The breach call comes in at 11:47 PM on a Sunday. The CISO is on the line with the head of incident response, your outside counsel is dialing in, and someone in the war room is already asking the question that defines the next ninety-six hours: Is this material?
For public companies in the United States, that question is no longer a leisurely conversation between counsel and the audit committee. Since December 2023, the Securities and Exchange Commission has required registrants to file an Item 1.05 Form 8-K within four business days of determining that a cybersecurity incident is material. Miss the deadline, mischaracterize the incident, or over-disclose under the wrong item, and you can earn a comment letter, a Wells notice, or a securities class action that outlasts the breach itself.
This guide walks through how the rule actually works in 2026 — what triggers the four-business-day clock, how to make the materiality call without unreasonable delay, when the United States Attorney General can buy you time, what Regulation S-K Item 106 demands in your annual 10-K, and the costly mistakes the SEC's first two years of enforcement have made painfully clear.
What the Rule Actually Requires
The SEC's final rule, adopted in July 2023, has two big pieces. The first is incident reporting on Form 8-K. The second is annual disclosure of cybersecurity risk management, strategy, and governance on Form 10-K (or Form 20-F for foreign private issuers).
Item 1.05 of Form 8-K requires a registrant to disclose any cybersecurity incident it has determined to be material. The disclosure must describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant — including on the registrant's financial condition and results of operations. The 8-K is generally due within four business days after the materiality determination is made.
Item 106 of Regulation S-K requires registrants to describe in their annual report:
- Their processes for assessing, identifying, and managing material risks from cybersecurity threats
- Whether any risks from cybersecurity threats, including from prior incidents, have materially affected or are reasonably likely to materially affect them
- The board of directors' oversight of cybersecurity risks (including any responsible board committee)
- Management's role in assessing and managing material cybersecurity risks, including the relevant expertise of the personnel responsible
All registrants — including smaller reporting companies — must tag their cybersecurity disclosures in Inline XBRL for fiscal years ending on or after December 15, 2024.
These two pieces work together. The 10-K describes the program; the 8-K reports the events the program failed to prevent.
The Four-Business-Day Clock Does Not Start When You Discover the Incident
This is the single most misunderstood aspect of the rule. The clock does not start when your SOC alerts on suspicious activity, when you find the malware, when the attacker exfiltrates data, or even when you call your forensics firm. The clock starts when the company determines the incident is material.
That determination must be made "without unreasonable delay" after discovery. The SEC explicitly rejected a fixed timeframe for the materiality determination, recognizing that incident scope and impact often take days or weeks to clarify. But "without unreasonable delay" is also not a license to pause indefinitely while counsel negotiates.
Three practical implications follow:
- You must have a documented process for triaging incidents and escalating them to a materiality determination. If the SEC asks how you reached the determination, you should be able to point to a written incident response playbook, a defined committee that makes the call, and a record of when it met.
- Hiring forensics, calling the FBI, or paying a ransom does not pause the determination clock. The cessation or apparent cessation of the incident — including as a result of a ransomware payment — does not relieve the registrant of the requirement to make a materiality determination.
- You can talk to law enforcement before you decide. A public company may alert government actors at any point in incident response, including before determining materiality, so long as it does not unreasonably delay its internal processes for determining materiality.
What "Material" Means for a Cyber Incident
Materiality under the federal securities laws is the same standard the Supreme Court articulated decades ago in TSC Industries and Basic v. Levinson: information is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision, or if it would have significantly altered the total mix of information available.
The SEC declined to write a cyber-specific materiality test. Instead, registrants must apply the same framework they already apply to operational, financial, and legal risks. The factors that tend to push a cyber incident toward material include:
- Quantitative financial impact: projected lost revenue, remediation costs, ransom payments, regulatory fines, customer reimbursements, insurance recoveries net of self-insured retention, and write-offs of impaired assets
- Qualitative impact: reputation damage, loss of customer trust, harm to a business line, theft of trade secrets, exposure of regulated personal information, disruption to a critical operation, contractual breach exposure, and litigation risk
- Scope: number of customers, employees, or accounts affected; the geographies and regulatory regimes implicated; the duration of the disruption
- Sensitivity of the data: payment card data, protected health information, source code, M&A deal teams' inboxes
- Operational disruption: factory downtime, ERP outage, supply chain interruption, retail point-of-sale failure, claims processing delay
Critically, the rule requires assessing both actual impact and "reasonably likely" impact. A breach where the immediate financial damage looks modest but the regulatory or litigation exposure is severe can still be material. Conversely, a noisy intrusion that triggered no exfiltration and no operational impact may not be — even if it makes for a frightening internal incident report.
The Division of Corporation Finance has publicly emphasized one point: do not lump together unrelated cybersecurity incidents into a single materiality assessment to game the threshold. But you should aggregate related incidents — for example, repeated intrusions by the same threat actor or a series of related events that together produce a material impact.
What Goes in the 8-K — and What Stays Out
Item 1.05 requires registrants to describe:
- The material aspects of the nature, scope, and timing of the incident
- The material impact or reasonably likely material impact on the registrant, including on financial condition and results of operations
Two further provisions matter. First, registrants are not required to disclose specific or technical information about the company's planned response, cybersecurity systems, related networks and devices, or potential system vulnerabilities — anything that would impede the response or remediation of the incident. Second, registrants must amend the original 8-K (using Item 1.05 again) when material information is unavailable at the time of the initial filing and later becomes available. Roughly a third of companies that have filed Item 1.05 disclosures so far have followed up with at least one amendment.
The art is balancing transparency with operational security and litigation exposure. Best practice in 2026:
- State what is known and what is being investigated. Avoid speculation, but do not undersell the impact to make the disclosure look smaller than it is.
- Describe the operational impact concretely. "Took certain systems offline" is more useful than "responded swiftly." "Disrupted order processing for approximately five business days" is more useful than "had a temporary impact."
- Quantify financial impact when you can. Even ranges and "reasonably likely to be material" estimates are better than silence. The SEC sweep in mid-2024 issued comment letters specifically asking companies to expand disclosure of potential material impact beyond financial condition and results of operations.
- Avoid technical detail that does not bear on materiality. Investors do not need to know the CVE number or the specific endpoint detection product that missed the malware.
- Do not state that no material impact has been identified if you have not actually completed that assessment. That language can become its own securities-fraud claim.
The Item 1.05 vs. Item 8.01 Trap
The most common — and most preventable — mistake in the first eighteen months of the rule was filing under Item 1.05 reflexively for every cybersecurity incident, including those the company had not determined to be material or had affirmatively determined were not material.
In May 2024, the Director of the Division of Corporation Finance issued a public statement clarifying that Item 1.05 is for material incidents. If a company chooses to disclose voluntarily — for example, because the incident is in the press, customers are asking, or the company wants to control the narrative — and the materiality determination has not yet been made or has come back negative, the disclosure should go under a different item of Form 8-K, typically Item 8.01 (Other Events).
The reasoning is plain: if every incident lands under Item 1.05, investors lose the ability to distinguish material breaches from routine ones. The label gets diluted, and material disclosures lose their signal.
Three practical rules follow:
- Use Item 8.01 for voluntary disclosure of incidents not yet determined to be material.
- Migrate to Item 1.05 within four business days of any subsequent materiality determination. The new Item 1.05 8-K can cross-reference the earlier Item 8.01 filing.
- Document the materiality determination contemporaneously. Internal memos, committee minutes, and timestamps establish that you made the call deliberately, not by default.
One indicator of the shift: in the year following the May 2024 statement, the share of cybersecurity-related 8-Ks filed under Item 8.01 rather than Item 1.05 grew sharply. Companies that previously used Item 1.05 for everything learned that the SEC was paying attention to the choice of item, not just the content of the disclosure.
When the Attorney General Can Stop the Clock
The rule contains a narrow national security and public safety delay exception. If the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing, the registrant may delay filing the Item 1.05 8-K:
- For an initial period of up to 30 days, plus
- An extended period of up to 30 additional days if the Attorney General reaffirms the determination, plus
- In extraordinary circumstances tied solely to national security, a final period of up to 60 additional days
The Department of Justice and FBI have published procedures for requesting these delays. A few realities to internalize before relying on this exception:
- The DOJ has signaled that delays will be granted rarely. The default expectation is that you file within four business days of materiality.
- The relevant test is whether public disclosure of the incident would threaten public safety or national security — not whether the incident itself is dangerous.
- Requests should go through the FBI as quickly as possible after a materiality determination, not at the end of the four-business-day window. There is real lead time required for DOJ to evaluate a request.
- Coordination with the FBI during incident response is encouraged regardless of whether you ever request a delay — but it does not, by itself, justify pausing the materiality determination.
For most companies, the right operating assumption is that no delay will be granted. The exception exists for genuine national security cases, not as a litigation-management tool.
Regulation FD Lives Alongside Item 1.05
A subtle but consequential point: an 8-K filing is a public, simultaneous disclosure that satisfies Regulation FD. But many of the conversations that happen during incident response — with customers, vendors, regulators, law enforcement, insurers, large enterprise account teams, and even employees — do not.
If a company tells a major customer that the breach affected their data, and that information is material and not yet public, that disclosure can violate Reg FD even though the breach itself has not yet been publicly announced. Once you make the materiality determination, the safe operating assumption is that you have hours to align internal communications with the planned 8-K, not days.
Counsel and IR should script:
- Holding statements for the inbound press calls that will start as soon as the breach becomes visible
- Customer communications that align with the language of the planned 8-K
- Employee communications that do not leak material information ahead of the public filing
- Coordination with insurers and reinsurers, who frequently learn early but should not be tipped to material non-public information
Item 106: The Annual Disclosure That Sets the Stage
A clean Item 1.05 disclosure begins with a credible Item 106 program. The annual disclosure gives investors — and plaintiffs' counsel — a baseline against which to measure your incident response.
A defensible Item 106 disclosure typically describes:
- A formal cybersecurity risk management framework (often anchored in NIST CSF 2.0, ISO 27001, or a similar standard)
- A defined process for identifying threats, including third-party and supply chain risk
- Integration with the broader enterprise risk management program — not a siloed IT function
- Engagement of qualified third parties (assessors, penetration testers, managed detection and response providers, internal audit)
- Board-level oversight by a named committee (typically the audit committee, the risk committee, or in some cases the full board), with documented cadence
- Management responsibility tied to a named role (often CISO), with disclosed relevant expertise (years of experience, certifications, prior roles)
- An honest description of any past incidents that have materially affected or are reasonably likely to materially affect the company
A few subtleties:
- The disclosure must be honest. Aspirational language about a "world-class cybersecurity program" that does not match the company's actual practices is exactly the kind of statement plaintiffs' counsel will scrutinize after a breach.
- The CISO bio matters. Vague phrasing about "extensive experience" is weaker than concrete credentials, prior CISO roles, and security certifications.
- Board oversight should be specific. "The board oversees cybersecurity" is too vague. Identify the committee, describe its meeting cadence, and indicate the kind of materials it reviews.
- Past incidents that were not material at the time may have aggregated into something that now is. Do not omit relevant history.
What the First Two Years Have Taught Us
Through the first eighteen months of mandatory reporting, the SEC's Division of Corporation Finance ran what observers called a "sweep" — issuing comment letters that focused on two specific issues:
- The choice to disclose under Item 1.05 when the incident had not been determined to be material or had been determined not to be material
- The need to expand the discussion of potential material impact beyond financial condition and results of operations to include reputational, operational, customer, regulatory, and litigation dimensions
The second piece bears emphasis. Many initial 8-Ks read narrowly: "the incident is not expected to have a material impact on our financial results." That language can be technically true and substantively misleading if the company is staring down regulatory scrutiny, customer attrition, and class actions. Investors care about the broader picture; the SEC's comments make clear that disclosure should too.
A second pattern: amendments. Roughly one in three companies that filed an Item 1.05 8-K filed at least one amendment, and a meaningful share filed two or more. This is normal and expected. The investigation produces new facts; new facts produce updated disclosure. What is not acceptable is a "we will update if material" promise that never gets followed up.
Building the Operational Playbook
If your company is preparing — or refreshing — its Item 1.05 readiness, the playbook should cover:
Detection-to-determination workflow. Define the SOC escalation path, the legal triage step, the materiality committee composition, and the cadence at which the committee meets during an active incident. Most companies stand up a daily or twice-daily standing meeting from incident detection through resolution.
Materiality committee charter. A small, named group — typically the CFO, General Counsel, CISO, head of investor relations, and a senior business leader — empowered to make the determination. The charter should specify quorum, decision authority, documentation standards, and escalation to the audit committee.
Disclosure templates. Pre-drafted Item 1.05 and Item 8.01 8-K shells, plus customer notification language, holding statements, and FAQ documents. Drafting from scratch under time pressure produces worse disclosure.
Cross-functional tabletop exercises. Annual or semiannual exercises that walk all stakeholders through a hypothetical breach: legal, security, IR, finance, communications, business unit leadership, and the board committee. The exercises should explicitly cover the four-business-day clock.
Vendor and contract dependencies. Outside counsel, forensics, ransomware negotiation, and IR consulting firms should be on retainer with master service agreements signed in advance. Negotiating these contracts during an active incident burns days you do not have.
Cyber insurance coordination. Many policies require notice within tight timelines. Coordinate notice with the materiality determination workflow so that securities disclosure and insurance notice do not collide.
The Cost of Getting It Right — and Wrong
The accounting and compliance cost of this regime is real. A mid-sized public company in 2026 should expect:
- $50,000 to $200,000 in initial program build-out and outside counsel work
- $50,000 to $150,000 per year in ongoing GRC tooling, third-party assessments, and tabletop exercise facilitation
- $150,000 to $500,000 in incident-specific costs for any reportable event (forensics, counsel, communications)
- Potentially seven figures in regulatory fines and class-action exposure for a botched disclosure
Those costs sit across multiple general ledger accounts — professional services, insurance, software subscriptions, internal salaries — and frequently get coded inconsistently, which makes year-over-year comparison and audit committee reporting harder than it should be. Building a clear chart of accounts that segregates cyber risk management spend from other IT and legal costs gives the audit committee the data it needs to oversee the program. It also produces cleaner numbers for the next round of investor due diligence and the next renewal cycle on your cyber insurance policy.
Keep Your Disclosure Records as Auditable as Your Security Controls
A cybersecurity incident response stretches across your security, legal, communications, finance, and accounting functions — and the disclosure record you build during those four business days will be examined by the SEC, your audit committee, your insurers, and quite possibly opposing counsel. The same standard that applies to your security controls applies to your financial records: they should be transparent, timestamped, version-controlled, and reproducible. Beancount.io gives finance teams a plain-text accounting platform that is fully auditable, version-controlled in Git, and ready for the AI-assisted review your future audit committees will expect. Get started for free and see why finance professionals are switching to plain-text accounting for the kind of audit trail modern compliance demands.