SEC Cybersecurity Disclosure Rules: Material Incident Reporting and Annual Disclosures

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
The SEC's December 2023 cybersecurity disclosure rules introduced a compliance obligation that most CISOs were not operationally prepared for: a 4-business-day filing deadline from materiality determination. The rule changed incident response from a purely technical exercise into a legal and investor relations event that must run concurrently with forensic investigation. For public company security teams, the practical changes are significant: every major incident now requires a materiality assessment track involving legal counsel and CFO within the first 48 hours, board escalation paths must be pre-established before an incident occurs, and the 10-K annual disclosure must accurately reflect the actual state of your security program rather than aspirational language. This guide covers the operational adjustments security teams need to make.
Build a Materiality Assessment Workflow into Incident Response
The most important operational change is treating materiality assessment as a concurrent process with technical investigation, not a step that happens after the investigation concludes.
Add a materiality assessment gate at the 24-hour incident mark
Update your incident response playbook to include an explicit materiality assessment step at the 24-hour mark for any P1 or P2 incident. The assessment should involve: the CISO presenting known scope and impact to legal counsel and the CFO, a structured evaluation against the four materiality factors (financial impact, operational disruption, data scope, reputational risk), and a documented conclusion (material, not material, or assessment ongoing pending additional investigation). This documentation is the evidence that the company made a good-faith determination without unreasonable delay.
Create a materiality determination template
Work with legal counsel to create a materiality determination template that security teams complete at the 24-48 hour assessment gate. The template should capture: known facts about scope and impact, quantitative impact estimates (even ranges), qualitative impact assessment, factors that would change the determination if discovered, and the legal conclusion. Having a template ensures consistent documentation across incidents and demonstrates a repeatable process to the SEC if a disclosure decision is ever questioned.
Establish the escalation chain before an incident
Document and test the escalation path for SEC disclosure decisions: CISO escalates to General Counsel and CFO, who jointly recommend a disclosure decision to the CEO and Audit Committee Chair. This chain should be exercisable within 4 hours on evenings and weekends -- get personal cell phone numbers, not just work email. Run a tabletop exercise simulating a Friday evening ransomware event to test whether the chain works before an actual incident requires it.
Coordinate with investor relations and communications
8-K filings are public documents visible to all investors, competitors, and threat actors simultaneously. Before filing, brief the investor relations team on the disclosure content so they can prepare for analyst and investor inquiries. Coordinate with communications on any public-facing statement that accompanies or follows the 8-K. Establish in advance who approves the final 8-K language -- typically General Counsel with input from CISO -- and ensure that person is available within the 4-day window.
Structure the Annual 10-K Item 1C Disclosure
Item 1C is an annual opportunity to accurately describe the company's security posture to investors. It should reflect the actual program, not aspirational language -- SEC enforcement has focused on disclosures that described controls the company did not actually have.
Describe your risk assessment process honestly
Item 1C requires describing how you assess, identify, and manage material cybersecurity risks. Write this to reflect what actually happens: if you do annual penetration testing, say that. If you use a third-party MSSP for monitoring, describe their role. If your vulnerability management program has a 30-day SLA for critical patches, state it. Aspirational language describing controls you are working toward implementing is a disclosure risk -- the SEC has cited companies for disclosing security programs that did not match their actual practices.
Describe third-party risk management accurately
The rules specifically require disclosure of how third-party risks are assessed. If you have a vendor security questionnaire program covering your top 50 vendors, say that. If you require SOC 2 Type II reports from SaaS vendors processing sensitive data, include that. If your third-party risk program is nascent, describe it accurately rather than overstating it -- the SEC is looking for honest disclosure, not a perfect program.
Document board oversight structure clearly
Disclose which board committee (Audit Committee is most common) has oversight of cybersecurity risk and how frequently the board is briefed (quarterly is typical). If the full board receives cybersecurity briefings in addition to the audit committee, state that. Describe how management escalates material cybersecurity risks to the board -- through the CISO reporting to the audit committee, through the CEO, or both. The SEC wants evidence that the board has meaningful oversight, not just that cybersecurity is mentioned in board meetings.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Align the CISO Role with SEC Governance Requirements
The SEC rules implicitly require that the CISO have appropriate seniority and access to fulfill the governance obligations the rules contemplate.
Establish a direct CISO-to-board reporting path
The CISO should have a standing slot on the audit committee agenda, typically quarterly, to report on material cybersecurity risks and program status. This does not require the CISO to report administratively to the board -- it means the CISO has direct communication access for risk escalation. Document this relationship in the corporate governance charter and reference it in the 10-K Item 1C disclosure as evidence of board-level cybersecurity oversight.
Create a CISO expertise disclosure paragraph
Item 1C allows (but does not require) disclosure of management's relevant cybersecurity experience. If the CISO has certifications (CISSP, CISM) or prior incident response experience relevant to the company's risk profile, disclose this in the 10-K. This builds investor confidence that the company has qualified management overseeing cybersecurity risk. Work with the CISO and legal counsel to draft this paragraph accurately -- overstating credentials or experience is a disclosure risk.
Run annual tabletop exercises that include the board
Conduct at least one annual tabletop exercise that includes board members (or the audit committee) as participants or observers. This gives board members direct exposure to cybersecurity scenarios, fulfills the governance oversight requirement in a demonstrable way, and generates documentation showing the board's active engagement with cybersecurity risk. The scenario should include a materiality determination decision point to specifically test the 8-K disclosure workflow.
The bottom line
The SEC cybersecurity disclosure rules require two specific operational changes: a materiality assessment process that runs concurrently with incident investigation and concludes within days, not weeks; and an annual 10-K disclosure that honestly describes the actual security program rather than aspirational controls. The 4-business-day filing clock from materiality determination is tight enough that preparing the workflow, escalation chain, and legal coordination before an incident is not optional -- the first time you run the process cannot be during the incident itself.
Frequently asked questions
Does the 4-business-day clock start at incident discovery or at materiality determination?
The clock starts at materiality determination, not discovery. The SEC rules explicitly state the disclosure is required within four business days of determining that a cybersecurity incident is material. This distinction is operationally significant: a company can discover an incident, conduct an initial investigation, involve legal counsel to assess materiality, and then begin the 4-day clock from the materiality determination date. However, the SEC has emphasized that companies cannot delay materiality assessments unreasonably to avoid the 4-day window -- the determination must be made without unreasonable delay after sufficient facts are known.
What makes a cybersecurity incident material under the SEC rules?
Materiality uses the standard securities law test: a substantial likelihood that a reasonable investor would consider the information important in making an investment decision. Factors the SEC considers in cybersecurity incidents: quantitative impact (financial losses, revenue interruption costs, ransom payments, remediation costs), qualitative impact (reputational harm to a key product or brand, loss of competitive advantage from IP theft, regulatory penalties), operational disruption (duration and scope of systems offline), and data scope (number of customers or employees affected, sensitivity of data exposed). There is no bright-line dollar threshold -- companies must make a facts-and-circumstances judgment.
Can you delay the 8-K filing for an ongoing incident investigation?
The rules do not provide for a unilateral delay based on ongoing investigation -- once materiality is determined, the 4-day clock runs. The only extension mechanism is the DOJ notification exception: if disclosing the incident would pose a substantial risk to national security or public safety, the company can request a 30-day delay by notifying the Department of Justice. The DOJ must confirm the request; companies cannot self-invoke the exception. A second 60-day extension may be granted by DOJ for national security reasons. This exception is narrow and intended for incidents involving critical infrastructure or law enforcement investigations, not routine ransomware events.
What must the 8-K Item 1.05 disclosure include?
The 8-K must describe: the material aspects of the incident's nature, scope, and timing; and the material impact or reasonably likely material impact on the company. Notably, the rules do not require disclosure of every technical detail -- companies are not required to disclose information that would impede remediation or provide a roadmap for attackers. The disclosure should be factual and specific enough for investors to assess impact without speculating. Companies can and should update the 8-K filing as additional material information becomes known -- amend the original filing rather than filing a new one.
What should the annual 10-K Item 1C cybersecurity disclosure include?
Item 1C requires disclosure of: (1) the company's processes for assessing, identifying, and managing material cybersecurity risks, including how third-party risks are assessed; (2) whether any risks have materially affected or are reasonably likely to materially affect the business; (3) the board of directors' oversight role for cybersecurity risks (which board committee, how often the board is briefed); (4) management's role in assessing and managing cybersecurity risk, including whether the CISO or equivalent reports to the board, and whether management has relevant cybersecurity expertise. The SEC does not prescribe specific security controls -- it requires transparent description of what the company actually does.
How should the CISO and security team change their incident response process to meet SEC requirements?
Three process changes are required: (1) Materiality assessment must be added to the incident response playbook as an explicit phase, involving legal counsel and the CFO for any significant incident -- not just at the end of investigation, but as a concurrent track beginning within 24-48 hours. (2) The CISO must have a direct escalation path to the board (audit committee or full board), bypassing the CEO when necessary, to ensure the board can make the materiality determination with full information. (3) Incident documentation must be designed for dual use: internal investigation and regulatory disclosure -- every timeline entry, scope assessment, and impact estimate may appear in SEC filings.
Do the SEC rules apply to incidents affecting third-party vendors or service providers?
Yes. The rules require disclosure of material incidents regardless of whether the compromise originated at the company or at a third-party vendor. If a SaaS provider, cloud vendor, or IT outsourcer experiences a breach that materially affects the registrant's business, operations, or customers, the registrant must assess and potentially disclose that incident. Companies should update their vendor contract templates to require timely notification of security incidents, and their third-party risk management program should track which vendors, if compromised, could cause a material impact requiring SEC disclosure.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
