SEC 4-Day Disclosure: What Your Team Needs Ready

The SEC 4-day cybersecurity disclosure rule has teeth. Here is what your security team needs ready before an incident forces the question.

Key Takeaways

  • The four-day clock starts at materiality determination, not incident discovery. If your team has never defined what materiality means or who decides it, you will spend those four days figuring that out instead of filing.
  • The SEC is actively reviewing Form 8-K filings and sending comment letters when language is vague or inconsistent with what actually happened. Minimizing a disclosure creates a second liability.
  • Enforcement from 2024 was specific: companies were sanctioned for poor escalation procedures, inaccurate filings, and disclosure controls that did not reach decision-makers in time. These are process failures, not just technical ones.
  • Your Form 10-K requires annual disclosure of your cybersecurity governance and risk management processes. Those disclosures need to reflect a real, documented program, not a summary written before the filing deadline.
  • The companies that handle disclosure well are not the ones with the best legal team on speed dial. They are the ones that built the audit trail, the materiality process, and the cross-functional alignment before they needed it.

Your CISO Needs to Read This Before Your Next Cybersecurity Incident

Flagstar Bank filed a Form 8-K stating it had no evidence of unauthorized customer data access. One day earlier, the company had already confirmed attackers had taken names, addresses, Social Security numbers, and account information. The SEC settled with Flagstar in December 2024 for filing a misleading Form 8-K. The lesson is not that the breach was bad. The lesson is that the disclosure made it worse.

The SEC rule is live, enforcement is real, and your team is either ready or it is not.

What the SEC Rule Actually Requires

The SEC implemented new rules effective December 18, 2023, requiring public companies to disclose material cybersecurity incidents on Form 8-K within four business days. That sounds straightforward. It is not.

The Clock Does Not Start at Discovery

This is the part most teams miss. The four-day deadline is triggered when the company first determines that the incident may have a material impact, not within four days of discovering it. Before the clock starts, your team must complete a materiality assessment. That assessment requires legal, finance, and security to agree on a conclusion, in writing, under pressure. If those teams have never worked through this process together before, four business days will not be enough.

What Has to Be in the Filing

The Form 8-K must describe the nature, scope, and timing of the incident and the material impact or reasonably likely material impact on the company, including its financial condition and results of operations. Vague language is not safe. The SEC has issued comment letters to companies that filed under Item 1.05 while stating the incident had no material impact, asking them to explain why they filed under that item at all. Filing under the wrong item creates its own follow-on problem.

The Annual Form 10-K Obligation

The disclosure requirement does not end with incident filings. Companies must also include periodic disclosures in annual Form 10-K reports about their cybersecurity practices, including risk assessments, third-party risks, and governance structures. Your program needs to be documented year-round. Assembling it before an annual filing, or after a breach, is too late.

Where Most Teams Are Not Ready

Knowing the rule and having a process that can survive it are two different things. The enforcement record from 2024 is specific about where companies failed.

No Clear Materiality Framework

Materiality is a legal and financial concept. It is not something most security teams practice applying under pressure. Cybersecurity materiality assessments demand coordination among legal, finance, and technical leadership to reach a defensible conclusion. If those three groups have never walked through a mock scenario together, the first time they work through it together will be during a real breach, with regulators watching the clock.

No Audit Trail That Can Support a Filing

Filing an accurate Form 8-K means knowing exactly what happened, when it happened, what systems were touched, and what the likely business impact is. The SEC sanctioned R.R. Donnelley and Sons, which agreed to pay $2.1 million to resolve an investigation, partly because the company failed to maintain cybersecurity procedures designed to escalate relevant security alerts to management and disclosure decision-makers in a timely manner. The problem was not that the breach happened. It was that the company could not show what it knew and when it knew it.

Disclosure Language That Creates New Risk

The SEC found that one company negligently made materially misleading misstatements in its Form 8-K by failing to disclose the nature of the code that the attacker exfiltrated and the quantity of encrypted credentials accessed. Minimizing language in a disclosure is not a safe strategy. It is a separate liability.

Real Companies That Learned This the Hard Way

These are not hypothetical scenarios. Here is what the first wave of filings looked like:

  • UnitedHealth Group disclosed the Change Healthcare breach under Item 1.05 in February 2024, with multiple amended Form 8-K filings as the scope of the incident evolved.
  • Flagstar Bank settled with the SEC in December 2024 after filing an inaccurate current report that understated what attackers had actually accessed.
  • R.R. Donnelley and Sons paid $2.1 million over disclosure controls failures tied to a 2021 cyberattack, including inadequate escalation procedures to notify disclosure decision-makers.
  • Intercontinental Exchange, parent company of the New York Stock Exchange, agreed to pay a $10 million penalty related to cybersecurity disclosure failures.

The pattern across all of these cases is the same. The breach happened. The disclosure process failed.

The Four Things Your Team Needs Ready Before an Incident

This is not a compliance checklist for its own sake. These are the four specific gaps that turn a manageable incident into a regulatory problem.

A Materiality Decision Process With Named Owners

Write down who makes the materiality call. Name the people, not just the roles. Define what information they need, where it comes from, and how long the review process should take. Get legal and finance to sign off on the framework before an incident, not during one.

A Complete, Continuous Incident Log

Every action taken during an incident response needs to be automatically captured with a timestamp and a clear rationale. Not assembled after the fact from Slack messages and calendar invites. A real-time, tamper-resistant record that your legal team can review before the Form 8-K goes out. If you cannot reconstruct a clean timeline within hours of an incident being contained, your disclosure will show it.
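To make the timestamp-and-rationale record above concrete, here is an added example (not code from the original post or from Secure.com) of a hash-chained, append-only incident log together with the deadline arithmetic the rule turns on: the four business days run from the entry that records the materiality determination, not from discovery. It assumes business days are Monday to Friday and ignores holidays.

```python
# Added example, not code from the original post or from Secure.com: a
# hash-chained, append-only incident log (timestamp, actor, rationale on
# every entry) and the Form 8-K deadline counted from the materiality
# determination. Assumption: business days are Mon-Fri, holidays ignored.
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64
FIELDS = ("ts", "actor", "action", "rationale", "prev")


def _digest(entry):
    body = {k: entry[k] for k in FIELDS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_entry(log, actor, action, rationale, ts=None):
    """Append an entry that commits to the previous entry's hash (ts: ISO 8601)."""
    entry = {"ts": ts or datetime.now(timezone.utc).isoformat(), "actor": actor,
             "action": action, "rationale": rationale,
             "prev": log[-1]["hash"] if log else GENESIS}
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry["hash"]


def verify_log(log):
    """Recompute the chain; an edited, dropped or reordered entry breaks it."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev or _digest(entry) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def materiality_determined_at(log):
    """Timestamp of the entry recording the materiality call, or None."""
    for entry in log:
        if entry["action"] == "materiality_determined":
            return datetime.fromisoformat(entry["ts"])
    return None


def filing_deadline(determined_at, business_days=4):
    """Four business days after the materiality determination, not discovery."""
    due, remaining = determined_at, business_days
    while remaining > 0:
        due += timedelta(days=1)
        if due.weekday() < 5:  # Monday=0 ... Friday=4
            remaining -= 1
    return due
```

With a constructed log whose materiality entry lands at 5pm on Friday 16 February 2024, `filing_deadline` returns the following Thursday; altering any earlier entry after the fact makes `verify_log` return False.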

Pre-Reviewed Disclosure Language

Draft Form 8-K language with your legal counsel before a real incident requires it. Agree on what the company is willing to say publicly about the nature of a breach, the scope of data exposure, and the likely financial impact. Reviewing that language for the first time while an incident is unfolding guarantees mistakes.

A Tabletop Exercise That Ends in a Filing

Run a tabletop exercise that treats the disclosure process as the output, not just incident containment. Walk through a scenario where a material breach is confirmed at 5pm on a Friday. Ask every team how fast they can produce what the Form 8-K requires. The gaps that surface are exactly the ones that will hurt you for real.

How Secure.com Keeps Your Team Ready Year-Round

SEC disclosure readiness is not a fire drill you run once a year. It is a continuous posture. Secure.com’s Compliance Teammate keeps the evidence current so that when an incident happens, the documentation is already in place.

Most teams scramble after a breach to build the paper trail the SEC expects. Secure.com builds it automatically as part of how your security operations run every day.

  • Automatically captures a timestamped audit trail for every incident action, every alert decision, and every remediation step, with no manual logging required
  • Maps security events to business context so your materiality conversation starts with facts, not guesswork
  • Maintains continuous documentation of your risk management processes and governance structure, so your Form 10-K disclosures reflect current reality
  • Generates compliance reports in minutes with evidence already attached, not assembled under deadline pressure
  • Flags escalation-worthy events in real time so disclosure decision-makers are notified without depending on manual escalation procedures

Conclusion

Four business days looks manageable until you are inside one. The companies that got it wrong in 2024 were not careless. They were unprepared. They did not have a materiality process. Their logs were fragmented. Their disclosure language had not been reviewed. Their legal and finance teams had never practiced alongside the security team in a real breach scenario. None of that is hard to fix. It just has to be done before the incident, not during it.

FAQs

Does the four-day rule apply to every cybersecurity incident a public company experiences?

No. It applies only to incidents that are determined to be material under federal securities law. Many companies are disclosing non-material incidents under Item 8.01 of Form 8-K while reserving Item 1.05 for incidents that meet the materiality threshold. Filing under the wrong item can itself draw SEC scrutiny.

What exactly does “material” mean for a cybersecurity incident?

It follows standard securities law. An incident is material if a reasonable investor would consider it important when making an investment decision. Both financial impact and qualitative factors count, including reputational harm, regulatory exposure, and operational disruption. That is why legal, finance, and security all need to be part of the determination.

What happens if the company does not have all required information within four business days?

If required information is not determined or unavailable at the time of filing, the Form 8-K must say so explicitly. The company must then file an amended Form 8-K when the information becomes available. This is an obligation to update, not permission to delay the initial filing.

Can the disclosure timeline be extended?

Yes, but only in a narrow case. The disclosure can be delayed if the U.S. Attorney General determines that immediate disclosure could pose a substantial risk to national security or public safety. This does not apply to ordinary commercial incidents. Most companies cannot rely on this exception.

Does the SEC expect companies to disclose third-party vendor breaches under Item 1.05?

Several companies affected by the CDK Global outage filed under Item 8.01 while assessing whether the incident was material to their own operations. The key question is impact on your company, not whether the breach originated with a third party. If the operational or financial impact is material to you, the disclosure obligation applies to you.