SEC 4-Day Disclosure: Building the Response Process Your Board Needs to See

Four business days to disclose a material breach. Here is the response process your board needs ready before an incident happens.

Key Takeaways

  • The SEC rule requires public companies to file a Form 8-K under Item 1.05 within four business days of determining a cybersecurity incident is material. The clock starts at the materiality determination, not at discovery.
  • Materiality is not defined by a dollar amount alone. An incident is material if a reasonable investor would consider it important when making an investment or voting decision. That includes operational shutdowns, reputational harm, and theft of trade secrets.
  • The materiality determination itself must happen without unreasonable delay after discovery. Companies cannot sit on an incident to avoid starting the clock.
  • Board oversight of cybersecurity is now a required annual disclosure in Form 10-K. This is no longer an optional governance conversation.
  • Companies that wait for a breach to figure out their process will miss the window. The response playbook, escalation chain, and communication channels need to exist before any incident occurs.

What the SEC Rule Actually Requires

When the SEC adopted its cybersecurity disclosure rule in July 2023, it changed the compliance calculus for every public company in the United States. The rule has two parts that matter for this conversation.

  • First, any material cybersecurity incident must be disclosed on Form 8-K under Item 1.05 within four business days of the company determining that the incident is material. Not four days from discovery. Four days from the materiality call.
  • Second, annual Form 10-K filings must now include disclosure on the company’s cybersecurity risk management strategy and board oversight of cyber risk.

Both requirements are fully in force. Smaller reporting companies came under the 8-K requirement in June 2024. There is no longer a grace period for any public registrant.

The practical implication is that companies can no longer treat cyber incident response as purely an IT or security operations problem. The moment a breach crosses the materiality threshold, it becomes a securities law issue with a very short clock.

The Materiality Question Is Where Most Companies Get Stuck

Before the four-day window opens, someone has to make the materiality call. That determination has to happen without unreasonable delay. Companies that take weeks to assess whether an incident is material before filing are exposed to SEC scrutiny even before they file anything.

How the SEC Defines Material

The SEC applies the same materiality standard used across federal securities law: an incident is material if there is substantial likelihood that a reasonable investor would consider it important in making an investment decision. Critically, that is not limited to financial loss. An incident that shuts down operations, exposes customer records, leaks trade secrets, or damages the company’s market position can all qualify. The SEC has also clarified that both quantitative and qualitative factors must be considered.

An important distinction from the 2024 guidance: companies were initially filing under Item 1.05 for incidents they had already determined were not material, apparently out of caution. The SEC pushed back on this. Item 1.05 is for material incidents only. Immaterial incidents can be disclosed voluntarily under Item 8.01, but they are subject to different content requirements and cannot be treated as substitutes.

Who Makes the Call and How Fast

The materiality determination requires input from legal, finance, security, and executive leadership. That is not a meeting you can schedule without a pre-existing process. If the first time your CISO, general counsel, and CFO are in the same room discussing the incident is after it has already happened, the process is already behind.

Most organizations that have struggled with this rule are not struggling because the incident was ambiguous. They are struggling because the internal decision-making process was never designed to move fast enough. Materiality assessments that would take two weeks in a normal governance cycle need to happen in hours.

Building the Response Process Your Board Needs to See

The board has a direct stake in this. Annual 10-K disclosures now require companies to describe board oversight of cybersecurity risks. That means the board needs to be part of the incident response chain, not just a recipient of the post-incident report.

Define Your Crown Jewels Before an Incident

Materiality is easier to assess when you already know which assets and data types matter most to your operations and your investors. Map your critical systems, your most sensitive data, and the business processes that depend on them before a breach occurs. When an incident happens, the question of whether it affected anything material becomes answerable quickly because the map already exists.

Write the Escalation Chain Now

The response process needs a documented escalation path from initial detection to materiality determination to board notification to legal filing. Every step needs a named owner and a time expectation. Who receives the initial incident alert? Who makes the call to escalate to legal? Who convenes the materiality assessment? Who notifies the board? Who drafts the 8-K? Who approves it? These questions need answers before the incident, not during it.

Secure Your Communication Channels

A detail that gets overlooked in breach planning: corporate email and Slack may be compromised during an active incident. Filing a Form 8-K while the attackers are still in your network, using communication tools they may be reading, is a real risk. Incident response communications with the board and legal counsel should use a separate, isolated channel that is established and tested before an incident. This is not paranoia. It is basic operational security for high-stakes communications.

Pre-Write Your Templates

The four-day window does not leave time for drafting from scratch. Legal and communications teams should prepare template language for Form 8-K Item 1.05 filings before any incident occurs. The templates should cover the required content: the nature of the incident, its scope and timing, and its material or reasonably likely material impact. During an incident the templates get tailored to the specific facts; the structure and the legal framing should already exist.

Run a Tabletop Exercise

The response process is only as good as the team’s ability to execute it under pressure. A tabletop exercise that simulates a material breach, runs the team through the materiality assessment, tests the escalation chain, and produces a draft 8-K filing is the best way to find gaps before they matter. Most companies that run these exercises discover at least one gap in their escalation path that would have caused them to miss the window.

How Secure.com Supports SEC Disclosure Readiness

Getting to a four-day disclosure requires evidence, not just process. Secure.com’s Compliance Teammate gives security and compliance teams the incident data, documentation, and audit-ready records they need to support a fast materiality determination and a clean filing.

Secure.com supports SEC disclosure readiness by:

  • Maintaining continuous incident detection and case management so that the timeline of discovery, scope, and affected assets is documented in real time rather than reconstructed after the fact.
  • Generating audit-ready evidence of your cybersecurity risk management program, which directly supports the annual Form 10-K disclosure requirements on governance and risk management strategy.
  • Providing board-level dashboards that give leadership a current view of security posture, making the board oversight disclosure a reflection of an actual ongoing process rather than a compliance exercise.
  • Logging all remediation actions, escalation events, and response timelines automatically, giving legal and GC teams the incident documentation needed to support the 8-K filing without a manual evidence scramble.
  • Supporting materiality scoping by mapping affected assets to business criticality designations defined in advance, so the materiality assessment can move at the speed the rule requires.