended delays, although the Attorney General can authorize a limited delay on national security or public safety grounds, as described below.
Because the full scope of a complex incident is often unknown within four business days, the rule anticipates an initial Form 8-K that states which required information is not yet available, followed by a Form 8-K/A within four business days of that information being determined. This staged disclosure is the expected approach for incidents whose investigation outlasts the initial window, and it avoids the alternative of delaying the first filing.
What About Annual Cybersecurity Disclosures?
Beyond incident-specific disclosures, the SEC rules require registrants to provide annual cybersecurity risk management and governance disclosures in their Form 10-K (annual report) or Form 20-F (for foreign private issuers). Item 106 of Regulation S-K requires companies to describe:
- Risk management and strategy: The company's processes for assessing, identifying, and managing material risks from cybersecurity threats, including whether it relies on third-party service providers, its incident response capabilities, and how it integrates cybersecurity into its overall enterprise risk management program
- Governance: The board of directors' oversight of risks from cybersecurity threats, including which board committee or subcommittee, if any, is responsible and the processes by which the board or committee is informed of those risks. The proposal's requirement to disclose board members' cybersecurity expertise was dropped from the final rule, so no board-level expert disclosure is required
- Management's role: How management evaluates and manages cybersecurity risks, including which management positions are responsible, their cybersecurity expertise, their reporting structure to the board, and frequency of reporting
These annual disclosures must be refreshed in each subsequent Form 10-K to reflect changes in the company's cybersecurity program or governance structure. The rule does not prescribe any particular program: Item 106 asks for a description of the registrant's processes, "if any". A company without formal processes must therefore say so rather than describe aspirational ones, and every description must be accurate, since misstatements about security controls and practices have been the basis of the SEC's recent cybersecurity enforcement actions.
What Are the Enforcement Risks for Non-Compliance?
The SEC's Division of Enforcement has made cybersecurity disclosure a priority. Because incidents that predate the rule are not subject to Item 1.05, the actions brought so far rest on the existing antifraud, disclosure controls, and internal accounting controls provisions: the October 2023 complaint against SolarWinds and its CISO over statements about its security program before and after the SUNBURST compromise (most of which a federal court dismissed in July 2024), a June 2024 settlement with R.R. Donnelley over disclosure and internal accounting controls failures surrounding a 2021 ransomware intrusion, and October 2024 settlements with Unisys, Avaya, Check Point, and Mimecast for minimizing the SolarWinds-related intrusions they suffered in their public filings. These cases show the theories the SEC will apply when Item 1.05 filings themselves come under scrutiny.
Potential consequences of non-compliance include:
- Civil monetary penalties ranging from thousands to millions of dollars depending on the severity and duration of the violation
- Cease-and-desist orders requiring corrective actions and ongoing reporting to the SEC
- Disgorgement of profits gained from delayed disclosure (e.g., insider trading or inflated stock prices)
- Shareholder lawsuits under Section 10(b) of the Exchange Act for material misstatements or omissions
- Reputational damage with investors, customers, and regulators
The SEC has also signaled that it will scrutinize whether companies have adequate internal controls and procedures in place to identify incidents and escalate them for materiality assessment. Companies that fail to maintain such controls may face additional charges under the disclosure controls requirement (Exchange Act Rule 13a-15) and the internal accounting controls provision (Exchange Act Section 13(b)(2)(B)), the provisions relied on in the R.R. Donnelley settlement.
Ensure Your Organization Meets SEC Cybersecurity Disclosure Requirements
Navigating Item 1.05 and Regulation S-K compliance requires a coordinated approach across legal, compliance, IT security, and executive leadership. CyberSilo's Compliance Standards Automation platform helps US public companies build the incident response, materiality assessment, and governance frameworks needed to satisfy SEC disclosure obligations. Our ThreatHawk SIEM + SOAR solution provides real-time detection, investigation, and reporting capabilities to accelerate your incident response timeline.
How Do the Rules Apply to Financial Sector Companies?
For companies in the financial sector, the SEC cybersecurity disclosure rules add a further layer of obligation on top of existing regulatory frameworks. Financial institutions already subject to GLBA and the FTC Safeguards Rule, NYDFS Part 500, or SOX ITGC requirements must now reconcile those requirements with the SEC's disclosure mandates.
Key considerations for financial sector registrants include:
- Overlapping incident notification requirements: NYDFS Part 500 requires covered entities to notify the superintendent within 72 hours of a cybersecurity event, while the SEC's four-business-day clock runs on materiality determination. Companies must align their incident response playbooks to satisfy both timelines simultaneously.
- Privacy law intersections: Incidents involving personal financial information may also trigger notification obligations under state breach notification laws (California's breach statute and Massachusetts M.G.L. c. 93H, for example), the GLBA Safeguards Rule (which since May 2024 requires non-bank financial institutions to notify the FTC within 30 days of a breach affecting 500 or more consumers), and, for banks, the interagency guidance on customer notice, in addition to the SEC disclosure requirements.
- Third-party vendor management: Financial sector companies must disclose their processes for assessing third-party cybersecurity risks in their annual SEC disclosures, which aligns with existing regulatory expectations under NYDFS 500 (third-party security requirements) and the FFIEC's IT examination guidance.
- Board expertise: While the SEC does not mandate a board cybersecurity expert, many financial regulators do. For example, NYDFS 500 requires board oversight of cybersecurity programs, and the OCC's heightened standards for large banks expect board-level cybersecurity competence.
CyberSilo's security team can help financial sector organizations develop a unified compliance framework that addresses SEC disclosure rules alongside GLBA, NYDFS 500, SOX ITGC, and other regulatory obligations.
What Are the Challenges with Materiality Assessment?
The most challenging aspect of the SEC's cybersecurity disclosure rules is the materiality assessment itself. Unlike financial materiality (which often hinges on quantitative thresholds like revenue percentages), cybersecurity materiality is inherently qualitative and context-dependent. Factors that influence materiality include:
- Data sensitivity: Exposure of personally identifiable information (PII), protected health information (PHI), trade secrets, or financial account data generally elevates materiality
- Operational impact: Disruption to critical systems, manufacturing operations, or customer-facing platforms
- Legal and regulatory consequences: Potential litigation, regulatory fines, or contractual penalties
- Reputational harm: Loss of customer trust, brand damage, or decreased stock price
- Aggregation of incidents: A series of smaller incidents that, when aggregated, become material
The SEC has explicitly stated that companies cannot use the lack of immediate financial quantification as a reason to delay materiality assessment. Instead, companies must make a qualitative judgment based on the totality of circumstances. This creates a significant administrative burden, as many companies lack the cross-functional processes to quickly evaluate incidents from both a security and business impact perspective.
Best practices include establishing a cross-functional incident response team that includes legal counsel, investor relations, communications, and senior business leadership, all of whom participate in materiality determinations. This team should meet within hours of a significant incident being confirmed to begin the assessment process.
What About Delayed Disclosure for National Security?
The SEC rules include a limited provision for delayed disclosure if the Attorney General of the United States determines that disclosure would pose a substantial risk to national security or public safety. The process for obtaining a delay is:
- Initial request: The registrant contacts the FBI, which the Department of Justice designated as the intake point under guidelines issued in December 2023, promptly after determining materiality, and explains why public disclosure would pose a substantial risk to national security or public safety
- Attorney General determination: The Attorney General must determine that such a risk exists and notify the SEC in writing; the registrant may then delay its Form 8-K for the period specified in that determination, up to 30 days
- Extensions: The Attorney General may extend the delay for up to an additional 30 days and, in extraordinary circumstances, for a final period of up to 60 more days; any delay beyond 120 days in total requires an exemptive order from the SEC
- No automatic delay: Each request is evaluated on its own facts, and unless the registrant receives the Attorney General's determination within the four-business-day window, the filing is due on the ordinary Item 1.05 timetable
This process is designed for genuine national security concerns—not for companies that simply want to avoid negative market reactions. The SEC has made clear that economic harm to the company is not a valid basis for delayed disclosure, as the entire purpose of the rule is to inform investors.
Key Takeaway: The national security delay is intended to be exceptional, and the Attorney General's determination, not the company's own assessment of the incident, controls whether it applies. Most companies should assume they will be required to disclose within four business days of the materiality determination. Attempting to use the delay process to manage market reaction invites additional enforcement action.
How Does the SEC's Rule Relate to Other Incident Reporting Requirements?
The SEC's cybersecurity disclosure rules do not replace or preempt existing incident reporting requirements—instead, they add an additional layer of public notification on top of existing obligations. Key regulatory intersections include:
- CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act): Enacted in 2022, it directs CISA to require covered critical infrastructure entities to report substantial cyber incidents within 72 hours and ransomware payments within 24 hours; those obligations take effect only once CISA's implementing rule, proposed in April 2024, is final. CIRCIA reports go to CISA and are protected from public disclosure, whereas Form 8-K filings are public on EDGAR as soon as they are accepted.
- HIPAA breach notification: Healthcare entities must notify HHS OCR and affected individuals within 60 days of breach discovery. SEC disclosure may be required much sooner if the incident is material to the company's financial condition.
- State data breach laws: All 50 states and DC have data breach notification laws, most with deadlines ranging from "without unreasonable delay" to 30 days. SEC disclosure may trigger public awareness that requires coordinated state notifications.
- FDIC/OCC/FRB requirements: Under the 2021 Computer-Security Incident Notification rule, banking organizations must notify their primary federal regulator as soon as possible, and no later than 36 hours, after determining that a "notification incident" has occurred, meaning an incident that has materially disrupted or is reasonably likely to materially disrupt operations, lines of business, or the stability of the financial sector.
Companies must have a coordinated incident response and legal notification matrix that maps all applicable reporting obligations by jurisdiction, industry, and regulator. CyberSilo's SEC cyber disclosure compliance services help organizations build this matrix and automate notification workflows.
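The overlapping clocks listed above, together with the four-business-day window described earlier under the timeline section, are easy to get wrong by hand: one runs in business days from the materiality determination and only once that determination exists, while the others run in wall-clock hours from each regulator's own trigger. The following example is added here for illustration and is not part of the original article or of any CyberSilo product. It assumes a 2025 US federal holiday calendar (EDGAR is closed on federal holidays), naive Eastern-time timestamps, EDGAR's 5:30 p.m. filing cutoff, and a constructed obligation set whose windows mirror the ones named in this article; the scenario timestamps and the obligation list are illustrative, and a real tool would load the holiday calendar and obligation definitions from counsel-maintained data.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Optional

# Assumed calendar: 2025 US federal holidays. EDGAR does not count federal holidays
# as business days. A production tool would load the calendar for the relevant year.
FEDERAL_HOLIDAYS_2025 = {
    date(2025, 1, 1), date(2025, 1, 20), date(2025, 2, 17), date(2025, 5, 26),
    date(2025, 6, 19), date(2025, 7, 4), date(2025, 9, 1), date(2025, 10, 13),
    date(2025, 11, 11), date(2025, 11, 27), date(2025, 12, 25),
}

# EDGAR filing cutoff: submissions accepted after 5:30 p.m. Eastern receive the next
# business day's filing date, so a due date on a business day means 5:30 p.m. that day.
EDGAR_CUTOFF = time(17, 30)


def is_business_day(d: date, holidays=FEDERAL_HOLIDAYS_2025) -> bool:
    return d.weekday() < 5 and d not in holidays


def add_business_days(start: date, n: int, holidays=FEDERAL_HOLIDAYS_2025) -> date:
    """Date n business days after `start`. The start day itself does not count: for
    Form 8-K the first business day after the triggering event is day one."""
    d, counted = start, 0
    while counted < n:
        d += timedelta(days=1)
        if is_business_day(d, holidays):
            counted += 1
    return d


@dataclass(frozen=True)
class Obligation:
    name: str
    trigger: str                          # "event" (regulator's incident trigger) or "materiality"
    hours: Optional[int] = None           # wall-clock window, e.g. 72
    business_days: Optional[int] = None   # EDGAR-style window, e.g. 4


# Constructed set mirroring the windows named in the article. Each regulator defines its
# own trigger (NYDFS: determination that a cybersecurity event occurred; bank rule:
# determination that a notification incident occurred); here every non-SEC clock shares
# one "event" timestamp, which is a simplification for the example.
OBLIGATIONS = (
    Obligation("SEC Form 8-K Item 1.05", "materiality", business_days=4),
    Obligation("NYDFS Part 500 notice", "event", hours=72),
    Obligation("Bank regulator 36-hour notice", "event", hours=36),
    Obligation("CIRCIA report (pending final rule)", "event", hours=72),
)


def compute_deadlines(event_determined: datetime,
                      materiality_determined: Optional[datetime] = None,
                      obligations=OBLIGATIONS):
    """Return [(name, deadline or None)] sorted earliest first. Clocks that have not
    started (materiality not yet determined) carry None and sort last. All datetimes
    are naive Eastern time."""
    rows = []
    for ob in obligations:
        if ob.trigger == "materiality":
            if materiality_determined is None:
                rows.append((ob.name, None))   # clock has not started yet
                continue
            anchor = materiality_determined
        elif ob.trigger == "event":
            anchor = event_determined
        else:
            raise ValueError(f"unknown trigger {ob.trigger!r}")

        if ob.business_days is not None:
            due_day = add_business_days(anchor.date(), ob.business_days)
            deadline = datetime.combine(due_day, EDGAR_CUTOFF)
        elif ob.hours is not None:
            deadline = anchor + timedelta(hours=ob.hours)
        else:
            raise ValueError(f"{ob.name}: no window defined")
        rows.append((ob.name, deadline))

    rows.sort(key=lambda r: (r[1] is None, r[1] or datetime.max, r[0]))
    return rows


if __name__ == "__main__":
    # Constructed scenario: intrusion confirmed Tue 14 Jan 2025 09:00 ET; the disclosure
    # committee determines materiality Thu 16 Jan 15:00 ET. MLK Day (Mon 20 Jan) is skipped,
    # so the 8-K is due by 5:30 p.m. ET on Thu 23 Jan, after the 36- and 72-hour notices.
    for name, due in compute_deadlines(datetime(2025, 1, 14, 9), datetime(2025, 1, 16, 15)):
        print(f"{name:40s} {due or 'clock not started'}")
```

Two behaviours are worth noting. First, the SEC entry carries no deadline until a materiality timestamp is supplied, which is the right representation of the rule: the clock is not "discovery plus four days" and a tool that pretends otherwise will either alarm too early or, worse, let a team believe the assessment itself can wait. Second, the holiday-aware counter shows why a Thursday determination before a Monday holiday yields a deadline a full week out, while the hour-based regulatory notices are due days earlier; the response playbook should be ordered by this list, not by the SEC window alone.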
What Are the Governance Implications for Boards and Management?
The SEC's rules significantly elevate the governance expectations for both boards of directors and senior management. Under Item 106, registrants must describe:
- Board oversight: Which board committee or individual is responsible for cybersecurity oversight, how the board receives updates, and the frequency of reporting. This means boards cannot simply relegate cybersecurity to a subcommittee without clear disclosure of how it works.
- Management expertise: The registrant must disclose which management positions are responsible for cybersecurity risk management, their specific cybersecurity expertise (including years of experience, certifications, and relevant background), and their reporting structure to the board.
- Risk integration: How cybersecurity risk management is integrated into the company's overall enterprise risk management (ERM) program. Companies that silo cybersecurity from ERM must disclose this approach.
For many companies, these disclosure requirements will drive real changes in governance structure. Boards that previously spent only a few minutes per meeting on cybersecurity must now be able to describe an oversight process that actually operates. Management teams must formalize their cybersecurity leader's position, often a CISO with a defined reporting line to the board or a board committee. Organizations should benchmark their current governance against these expectations before the next annual filing.
What Are the Best Practices for SEC Compliance?
Based on the SEC's enforcement actions and guidance, organizations subject to the rules should implement the following best practices:
Establish a Cross-Functional Incident Response and Disclosure Committee
Create a formal committee that includes the CISO, general counsel, CFO, investor relations head, and the board's audit committee chair. This committee should have a defined charter, meeting schedule (including emergency activation protocols), and escalation path to the CEO and board. The committee must be empowered to make materiality determinations within hours of a significant incident being confirmed.
Develop a Pre-Written Form 8-K Template
Prepare a draft Form 8-K disclosure template that can be quickly customized for different incident types (ransomware, data breach, supply chain, etc.). The template should include placeholder language for each required disclosure element—nature, scope, timing, and impact—so the legal team can rapidly populate it during an active incident. Pre-approve the template through legal and compliance channels to reduce friction during a crisis.
Implement Technical Controls for Incident Detection and Materiality Assessment
Deploy ThreatHawk SIEM + SOAR to provide real-time threat detection, automated incident correlation, and a structured case management workflow that records the timeline of incident discovery, containment, escalation, and materiality assessment. This record provides defensible evidence of the company's decision-making for SEC staff and outside counsel, and reduces the risk of an allegation that the materiality determination was unreasonably delayed.
Conduct Tabletop Exercises Specifically Focused on SEC Disclosure
Run quarterly tabletop exercises that simulate a material cyber incident and walk through the full SEC disclosure timeline. These exercises should test the disclosure committee's ability to make a timely materiality assessment, populate the Form 8-K template, and coordinate with external legal counsel, PR firms, and investor relations. Document the findings and update playbooks accordingly.
Update Board and Management Disclosures Annually
Review and update the Item 106 disclosure in the annual Form 10-K each year, reflecting any changes to the company's cybersecurity program, governance structure, or incident response capabilities. The SEC expects these disclosures to be accurate and current—companies cannot simply copy-paste last year's language if their program has evolved.
Get a Compliance Assessment for SEC Cybersecurity Disclosure Rules
CyberSilo's Compliance Standards Automation platform can assess your current incident response, governance, and disclosure practices against SEC requirements. Our team of former SOC analysts, CISOs, and GRC professionals will review your policies, run a simulated incident through your disclosure process, and deliver a gap analysis with prioritized remediation steps. Schedule your assessment today.
Our Conclusion & Recommendation
The SEC's cybersecurity disclosure rules under Item 1.05 and Regulation S-K Item 106 represent a fundamental shift in how US public companies must communicate cyber risks to investors. With a four-business-day disclosure window from materiality determination, robust annual governance disclosures, and an active SEC enforcement posture, compliance requires a coordinated effort across legal, security, and executive leadership. Organizations that treat these rules as a checklist item rather than a strategic imperative face significant enforcement, litigation, and reputational risk.
CyberSilo recommends that public companies subject to the rules invest in a comprehensive compliance program that integrates incident response automation (via ThreatHawk SIEM + SOAR), cross-functional disclosure committee procedures, and annual governance disclosure updates. Our Compliance Standards Automation platform is specifically designed to help organizations build and sustain these capabilities, with pre-built workflows aligned to SEC requirements and automated materiality assessment tools. Contact our team to schedule a compliance assessment and ensure your organization is prepared for the next incident.
Ready to Strengthen Your SEC Cybersecurity Disclosure Compliance?
Schedule a free, no-obligation consultation with our SEC compliance specialists.
