SEC Cybersecurity Disclosure Rule: What's Material, How to File, and Lessons from Early Enforcement
TL;DR:
- The SEC’s cybersecurity disclosure rules took effect in September 2023, with Form 8-K Item 1.05 incident reporting required from December 2023 for most registrants. A material incident must be disclosed within four business days of the materiality determination, not of discovery.
- In December 2024, the SEC settled with Flagstar Bank over a 2021 Form 8-K that claimed “no evidence of unauthorized access” to customer information, filed the day after the company learned attackers had exfiltrated customer names, Social Security numbers and account information.
- In October 2024, the SEC settled with four SolarWinds customers: Unisys, Avaya, Check Point ($995K) and Mimecast ($990K), all for incident disclosures that understated what the companies already knew about the SolarWinds-related intrusions.
- The materiality determination process needs to be cross-functional, documented in real time, and consistent. If your legal team is making the call alone three weeks after your security team knew the scope, that’s a process failure.
Flagstar Bank filed a Form 8-K on January 25, 2021 stating that it had “no evidence of unauthorized access to customer information.” The day before filing, the company had learned that attackers exfiltrated sensitive customer data — names, addresses, Social Security numbers, and account information. In December 2024, the SEC settled enforcement charges with Flagstar over that disclosure.
This is the version of the SEC cybersecurity disclosure rule that practitioners need to understand. Not the rule’s text. The enforcement pattern. What’s getting companies in trouble isn’t filing too late — it’s filing something that doesn’t reflect what the company actually knew.
What the Rule Actually Requires
The SEC adopted its cybersecurity disclosure rules on July 26, 2023. The rules became effective on September 5, 2023; Form 8-K Item 1.05 compliance began on December 18, 2023 for most registrants, with smaller reporting companies given until June 15, 2024. There are two distinct disclosure obligations:
Incident disclosure (Form 8-K Item 1.05): If a cybersecurity incident is determined to be material, the company must file within four business days of that determination. The disclosure must describe the material aspects of the incident’s nature, scope and timing, and the material impact or reasonably likely material impact on the registrant. The rule does not require specific technical detail about the planned response, the affected systems or potential vulnerabilities where that detail would impede response or remediation; the obligation is about investor-relevant scope and impact, not a technical post-mortem.
Annual disclosure (Form 10-K): Every year, companies must describe their cybersecurity risk management processes, board oversight of cyber risk, and management’s role in assessing and managing material cybersecurity risks.
A third category emerged through May 2024 SEC staff guidance: voluntary non-material disclosure under Form 8-K Item 8.01. Companies were over-filing under Item 1.05, disclosing incidents that didn’t meet the materiality threshold. SEC Division of Corporation Finance Director Erik Gerding clarified that Item 1.05 should be reserved for material incidents — using it for non-material incidents creates ambiguity and potentially misleads investors about the significance of the event.
The Four-Business-Day Clock: When Does It Start?
This is the question every legal and compliance team is wrestling with, and the answer isn’t “four days after discovery.”
The clock starts when the company determines that an incident is material. The determination must happen without unreasonable delay after discovery. The SEC’s rule explicitly doesn’t allow companies to sit on an incident, delay the materiality assessment, and then claim the clock hasn’t started.
In practice, this means the sequence matters:
- Security team discovers or is notified of an incident
- Initial triage and scope assessment begins — is this a confirmed breach? What systems and data are involved?
- Escalation to disclosure committee / cross-functional response team
- Materiality assessment: quantitative + qualitative factors evaluated, documented
- If material → Form 8-K Item 1.05 within four business days of step 4
The gap between discovery and determination is where companies create risk. An investigation that takes three weeks before anyone evaluates materiality may be defensible if the scope wasn’t clear. One where the security team knew the scope in 72 hours and legal didn’t evaluate materiality for two weeks is harder to defend.
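The sequence above is easy to state and easy to get wrong in practice, because the four-day window is counted in business days and runs from the determination, while the defensibility question is about the gap before it. The following helper is an added example for this page, not an SEC tool or any company's process: it computes the Item 1.05 deadline (and, using the same function, the deadline for an amendment once new information becomes available) and flags a discovery-to-determination gap that exceeds an internal threshold. The holiday list is a constructed 2025 calendar, the exclusion of weekends and federal holidays is an assumption to confirm against the SEC's own filing calendar, and the ten-business-day threshold is a hypothetical internal trigger, not something the rule specifies.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed for this example: U.S. federal holidays as observed in 2025.
# Assumption: business days exclude Saturdays, Sundays and SEC-observed federal
# holidays. A real compliance calendar should supply this set for each year.
FEDERAL_HOLIDAYS_2025 = {
    date(2025, 1, 1),    # New Year's Day
    date(2025, 1, 20),   # Martin Luther King Jr. Day
    date(2025, 2, 17),   # Washington's Birthday
    date(2025, 5, 26),   # Memorial Day
    date(2025, 6, 19),   # Juneteenth
    date(2025, 7, 4),    # Independence Day
    date(2025, 9, 1),    # Labor Day
    date(2025, 10, 13),  # Columbus Day
    date(2025, 11, 11),  # Veterans Day
    date(2025, 11, 27),  # Thanksgiving Day
    date(2025, 12, 25),  # Christmas Day
}

# Form 8-K Item 1.05: four business days from the materiality determination,
# and the same window for an amendment once new information becomes available.
FILING_WINDOW_BUSINESS_DAYS = 4


def is_business_day(d: date, holidays: set) -> bool:
    return d.weekday() < 5 and d not in holidays


def add_business_days(start: date, n: int, holidays: set) -> date:
    """Date that is n business days after start; start itself is day zero."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if is_business_day(d, holidays):
            n -= 1
    return d


def business_days_between(start: date, end: date, holidays: set) -> int:
    """Business days in the half-open interval (start, end]."""
    count, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if is_business_day(d, holidays):
            count += 1
    return count


def filing_deadline(trigger: date, holidays: set) -> date:
    """Last filing day. trigger is the determination date for the original
    Item 1.05 8-K, or the date new information became available for an 8-K/A."""
    return add_business_days(trigger, FILING_WINDOW_BUSINESS_DAYS, holidays)


@dataclass
class IncidentTimeline:
    discovered: date
    materiality_determined: Optional[date] = None
    filed: Optional[date] = None


def review_timeline(t: IncidentTimeline, today: date, holidays: set,
                    max_determination_gap: int = 10) -> list:
    """Findings a disclosure committee would want on the record.
    max_determination_gap is a hypothetical internal threshold; the rule itself
    only requires the determination 'without unreasonable delay'."""
    findings = []
    if t.materiality_determined is None:
        gap = business_days_between(t.discovered, today, holidays)
        if gap > max_determination_gap:
            findings.append(f"no materiality determination after {gap} business days; document why")
        return findings
    gap = business_days_between(t.discovered, t.materiality_determined, holidays)
    if gap > max_determination_gap:
        findings.append(f"discovery-to-determination gap of {gap} business days exceeds internal threshold")
    deadline = filing_deadline(t.materiality_determined, holidays)
    if t.filed is None:
        if today > deadline:
            findings.append(f"Item 1.05 filing overdue; deadline was {deadline.isoformat()}")
        else:
            findings.append(f"Item 1.05 due by {deadline.isoformat()}")
    elif t.filed > deadline:
        late = business_days_between(deadline, t.filed, holidays)
        findings.append(f"filed {late} business day(s) late")
    return findings


if __name__ == "__main__":
    # A determination made on Friday 2025-01-17 lands its deadline on 2025-01-24,
    # because the following Monday is a federal holiday.
    print(filing_deadline(date(2025, 1, 17), FEDERAL_HOLIDAYS_2025))
    t = IncidentTimeline(date(2025, 1, 3), date(2025, 1, 17))
    print(review_timeline(t, today=date(2025, 1, 21), holidays=FEDERAL_HOLIDAYS_2025))
```

The holiday effect is the point of the first check: a Friday determination gives you until the following Friday when Monday is a federal holiday, and until Thursday when it is not. The gap check is deliberately an internal threshold rather than a legal line, which is exactly how the text frames it: the rule asks for no unreasonable delay, and the only way to show that is to record when the scope was known and when the determination was made.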
Materiality: Both Quantitative and Qualitative
The Supreme Court’s definition of materiality — “substantial likelihood that a reasonable investor would consider it important” — applies. What the SEC cybersecurity rules add is specific guidance on the qualitative factors that matter in a cyber context.
The SEC’s adopting release points to six dimensions, quantitative and qualitative, that companies should evaluate:
| Factor | Examples |
|---|---|
| Financial performance | Direct costs, lost revenue, remediation expenses |
| Operations | Business disruption, system downtime, service degradation |
| Reputation | Customer trust, brand damage, public disclosure |
| Customer/business relationships | Customer churn, contract terminations, partner concerns |
| Competitive harm | Stolen IP, exposed trade secrets, market positioning |
| Litigation and regulatory exposure | Class actions, regulatory investigations, state AG actions |
An incident doesn’t have to be financially large to be material. An attack that exposed 1,000 customer records may be immaterial at a large bank. The same attack at a small fintech with 5,000 customers and a bank partner asking about data security could be highly material to investor decision-making.
The cross-functional nature of this assessment is the point. Security teams know what happened technically. Finance knows the dollar exposure. Legal understands the regulatory and litigation landscape. Disclosure committees exist specifically because no single function has complete visibility into all six dimensions.
Enforcement Actions: What Actually Went Wrong
Flagstar Bank: The “No Evidence” Problem
The Flagstar case is the clearest illustration of what the SEC is looking for. The settlement involved a 2021 incident, before Item 1.05 existed, so the SEC brought charges under the securities laws’ general antifraud and reporting provisions against materially misleading disclosures rather than under the cybersecurity rule itself. The standard it applied is the same one the rule now makes explicit: the filing has to match what the company knew.
Flagstar’s 8-K stated: “no evidence of unauthorized access to customer information.” The company knew, at the time of filing, that attackers had exfiltrated customer names, addresses, Social Security numbers, and account information. The statement wasn’t a preliminary assessment that turned out to be wrong. It was a characterization of the incident that directly contradicted information the company possessed.
The lesson for disclosure teams: the question isn’t whether you have complete certainty about incident scope. You won’t. The question is whether your disclosure accurately reflects what you know at the time of filing — and flags what remains under investigation.
Avaya, Check Point, Mimecast, Unisys: SolarWinds Follow-On
In October 2024, the SEC charged four companies with making materially misleading disclosures related to the SolarWinds Orion compromise and related threat activity. All four were SolarWinds customers affected by the nation-state supply chain attack disclosed in December 2020.
The disclosure failures varied by company but shared a pattern: incident disclosures that minimized the actual scope of attacker access.
Avaya disclosed that a limited number of emails had been accessed. The SEC found the company improperly omitted that the threat actor (attributed to a nation-state) had unmonitored access to Avaya’s systems for an extended period, accessed at least 145 shared files — some containing confidential or proprietary information — and that the compromised mailbox belonged to a member of Avaya’s own cybersecurity team.
Check Point and Mimecast received civil penalties of $995,000 and $990,000 respectively. The charges related to disclosures that described the incidents in terms that the SEC found inconsistent with the companies’ internal knowledge of the threat actor’s access and impact.
R.R. Donnelley & Sons: Internal Controls Failure
In June 2024, R.R. Donnelley agreed to pay $2.125 million over its handling of a 2021 ransomware intrusion. The charges were about controls rather than the content of any filing: the SEC alleged failures in disclosure controls and procedures and in internal accounting controls. Alerts from the company’s security vendor were not adequately reviewed or escalated, and cybersecurity information did not reach the personnel responsible for SEC filings in time to inform them. That is a structural gap in the incident response process, not a drafting error in an 8-K.
Building a Defensible Materiality Determination Process
Given the enforcement pattern, here’s what a defensible process looks like:
Cross-functional team with defined roles. Materiality isn’t a legal determination alone. Your incident materiality process needs security/IT (scope of compromise), finance (quantitative impact), and legal/disclosure counsel (securities law application) in the room at the same time. Document who participated and when.
Pre-defined escalation thresholds. Don’t wait for ambiguity. Establish criteria that automatically trigger a materiality assessment: any confirmed exfiltration of customer PII, any ransomware deployment affecting production systems, any third-party vendor breach affecting your systems. This gets the right people engaged before anyone has time to minimize the situation.
Contemporaneous documentation. This is the enforcement lesson. Document what you knew at each point in the investigation timeline, not just what you knew when the 8-K was filed. The rule anticipates that some information will not be determined or available at filing time: when it becomes available, file an amendment (Form 8-K/A under Item 1.05) within four business days. State clearly in the original filing what is still under investigation, and don’t try to make early disclosures look complete in retrospect.
Aggregation monitoring. A series of low-level incidents may be individually immaterial but collectively material. The SEC’s guidance specifically calls out the need to monitor whether related occurrences may cross the materiality threshold collectively. Your process should track related events.
Delay exception documentation. The only delay the rule allows is narrow: the U.S. Attorney General must determine that immediate disclosure would pose a substantial risk to national security or public safety and notify the SEC in writing. The initial delay is up to 30 days and can be extended. A request from law enforcement to hold off because disclosure would hinder an investigation does not, by itself, qualify, and neither do business concerns or an incomplete investigation. If you do pursue the exception, document the request, the Attorney General’s determination, and the basis for your decision to seek it.
What Your 10-K Cybersecurity Disclosures Should Actually Say
The annual Form 10-K disclosures are where many companies are underperforming. Boilerplate language about cybersecurity risk — “we face cybersecurity threats that could materially harm our business” — doesn’t meet the standard for a meaningful disclosure of risk management processes.
The 10-K cybersecurity section needs to describe:
- Risk identification and assessment: How does the company identify and assess material cybersecurity risks? Who is responsible?
- Processes and frameworks: What frameworks (NIST CSF, ISO 27001, CIS Controls) does the company apply?
- Third-party risk: How does the company oversee cybersecurity risk from third-party vendors and service providers?
- Board oversight: What is the board’s or board committee’s role in overseeing cybersecurity risk?
- Management expertise and role: Does management or the disclosure committee include cybersecurity expertise? Who assesses and manages cybersecurity risk day-to-day?
Greenberg Traurig’s 2025 SEC cybersecurity disclosure trend analysis found that disclosure quality varies significantly across registrants. Companies with the most defensible disclosures treat the 10-K section as a genuine description of how cybersecurity risk is managed — not a litigation disclaimer.
So What?
The SEC cybersecurity disclosure rule has been in force long enough now that “we didn’t know what was required” isn’t an explanation regulators will accept. The enforcement actions make the expectations clear: disclose what you know, don’t minimize scope, and build a process that gets the right information to your disclosure team without unreasonable delay.
The harder lesson from the enforcement pattern is that the problem isn’t usually ignorance of the rule. It’s organizational friction — security teams that don’t escalate promptly, disclosure processes that route through too many layers before anyone asks “is this material?”, and incident characterizations that get softened between the security team and the final 8-K.
Fixing that requires more than a policy. It requires a defined process, trained teams, and a culture where accurate disclosure is treated as an operational priority rather than a reputational risk to be managed.
If you’re building or updating your incident response program to meet SEC disclosure requirements, the Incident Response & Breach Notification Kit includes incident classification frameworks, notification decision trees, regulatory reporting timelines, and documentation templates designed for the speed and rigor the rule demands.
For the intersection of cybersecurity and business continuity planning, see Cyber Resilience and Business Continuity: Building a Unified Response Framework. For a baseline incident response planning framework, Incident Response Plan Template: What Every Fintech Needs covers the NIST phases, escalation tiers, and documentation requirements. And if AI systems are in scope for your incident response program, AI Incident Response Plan: Model Failure Playbook covers the specific failure modes and notification considerations for AI-related incidents.
Sources:
- SEC: Charges Four Companies With Misleading Cyber Disclosures (October 2024)
- SEC: Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (July 2023)
- SEC Director Gerding: Disclosure of Cybersecurity Incidents Determined To Be Material (May 2024)
- Greenberg Traurig: SEC Cybersecurity Disclosure Trends — 2025 Update
- Known Trends: First Year of Form 8-K Cybersecurity Incident Filings
Related Template
Incident Response & Breach Notification Kit
Step-by-step incident response playbooks and breach notification templates for all 50 states.
Frequently Asked Questions
When must a public company file a Form 8-K for a cybersecurity incident?
How does the SEC define a material cybersecurity incident?
What is the difference between Form 8-K Item 1.05 and Item 8.01 for cybersecurity disclosures?
What enforcement actions has the SEC brought under the cybersecurity disclosure rules?
What should companies document during the materiality determination process?
What are the annual cybersecurity disclosure requirements under the SEC rules?
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.