Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature Regulatory Compliance

SEC Cyber Disclosure Rule: What 2.5 Years of Form 8-K Filings Reveal About Your Response Program Gaps

The SEC's 4-business-day cyber incident disclosure rule has 2.5 years of enforcement history. Here's what the filings and enforcement actions reveal about common materiality determination failures — and how to build a decision protocol that survives SEC scrutiny in 2026.

By Rebecca Leung · July 5, 2026 ·
Table of Contents

TL;DR

  • The SEC’s Item 1.05 Form 8-K rule has been in effect since December 2023 — and 2.5 years of filings and enforcement actions reveal a consistent failure pattern: companies lack a documented, contemporaneous materiality decision process
  • Between December 2023 and early 2025, 54 companies filed 80 cyber-related Form 8-Ks, but only 26 used the material incident provision — the rest filed voluntarily, revealing widespread uncertainty about what “material” actually means
  • The SEC settled enforcement actions against four companies in October 2024 and launched the Cyber and Emerging Technologies Unit (CETU) in February 2025 with specific focus on fraudulent cyber disclosures
  • The 4-business-day clock starts when you determine materiality — not when the incident happens; your incident response program must include a structured materiality decision workflow, not just a technical response playbook

Two and a half years ago, the SEC cybersecurity disclosure rule felt like a future compliance project. Then December 2023 arrived, large accelerated filers had to start disclosing material cyber incidents on Form 8-K within four business days, and every CISO’s Monday morning acquired a new item.

The enforcement picture is sharper now. In October 2024, the SEC settled enforcement actions against four companies for cybersecurity disclosure failures, totaling over $8 million in penalties. Between December 2023 and early 2025, 54 companies filed 80 Form 8-K disclosures related to cybersecurity incidents — but only 26 used the material incident provision, Item 1.05. The remainder filed voluntarily under Item 8.01, revealing widespread institutional uncertainty about what “material” means in practice.

That uncertainty is the real compliance problem. And 2.5 years in, the gap between companies that have built a documented materiality decision process and companies still making judgment calls under pressure is growing — as is the SEC’s ability to evaluate both.


The Rule in Plain English

Item 1.05 of Form 8-K requires registrants to disclose a cybersecurity incident within four business days from the date they determine the incident is material.

Three things embedded in that sentence matter:

The clock starts at determination, not discovery. The SEC requires that the materiality determination be made “without unreasonable delay” after discovering an incident. The four-day filing clock starts from the determination. A company that takes ten days to reach a materiality conclusion when the evidence was available on day two may face scrutiny not just on the filing timeline, but on the determination process itself. What counts as “unreasonable delay” in the determination phase is still developing in enforcement guidance — but the clear signal is that the two clocks (discovery to determination, determination to filing) are both being watched.

“Material” follows securities-law standards. An incident is material if there is a “substantial likelihood that a reasonable investor would consider it important.” Both quantitative factors (financial impact, remediation cost) and qualitative factors (operational disruption, data exposure, customer impact, regulatory consequences, reputational damage, litigation probability) are relevant. The SEC has made clear that companies were over-filing immaterial incidents under Item 1.05; the standard requires genuine business significance.

The initial 8-K doesn’t need to be complete. When national security or law enforcement considerations would make disclosure harmful, the SEC provides for limited delay. More practically, companies can file with the information available at day four and supplement with an amended 8-K as facts develop. The initial disclosure describes the incident’s nature, the date of discovery, and the material aspects known at filing — it doesn’t require quantified damages not yet known. This is important context for companies facing fast-moving incidents: the obligation is timely disclosure of known material facts, not waiting until the full scope is mapped.

Annual disclosures under Item 106 of Regulation S-K — the 10-K requirement — address your cybersecurity governance program, separate from incident-specific events. Item 106 requires a description of your risk management processes, board oversight, and management role. It’s the governance narrative; Item 1.05 is the event reporting.


What Year One of Enforcement Actually Revealed

The SEC’s October 2024 enforcement actions against four companies provided the clearest signal yet about what disclosure failures look like in practice.

One company received findings for “negligently making materially misleading misstatements” in a Form 8-K — the disclosure described the incident but mischaracterized its scope and impact in ways material to investors. The issue wasn’t non-disclosure; it was inaccuracy in what was disclosed.

More broadly, the year-one data showed three consistent patterns:

Immaterial incidents over-disclosed under Item 1.05. Companies hedged, filing Item 1.05 disclosures for incidents the SEC staff viewed as not meeting the materiality threshold. The SEC has signaled that Item 1.05 is for material events — companies should use Item 8.01 for incidents they’re disclosing voluntarily but don’t believe are material. Over-filing under Item 1.05 signals to markets (and the SEC) that you may not have a clear materiality determination process.

Thin materiality documentation. The contemporaneous record of how the materiality determination was made — the documented analysis, who participated, what factors were evaluated, what the conclusion was — was often absent or underdeveloped. When SEC staff reviewed disclosures, many companies couldn’t produce the documentation showing how they reached their conclusion. The analysis existed as a conversation, not a record.

Third-party incident delays. When incidents originated at a vendor or service provider, companies regularly struggled to meet the four-day clock because they were dependent on the vendor’s notification and investigation timeline. Several disclosures were delayed with explanations that the company was still gathering information from its service provider — a structural exposure that vendor contracts need to address before incidents happen, not during them.


The Materiality Problem — Building Your Decision Protocol

The central compliance challenge of the SEC cyber rule isn’t the four-day clock once materiality is determined. It’s making a well-documented materiality determination before the clock runs out.

A documented materiality decision protocol should include:

Step 1 — Incident notification and triage (Day 0 to 1): Define who is notified within what timeframe when a potential cyber incident is identified. The escalation path for potential material incidents should reach legal, the CISO, and the CEO or CFO within hours. The disclosure committee or audit committee chair should be notified before the materiality assessment is complete, not after. Define the threshold for activating the formal materiality assessment process — not every security event triggers it, but the trigger should be documented in advance, not decided ad hoc.

Step 2 — Materiality assessment (Days 1 to 3): Define who conducts the analysis — typically general counsel coordinating input from the CISO, CFO, and relevant business leads. Use a consistent decision framework across each assessment. The factors should include:

FactorQuestions to Address
Financial impactQuantifiable losses, remediation cost estimate, insurance coverage, ransom payment (if any)
Operational disruptionSystems affected, business processes impaired, estimated duration
Data exposureData types, estimated volume, customer notification obligations triggered
Regulatory exposureSector-specific breach notification requirements, GLBA/HIPAA/state law obligations, potential regulatory action
Reputational riskCustomer impact, media probability, contractual breach likelihood
Litigation riskClass action probability, regulatory action probability

Document the analysis in writing as it happens. A post-hoc reconstruction of the analysis is not the same as a contemporaneous record — and in an SEC enforcement context, the difference matters.

Step 3 — Board notification and disclosure decision (Day 3 to 4): Material determinations should be escalated to the disclosure committee (or audit committee chair if there’s no disclosure committee) before the 8-K is filed. The board’s role in cybersecurity oversight is what you described in your last 10-K under Item 106 — that description needs to be consistent with what the board actually does during a material incident.

Step 4 — Filing and ongoing disclosure management: File the initial 8-K with available information. Assign a disclosure coordinator to manage supplemental amendments, law enforcement coordination if the national security carveout is invoked, and coordination with the annual 10-K update on material incidents. The 8-K is often the beginning of a multi-month disclosure management process, not a single filing.


The Third-Party Incident Problem

Most significant cyber incidents in 2026 don’t originate in the affected company’s infrastructure. They arrive through a vendor, a service provider, or a software dependency. This creates a structural problem for four-day disclosure: your materiality clock depends on information you don’t control.

If your payment processor tells you about a breach affecting your customer data on Day 0 but can’t confirm how many records were exposed until Day 8, you cannot complete the materiality analysis without the key facts. The SEC’s practical guidance — file with available information, amend as facts develop — is reasonable, but “available information” requires that your vendor notification protocols are producing useful data on a useful timeline.

What your vendor contracts need to include for SEC disclosure readiness:

Mandatory notification windows: Require vendors to notify you of potential security incidents affecting your data or systems within 24–48 hours of their own detection — not when they’ve completed their investigation. If your vendor’s standard contract gives them 72 hours or five days to notify you, your four-business-day clock is already compressed before you know the incident exists.

Materiality clock trigger provision: Specify contractually that your SEC four-business-day regulatory clock begins running from the moment the vendor confirms an incident affecting your data — not from when they close their investigation or issue a final incident report.

Initial notification content requirements: Define what information must be included in the initial vendor notification: incident nature, systems and data types potentially affected, estimated exposure scope, the vendor’s assessment of whether customer data was involved. A “we had an incident, we’ll let you know more later” notification doesn’t support a materiality determination.

The supply chain cyber incident response framework addresses how to structure third-party incident coordination more broadly. See how to build a supply chain cyber incident response program for financial institutions for the full third-party coordination structure, including contractual provisions and regulatory notification coordination when multiple parties are involved.


What CETU Means for 2026 Enforcement

The SEC’s Cyber and Emerging Technologies Unit launched in February 2025 with explicit focus on fraudulent cybersecurity disclosures — specifically cases where companies knowingly misrepresented their incident posture or understated known threats to investors. This is a shift from technical compliance enforcement (you filed three days late) to securities fraud enforcement (you misled investors about your cybersecurity risk).

CETU’s stated priorities include:

  • Fraudulent disclosure about cybersecurity incidents — knowingly understating scope, concealing known data exfiltration, or misrepresenting likelihood of recurrence
  • Misrepresentation of cybersecurity risk management capabilities in annual 10-K disclosures — claiming governance processes that don’t exist in practice
  • Insider trading around cyber incident disclosure — trading while in possession of material nonpublic information about an incident before the 8-K is filed

For public financial institutions and fintech companies with registered securities, this is no longer an abstract compliance obligation. It’s a fraud risk managed alongside your standard disclosure controls.

The connection to your incident response program is direct: the most effective defense against a CETU enforcement action is a documented, contemporaneous record showing that your materiality determination was made in good faith, by the right people, on the right timeline, using a consistent process — and that the 8-K accurately reflected what your company knew at the time of filing. A technically strong incident response without a documented disclosure decision process leaves the governance layer exposed.

Your incident response plan and breach notification procedures are the operational foundation for that record. The SEC cyber disclosure requirement is the reason both documents need to explicitly include a materiality assessment workflow — not just the technical response steps.


So What? What to Do This Week

Three concrete actions for incident response program owners and general counsels:

Map your materiality decision process with a tabletop. Run a scenario: your CISO reports a significant breach at 9 a.m. Who is in the room by noon? What questions drive the materiality analysis? Who makes the final call, and by when? If the answers are unclear or fragmented across multiple teams who don’t share a common process, you have the gap that year-one enforcement found. Document the process as an operational decision tree, not just an annual policy.

Audit your critical vendor notification SLAs. Pull the contracts for your five highest-risk vendors and find: (a) the incident notification timeline they’re contractually required to meet, (b) what information is required in the initial notification, (c) whether your four-business-day regulatory context appears anywhere. If vendors have 72-hour or five-day windows, you’re starting your clock from a position of structural delay. Contract renewals and vendor oversight reviews are the right time to close these gaps.

Add the SEC materiality workflow to your incident response runbook. The technical response steps — contain, investigate, eradicate, recover — and the disclosure steps — assess materiality, notify the board, file the 8-K — should be parallel tracks in the same runbook, not separate documents owned by separate teams that coordinate under pressure. The CISO and general counsel should both be referenced in the same incident response procedure.

The SEC cybersecurity disclosure rule is 2.5 years old. CETU has enforcement capabilities specifically focused on the quality and accuracy of what you disclose. And 80 publicly filed Form 8-Ks now provide the comparison set for what “reasonable” disclosure looks like. The companies that built their materiality protocols in 2024 are in a different position than those still building them today — but the gap is still closeable.


The SEC’s cybersecurity disclosure guidance and resources cover both Item 1.05 and Item 106 requirements. The Greenberg Traurig 2025 cybersecurity disclosure trends report covers the first-year filing patterns in detail. The Debevoise & Plimpton one-year review provides the 54-company, 80-disclosure data referenced in this post.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

When does the SEC's 4-business-day disclosure clock start?
The clock starts when your company determines the incident is material — not when the incident is discovered, not when the investigation closes. This distinction matters: the SEC requires that the materiality determination itself be made 'without unreasonable delay' following discovery. A company that takes two weeks to reach a materiality conclusion when the key facts were available on day three faces scrutiny not just on the filing timeline, but on the determination process itself.
What makes a cybersecurity incident material under the SEC rule?
Materiality follows the standard securities-law test: a 'substantial likelihood that a reasonable investor would consider it important.' Both quantitative factors (financial impact, remediation cost) and qualitative factors count — operational disruption, data exposure scope, customer impact, regulatory consequences, reputational risk, and litigation probability. The SEC has signaled that companies were over-filing under Item 1.05 for incidents that didn't rise to this standard; the bar requires genuine business significance that investors would need to make informed decisions.
Do we need to disclose ransomware payments in a Form 8-K?
Not automatically. Ransomware attacks that rise to the materiality threshold require 8-K disclosure under Item 1.05. The payment itself isn't separately disclosable unless the payment is independently material to your financial position. The materiality determination applies to the full scope of the incident — the attack, operational disruption, data exposure, and financial consequences — not the payment as a line item.
What's the annual 10-K cybersecurity disclosure requirement and how does it differ from 8-K?
Item 106 of Regulation S-K requires annual disclosures covering: (1) your processes for assessing, identifying, and managing material risks from cybersecurity threats; (2) whether cybersecurity risk is integrated into your overall risk management framework; (3) board oversight of cybersecurity risk; and (4) management's role in assessing and managing cybersecurity risk. This is your governance narrative — separate from incident-specific 8-K disclosures. The annual 10-K describes your program; the 8-K Item 1.05 reports material events within that program.
What is the SEC's Cyber and Emerging Technologies Unit (CETU) and what does it mean for enforcement?
CETU launched in February 2025, led by Laura D'Allaird. It focuses specifically on fraudulent cybersecurity disclosures — cases involving investor harm from misrepresentation, not just technical disclosure failures. CETU priorities include companies that knowingly understated incident scope, misrepresented their cybersecurity posture in 10-K disclosures, and insiders who traded on material nonpublic information about unreported incidents. The shift is from technical compliance enforcement to securities fraud enforcement.
Are private companies and non-reporting fintechs subject to the SEC cyber disclosure requirements?
No — Item 1.05 and Item 106 apply to SEC reporting companies with registered securities. Private companies and non-reporting fintechs face analogous requirements from other sources: state breach notification laws (30-day timelines in California, New York, and others), sector regulators (OCC, FDIC, FINRA, CFPB), the FTC Safeguards Rule notification requirement, and contractual obligations to bank partners. The 4-day SEC clock is specific to public companies; the underlying pressure to have a documented materiality decision process is not.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

Incident Response & Breach Notification Kit

Step-by-step incident response playbooks and breach notification templates for all 50 states.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.