Feature Regulatory Compliance
SEC Cyber Disclosure Rule: What 2.5 Years of Form 8-K Filings Reveal About Your Response Program Gaps
The SEC's 4-business-day cyber incident disclosure rule has 2.5 years of enforcement history. Here's what the filings and enforcement actions reveal about common materiality determination failures — and how to build a decision protocol that survives SEC scrutiny in 2026.
Table of Contents
TL;DR
- The SEC’s Item 1.05 Form 8-K rule has been in effect since December 2023 — and 2.5 years of filings and enforcement actions reveal a consistent failure pattern: companies lack a documented, contemporaneous materiality decision process
- Between December 2023 and early 2025, 54 companies filed 80 cyber-related Form 8-Ks, but only 26 used the material incident provision — the rest filed voluntarily, revealing widespread uncertainty about what “material” actually means
- The SEC settled enforcement actions against four companies in October 2024 and launched the Cyber and Emerging Technologies Unit (CETU) in February 2025 with specific focus on fraudulent cyber disclosures
- The 4-business-day clock starts when you determine materiality — not when the incident happens; your incident response program must include a structured materiality decision workflow, not just a technical response playbook
Two and a half years ago, the SEC cybersecurity disclosure rule felt like a future compliance project. Then December 2023 arrived, large accelerated filers had to start disclosing material cyber incidents on Form 8-K within four business days, and every CISO’s Monday morning acquired a new item.
The enforcement picture is sharper now. In October 2024, the SEC settled enforcement actions against four companies for cybersecurity disclosure failures, totaling over $8 million in penalties. Between December 2023 and early 2025, 54 companies filed 80 Form 8-K disclosures related to cybersecurity incidents — but only 26 used the material incident provision, Item 1.05. The remainder filed voluntarily under Item 8.01, revealing widespread institutional uncertainty about what “material” means in practice.
That uncertainty is the real compliance problem. And 2.5 years in, the gap between companies that have built a documented materiality decision process and companies still making judgment calls under pressure is growing — as is the SEC’s ability to evaluate both.
The Rule in Plain English
Item 1.05 of Form 8-K requires registrants to disclose a cybersecurity incident within four business days from the date they determine the incident is material.
Three things embedded in that sentence matter:
The clock starts at determination, not discovery. The SEC requires that the materiality determination be made “without unreasonable delay” after discovering an incident. The four-day filing clock starts from the determination. A company that takes ten days to reach a materiality conclusion when the evidence was available on day two may face scrutiny not just on the filing timeline, but on the determination process itself. What counts as “unreasonable delay” in the determination phase is still developing in enforcement guidance — but the clear signal is that the two clocks (discovery to determination, determination to filing) are both being watched.
“Material” follows securities-law standards. An incident is material if there is a “substantial likelihood that a reasonable investor would consider it important.” Both quantitative factors (financial impact, remediation cost) and qualitative factors (operational disruption, data exposure, customer impact, regulatory consequences, reputational damage, litigation probability) are relevant. The SEC has made clear that companies were over-filing immaterial incidents under Item 1.05; the standard requires genuine business significance.
The initial 8-K doesn’t need to be complete. When national security or law enforcement considerations would make disclosure harmful, the SEC provides for limited delay. More practically, companies can file with the information available at day four and supplement with an amended 8-K as facts develop. The initial disclosure describes the incident’s nature, the date of discovery, and the material aspects known at filing — it doesn’t require quantified damages not yet known. This is important context for companies facing fast-moving incidents: the obligation is timely disclosure of known material facts, not waiting until the full scope is mapped.
Annual disclosures under Item 106 of Regulation S-K — the 10-K requirement — address your cybersecurity governance program, separate from incident-specific events. Item 106 requires a description of your risk management processes, board oversight, and management role. It’s the governance narrative; Item 1.05 is the event reporting.
What Year One of Enforcement Actually Revealed
The SEC’s October 2024 enforcement actions against four companies provided the clearest signal yet about what disclosure failures look like in practice.
One company received findings for “negligently making materially misleading misstatements” in a Form 8-K — the disclosure described the incident but mischaracterized its scope and impact in ways material to investors. The issue wasn’t non-disclosure; it was inaccuracy in what was disclosed.
More broadly, the year-one data showed three consistent patterns:
Immaterial incidents over-disclosed under Item 1.05. Companies hedged, filing Item 1.05 disclosures for incidents the SEC staff viewed as not meeting the materiality threshold. The SEC has signaled that Item 1.05 is for material events — companies should use Item 8.01 for incidents they’re disclosing voluntarily but don’t believe are material. Over-filing under Item 1.05 signals to markets (and the SEC) that you may not have a clear materiality determination process.
Thin materiality documentation. The contemporaneous record of how the materiality determination was made — the documented analysis, who participated, what factors were evaluated, what the conclusion was — was often absent or underdeveloped. When SEC staff reviewed disclosures, many companies couldn’t produce the documentation showing how they reached their conclusion. The analysis existed as a conversation, not a record.
Third-party incident delays. When incidents originated at a vendor or service provider, companies regularly struggled to meet the four-day clock because they were dependent on the vendor’s notification and investigation timeline. Several disclosures were delayed with explanations that the company was still gathering information from its service provider — a structural exposure that vendor contracts need to address before incidents happen, not during them.
The Materiality Problem — Building Your Decision Protocol
The central compliance challenge of the SEC cyber rule isn’t the four-day clock once materiality is determined. It’s making a well-documented materiality determination before the clock runs out.
A documented materiality decision protocol should include:
Step 1 — Incident notification and triage (Day 0 to 1): Define who is notified within what timeframe when a potential cyber incident is identified. The escalation path for potential material incidents should reach legal, the CISO, and the CEO or CFO within hours. The disclosure committee or audit committee chair should be notified before the materiality assessment is complete, not after. Define the threshold for activating the formal materiality assessment process — not every security event triggers it, but the trigger should be documented in advance, not decided ad hoc.
Step 2 — Materiality assessment (Days 1 to 3): Define who conducts the analysis — typically general counsel coordinating input from the CISO, CFO, and relevant business leads. Use a consistent decision framework across each assessment. The factors should include:
| Factor | Questions to Address |
|---|---|
| Financial impact | Quantifiable losses, remediation cost estimate, insurance coverage, ransom payment (if any) |
| Operational disruption | Systems affected, business processes impaired, estimated duration |
| Data exposure | Data types, estimated volume, customer notification obligations triggered |
| Regulatory exposure | Sector-specific breach notification requirements, GLBA/HIPAA/state law obligations, potential regulatory action |
| Reputational risk | Customer impact, media probability, contractual breach likelihood |
| Litigation risk | Class action probability, regulatory action probability |
Document the analysis in writing as it happens. A post-hoc reconstruction of the analysis is not the same as a contemporaneous record — and in an SEC enforcement context, the difference matters.
Step 3 — Board notification and disclosure decision (Day 3 to 4): Material determinations should be escalated to the disclosure committee (or audit committee chair if there’s no disclosure committee) before the 8-K is filed. The board’s role in cybersecurity oversight is what you described in your last 10-K under Item 106 — that description needs to be consistent with what the board actually does during a material incident.
Step 4 — Filing and ongoing disclosure management: File the initial 8-K with available information. Assign a disclosure coordinator to manage supplemental amendments, law enforcement coordination if the national security carveout is invoked, and coordination with the annual 10-K update on material incidents. The 8-K is often the beginning of a multi-month disclosure management process, not a single filing.
The Third-Party Incident Problem
Most significant cyber incidents in 2026 don’t originate in the affected company’s infrastructure. They arrive through a vendor, a service provider, or a software dependency. This creates a structural problem for four-day disclosure: your materiality clock depends on information you don’t control.
If your payment processor tells you about a breach affecting your customer data on Day 0 but can’t confirm how many records were exposed until Day 8, you cannot complete the materiality analysis without the key facts. The SEC’s practical guidance — file with available information, amend as facts develop — is reasonable, but “available information” requires that your vendor notification protocols are producing useful data on a useful timeline.
What your vendor contracts need to include for SEC disclosure readiness:
Mandatory notification windows: Require vendors to notify you of potential security incidents affecting your data or systems within 24–48 hours of their own detection — not when they’ve completed their investigation. If your vendor’s standard contract gives them 72 hours or five days to notify you, your four-business-day clock is already compressed before you know the incident exists.
Materiality clock trigger provision: Specify contractually that your SEC four-business-day regulatory clock begins running from the moment the vendor confirms an incident affecting your data — not from when they close their investigation or issue a final incident report.
Initial notification content requirements: Define what information must be included in the initial vendor notification: incident nature, systems and data types potentially affected, estimated exposure scope, the vendor’s assessment of whether customer data was involved. A “we had an incident, we’ll let you know more later” notification doesn’t support a materiality determination.
The supply chain cyber incident response framework addresses how to structure third-party incident coordination more broadly. See how to build a supply chain cyber incident response program for financial institutions for the full third-party coordination structure, including contractual provisions and regulatory notification coordination when multiple parties are involved.
What CETU Means for 2026 Enforcement
The SEC’s Cyber and Emerging Technologies Unit launched in February 2025 with explicit focus on fraudulent cybersecurity disclosures — specifically cases where companies knowingly misrepresented their incident posture or understated known threats to investors. This is a shift from technical compliance enforcement (you filed three days late) to securities fraud enforcement (you misled investors about your cybersecurity risk).
CETU’s stated priorities include:
- Fraudulent disclosure about cybersecurity incidents — knowingly understating scope, concealing known data exfiltration, or misrepresenting likelihood of recurrence
- Misrepresentation of cybersecurity risk management capabilities in annual 10-K disclosures — claiming governance processes that don’t exist in practice
- Insider trading around cyber incident disclosure — trading while in possession of material nonpublic information about an incident before the 8-K is filed
For public financial institutions and fintech companies with registered securities, this is no longer an abstract compliance obligation. It’s a fraud risk managed alongside your standard disclosure controls.
The connection to your incident response program is direct: the most effective defense against a CETU enforcement action is a documented, contemporaneous record showing that your materiality determination was made in good faith, by the right people, on the right timeline, using a consistent process — and that the 8-K accurately reflected what your company knew at the time of filing. A technically strong incident response without a documented disclosure decision process leaves the governance layer exposed.
Your incident response plan and breach notification procedures are the operational foundation for that record. The SEC cyber disclosure requirement is the reason both documents need to explicitly include a materiality assessment workflow — not just the technical response steps.
So What? What to Do This Week
Three concrete actions for incident response program owners and general counsels:
Map your materiality decision process with a tabletop. Run a scenario: your CISO reports a significant breach at 9 a.m. Who is in the room by noon? What questions drive the materiality analysis? Who makes the final call, and by when? If the answers are unclear or fragmented across multiple teams who don’t share a common process, you have the gap that year-one enforcement found. Document the process as an operational decision tree, not just an annual policy.
Audit your critical vendor notification SLAs. Pull the contracts for your five highest-risk vendors and find: (a) the incident notification timeline they’re contractually required to meet, (b) what information is required in the initial notification, (c) whether your four-business-day regulatory context appears anywhere. If vendors have 72-hour or five-day windows, you’re starting your clock from a position of structural delay. Contract renewals and vendor oversight reviews are the right time to close these gaps.
Add the SEC materiality workflow to your incident response runbook. The technical response steps — contain, investigate, eradicate, recover — and the disclosure steps — assess materiality, notify the board, file the 8-K — should be parallel tracks in the same runbook, not separate documents owned by separate teams that coordinate under pressure. The CISO and general counsel should both be referenced in the same incident response procedure.
The SEC cybersecurity disclosure rule is 2.5 years old. CETU has enforcement capabilities specifically focused on the quality and accuracy of what you disclose. And 80 publicly filed Form 8-Ks now provide the comparison set for what “reasonable” disclosure looks like. The companies that built their materiality protocols in 2024 are in a different position than those still building them today — but the gap is still closeable.
The SEC’s cybersecurity disclosure guidance and resources cover both Item 1.05 and Item 106 requirements. The Greenberg Traurig 2025 cybersecurity disclosure trends report covers the first-year filing patterns in detail. The Debevoise & Plimpton one-year review provides the 54-company, 80-disclosure data referenced in this post.
◆ Related template
Incident Response & Breach Notification Kit
Step-by-step incident response playbooks and breach notification templates for all 50 states.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
When does the SEC's 4-business-day disclosure clock start?
What makes a cybersecurity incident material under the SEC rule?
Do we need to disclose ransomware payments in a Form 8-K?
What's the annual 10-K cybersecurity disclosure requirement and how does it differ from 8-K?
What is the SEC's Cyber and Emerging Technologies Unit (CETU) and what does it mean for enforcement?
Are private companies and non-reporting fintechs subject to the SEC cyber disclosure requirements?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
Incident Response & Breach Notification Kit
Step-by-step incident response playbooks and breach notification templates for all 50 states.
◆ Keep reading
Related posts.
Regulatory Compliance
The Fed's Payment Account Proposal: What Fintechs and Digital Asset Firms Need to Know Before the July 27 Comment Deadline
The Federal Reserve proposed a special-purpose Payment Account in May 2026, offering eligible fintechs direct access to Fedwire Funds and FedNow without a bank charter. The comment period closes July 27. Here's who qualifies, what compliance the Fed requires, and why your institution should care even if you're not applying yet.
Jul 7, 2026
Regulatory Compliance
GENIUS Act AML/CFT Compliance: Breaking Down the FinCEN and OFAC Rule That Drops July 18
The FinCEN/OFAC joint proposed rule for stablecoin issuers establishes a full BSA/AML compliance program requirement — SAR filing, CTR filing, CIP, CDD, and OFAC sanctions screening — with a technical wallet-blocking mandate that has no precedent in traditional financial services. Here's what Permitted Payment Stablecoin Issuers and their bank partners need to build.
Jul 4, 2026
Regulatory Compliance
15 Days Until the GENIUS Act Regulatory Deadline: What Stablecoin Issuers Need Before July 18
Six federal agencies must finalize GENIUS Act implementing regulations by July 18, 2026. Here's what the OCC capital floor, FinCEN CIP rules, and the compliance timeline mean for stablecoin issuers right now.
Jul 2, 2026