PRACTITIONER GUIDE | GOVERNANCE
Practitioner GuideUpdated 13 min read

SEC Cybersecurity Disclosure Rules: Material Incident Reporting and Annual Disclosures

4
Business days from materiality determination (not incident discovery) to file Form 8-K Item 1.05 disclosing a material cybersecurity incident
30 days
Extension granted by DOJ for national security or public safety investigations -- requires agency notification, not self-declared
December 2023
Effective date for large accelerated filers; smaller reporting companies had until June 2024 for incident disclosure rules
10-K Item 1C
Annual form section requiring disclosure of cybersecurity risk management program, governance, and board oversight processes

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The SEC's December 2023 cybersecurity disclosure rules introduced a compliance obligation that most CISOs were not operationally prepared for: a 4-business-day filing deadline from materiality determination. The rule changed incident response from a purely technical exercise into a legal and investor relations event that must run concurrently with forensic investigation. For public company security teams, the practical changes are significant: every major incident now requires a materiality assessment track involving legal counsel and CFO within the first 48 hours, board escalation paths must be pre-established before an incident occurs, and the 10-K annual disclosure must accurately reflect the actual state of your security program rather than aspirational language. This guide covers the operational adjustments security teams need to make.

Build a Materiality Assessment Workflow into Incident Response

The most important operational change is treating materiality assessment as a concurrent process with technical investigation, not a step that happens after the investigation concludes.

Add a materiality assessment gate at the 24-hour incident mark

Update your incident response playbook to include an explicit materiality assessment step at the 24-hour mark for any P1 or P2 incident. The assessment should involve: the CISO presenting known scope and impact to legal counsel and the CFO, a structured evaluation against the four materiality factors (financial impact, operational disruption, data scope, reputational risk), and a documented conclusion (material, not material, or assessment ongoing pending additional investigation). This documentation is the evidence that the company made a good-faith determination without unreasonable delay.

Create a materiality determination template

Work with legal counsel to create a materiality determination template that security teams complete at the 24-48 hour assessment gate. The template should capture: known facts about scope and impact, quantitative impact estimates (even ranges), qualitative impact assessment, factors that would change the determination if discovered, and the legal conclusion. Having a template ensures consistent documentation across incidents and demonstrates a repeatable process to the SEC if a disclosure decision is ever questioned.

Establish the escalation chain before an incident

Document and test the escalation path for SEC disclosure decisions: CISO escalates to General Counsel and CFO, who jointly recommend a disclosure decision to the CEO and Audit Committee Chair. This chain should be exercisable within 4 hours on evenings and weekends -- get personal cell phone numbers, not just work email. Run a tabletop exercise simulating a Friday evening ransomware event to test whether the chain works before an actual incident requires it.

Coordinate with investor relations and communications

8-K filings are public documents visible to all investors, competitors, and threat actors simultaneously. Before filing, brief the investor relations team on the disclosure content so they can prepare for analyst and investor inquiries. Coordinate with communications on any public-facing statement that accompanies or follows the 8-K. Establish in advance who approves the final 8-K language -- typically General Counsel with input from CISO -- and ensure that person is available within the 4-day window.

Structure the Annual 10-K Item 1C Disclosure

Item 1C is an annual opportunity to accurately describe the company's security posture to investors. It should reflect the actual program, not aspirational language -- SEC enforcement has focused on disclosures that described controls the company did not actually have.

Describe your risk assessment process honestly

Item 1C requires describing how you assess, identify, and manage material cybersecurity risks. Write this to reflect what actually happens: if you do annual penetration testing, say that. If you use a third-party MSSP for monitoring, describe their role. If your vulnerability management program has a 30-day SLA for critical patches, state it. Aspirational language describing controls you are working toward implementing is a disclosure risk -- the SEC has cited companies for disclosing security programs that did not match their actual practices.

Describe third-party risk management accurately

The rules specifically require disclosure of how third-party risks are assessed. If you have a vendor security questionnaire program covering your top 50 vendors, say that. If you require SOC 2 Type II reports from SaaS vendors processing sensitive data, include that. If your third-party risk program is nascent, describe it accurately rather than overstating it -- the SEC is looking for honest disclosure, not a perfect program.

Document board oversight structure clearly

Disclose which board committee (Audit Committee is most common) has oversight of cybersecurity risk and how frequently the board is briefed (quarterly is typical). If the full board receives cybersecurity briefings in addition to the audit committee, state that. Describe how management escalates material cybersecurity risks to the board -- through the CISO reporting to the audit committee, through the CEO, or both. The SEC wants evidence that the board has meaningful oversight, not just that cybersecurity is mentioned in board meetings.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Align the CISO Role with SEC Governance Requirements

The SEC rules implicitly require that the CISO have appropriate seniority and access to fulfill the governance obligations the rules contemplate.

Establish a direct CISO-to-board reporting path

The CISO should have a standing slot on the audit committee agenda, typically quarterly, to report on material cybersecurity risks and program status. This does not require the CISO to report administratively to the board -- it means the CISO has direct communication access for risk escalation. Document this relationship in the corporate governance charter and reference it in the 10-K Item 1C disclosure as evidence of board-level cybersecurity oversight.

Create a CISO expertise disclosure paragraph

Item 1C allows (but does not require) disclosure of management's relevant cybersecurity experience. If the CISO has certifications (CISSP, CISM) or prior incident response experience relevant to the company's risk profile, disclose this in the 10-K. This builds investor confidence that the company has qualified management overseeing cybersecurity risk. Work with the CISO and legal counsel to draft this paragraph accurately -- overstating credentials or experience is a disclosure risk.

Run annual tabletop exercises that include the board

Conduct at least one annual tabletop exercise that includes board members (or the audit committee) as participants or observers. This gives board members direct exposure to cybersecurity scenarios, fulfills the governance oversight requirement in a demonstrable way, and generates documentation showing the board's active engagement with cybersecurity risk. The scenario should include a materiality determination decision point to specifically test the 8-K disclosure workflow.

The bottom line

The SEC cybersecurity disclosure rules require two specific operational changes: a materiality assessment process that runs concurrently with incident investigation and concludes within days, not weeks; and an annual 10-K disclosure that honestly describes the actual security program rather than aspirational controls. The 4-business-day filing clock from materiality determination is tight enough that preparing the workflow, escalation chain, and legal coordination before an incident is not optional -- the first time you run the process cannot be during the incident itself.

Frequently asked questions

Does the 4-business-day clock start at incident discovery or at materiality determination?

The clock starts at materiality determination, not discovery. The SEC rules explicitly state the disclosure is required within four business days of determining that a cybersecurity incident is material. This distinction is operationally significant: a company can discover an incident, conduct an initial investigation, involve legal counsel to assess materiality, and then begin the 4-day clock from the materiality determination date. However, the SEC has emphasized that companies cannot delay materiality assessments unreasonably to avoid the 4-day window -- the determination must be made without unreasonable delay after sufficient facts are known.

What makes a cybersecurity incident material under the SEC rules?

Materiality uses the standard securities law test: a substantial likelihood that a reasonable investor would consider the information important in making an investment decision. Factors the SEC considers in cybersecurity incidents: quantitative impact (financial losses, revenue interruption costs, ransom payments, remediation costs), qualitative impact (reputational harm to a key product or brand, loss of competitive advantage from IP theft, regulatory penalties), operational disruption (duration and scope of systems offline), and data scope (number of customers or employees affected, sensitivity of data exposed). There is no bright-line dollar threshold -- companies must make a facts-and-circumstances judgment.

Can you delay the 8-K filing for an ongoing incident investigation?

The rules do not provide for a unilateral delay based on ongoing investigation -- once materiality is determined, the 4-day clock runs. The only extension mechanism is the DOJ notification exception: if disclosing the incident would pose a substantial risk to national security or public safety, the company can request a 30-day delay by notifying the Department of Justice. The DOJ must confirm the request; companies cannot self-invoke the exception. A second 60-day extension may be granted by DOJ for national security reasons. This exception is narrow and intended for incidents involving critical infrastructure or law enforcement investigations, not routine ransomware events.

What must the 8-K Item 1.05 disclosure include?

The 8-K must describe: the material aspects of the incident's nature, scope, and timing; and the material impact or reasonably likely material impact on the company. Notably, the rules do not require disclosure of every technical detail -- companies are not required to disclose information that would impede remediation or provide a roadmap for attackers. The disclosure should be factual and specific enough for investors to assess impact without speculating. Companies can and should update the 8-K filing as additional material information becomes known -- amend the original filing rather than filing a new one.

What should the annual 10-K Item 1C cybersecurity disclosure include?

Item 1C requires disclosure of: (1) the company's processes for assessing, identifying, and managing material cybersecurity risks, including how third-party risks are assessed; (2) whether any risks have materially affected or are reasonably likely to materially affect the business; (3) the board of directors' oversight role for cybersecurity risks (which board committee, how often the board is briefed); (4) management's role in assessing and managing cybersecurity risk, including whether the CISO or equivalent reports to the board, and whether management has relevant cybersecurity expertise. The SEC does not prescribe specific security controls -- it requires transparent description of what the company actually does.

How should the CISO and security team change their incident response process to meet SEC requirements?

Three process changes are required: (1) Materiality assessment must be added to the incident response playbook as an explicit phase, involving legal counsel and the CFO for any significant incident -- not just at the end of investigation, but as a concurrent track beginning within 24-48 hours. (2) The CISO must have a direct escalation path to the board (audit committee or full board), bypassing the CEO when necessary, to ensure the board can make the materiality determination with full information. (3) Incident documentation must be designed for dual use: internal investigation and regulatory disclosure -- every timeline entry, scope assessment, and impact estimate may appear in SEC filings.

Do the SEC rules apply to incidents affecting third-party vendors or service providers?

Yes. The rules require disclosure of material incidents regardless of whether the compromise originated at the company or at a third-party vendor. If a SaaS provider, cloud vendor, or IT outsourcer experiences a breach that materially affects the registrant's business, operations, or customers, the registrant must assess and potentially disclose that incident. Companies should update their vendor contract templates to require timely notification of security incidents, and their third-party risk management program should track which vendors, if compromised, could cause a material impact requiring SEC disclosure.

Sources & references

  1. SEC Cybersecurity Risk Management Disclosure Final Rule
  2. SEC Guidance on Cybersecurity Disclosures
  3. Form 8-K Item 1.05 Instructions

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.