The Securities and Exchange Commission's rule on cybersecurity incident disclosure, adopted on July 26, 2023 and effective for Item 1.05 Form 8-K filings on December 18, 2023 (June 15, 2024 for smaller reporting companies), has now been in force long enough that we have actual filings to read, actual enforcement positions to argue with, and actual case law starting to form around what "material" means in the cybersecurity context. The rule applies to registrants reporting under the Securities Exchange Act of 1934, which sweeps in most public companies operating in the United States, and the same release added material cybersecurity incidents to the list of items foreign private issuers furnish on Form 6-K. The companion Regulation S-K Item 106 requires annual disclosure of cybersecurity risk management, strategy, and governance in the 10-K, but the part that gets boardrooms nervous is the four-business-day clock that starts when a registrant determines that a cybersecurity incident is material.
Two and a half years in, the pattern is clear: a large share of the Item 1.05 filings the SEC has received are supply-chain-adjacent. A vendor gets compromised, the registrant's data is exposed or its operations are disrupted through that vendor, and counsel has to decide whether the incident is material to the registrant even though the registrant's own systems were never breached. The rule does not distinguish between direct compromise and supply-chain compromise: the definition of "cybersecurity incident" covers unauthorized occurrences on or through the registrant's information systems, and "information systems" expressly includes systems owned or used by the registrant, including third-party systems. If the registrant determines materiality, the clock starts. That is the central tension this post explores: how supply-chain incidents trigger Item 1.05, what we have learned from the early filings, and what security programs should actually be doing differently in 2026.
What does Item 1.05 actually require?
The text of Item 1.05 requires a registrant to disclose, within four business days of determining that a cybersecurity incident is material, the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations. The clock does not start at discovery; it starts at the materiality determination, and the rule explicitly says that determination must be made "without unreasonable delay" after discovery. That phrase is doing enormous work, because it means an issuer cannot simply defer the materiality call indefinitely to avoid the disclosure window, but it also means a thoughtful, documented evaluation of impact over some number of days is acceptable. One caveat worth knowing before the drafting starts: the instructions to Item 1.05 state that a registrant need not disclose specific technical information about its planned response or its systems in such detail as would impede that response, so the 8-K describes impact, not indicators of compromise or remediation playbooks.
The rule allows for a delay of up to thirty days where the United States Attorney General determines that immediate disclosure poses a substantial risk to national security or public safety, extendable for a further thirty days on the same finding and, in extraordinary circumstances, for up to sixty additional days. The DOJ's own guidance on the provision says it expects to grant delays only in limited circumstances, and publicly reported approvals have been rare. For supply-chain incidents the carve-out is rarely even available, because the incident is usually already public by the time the registrant has to assess materiality (the vendor itself or a third party has typically already disclosed), and a delay exists to protect national security or public safety, not to spare the registrant or its vendor embarrassment.
Item 106 of Regulation S-K, the companion annual disclosure rule, requires a description of the processes the registrant uses to assess, identify, and manage material risks from cybersecurity threats, including whether it oversees and identifies risks associated with its use of third-party service providers, and whether any cybersecurity threats or prior incidents have materially affected or are reasonably likely to materially affect the registrant. It also requires a description of board oversight and management's role in managing those risks. That third-party prong is what makes the rule a supply-chain rule even when no incident has occurred. Issuers have to describe how they oversee vendor cyber risk, and any gap between what the 10-K says and what the issuer actually does becomes a securities-fraud exposure if a vendor incident later materializes and a plaintiff or the SEC compares the description to the record.
How are supply-chain incidents triggering the rule?
The clearest pattern from 2024 and 2025 is that registrants are filing Item 1.05 8-Ks for incidents at vendors when the registrant's customer data, employee data, or operational continuity is exposed through that vendor. The pre-rule filings from the fall of 2023 set the template. Clorox's August 2023 8-K (filed under Item 8.01 ahead of the rule's effective date, but treated by the bar as a preview of what Item 1.05 would soon require) disclosed an attack on Clorox's own systems and, in follow-up filings, described the impact running through ERP and order-processing dependencies and a period of manual order handling. The same month, MGM Resorts disclosed an incident publicly attributed to social engineering of its IT help desk and compromise of its identity-provider environment, and its October 2023 8-K estimated roughly $100 million of impact on quarterly results; Caesars Entertainment's September 2023 8-K is the cleaner supply-chain example, because it attributed the intrusion to a social-engineering attack on an outsourced IT support vendor and disclosed that a loyalty-program database had been copied. Those two filings, one framed around operational disruption and one around exfiltrated customer data via a vendor, are the two impact patterns that later Item 1.05 filings have followed.
The SolarWinds civil action filed by the SEC in October 2023 is technically a pre-rule enforcement matter (the conduct alleged predates the new Item 1.05), but the theory of liability is informative for supply-chain materiality. The SEC alleged that SolarWinds and its CISO made materially misleading statements about the company's cybersecurity practices, and that those statements were false in light of internal knowledge of weak controls. In July 2024 the Southern District of New York dismissed most of the claims, including the theory that deficient cybersecurity controls amount to a failure of internal accounting controls and the claims based on the company's post-incident 8-K, but allowed the claims tied to the Security Statement published on SolarWinds' website to proceed. Whatever the case's final disposition, that ruling is the lasting signal: general risk-factor language got protection, while a specific, affirmative public description of security practices did not. Programs should treat 10-K language about third-party risk management as something a plaintiff's lawyer will read carefully two years later, and should write it at the level of specificity the program can actually evidence.
Throughout 2025 we saw Item 1.05 filings tied to MOVEit-style file-transfer vulnerabilities, to identity-provider compromises, and to managed-service-provider breaches. The common thread is that the registrant did not own the compromised system, but the impact ran through it, and the vendor's own disclosure did not relieve the registrant of making its own materiality determination. That makes the supplier inventory and the data-flow map into compliance artifacts, not just engineering artifacts: if you cannot say within a few days which vendor holds which data and which revenue-generating process depends on which vendor system, you cannot make the determination "without unreasonable delay."
What counts as material in a supply-chain context?
Materiality under TSC Industries v. Northway (1976) and Basic v. Levinson (1988) turns on whether there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision, with contingent or uncertain events weighed by both their probability and their magnitude. The SEC explicitly imported this standard into Item 1.05; the agency did not adopt a numeric threshold and rejected commenters' requests for a bright-line dollar test, and the adopting release says qualitative factors count alongside quantitative ones. In the supply-chain context, this means a small vendor incident can be material if it affects a critical operational dependency, and a large, widely reported vendor incident can be immaterial to a particular registrant if that registrant's exposure was effectively walled off.
The factors registrants have actually weighed in the early filings include the volume and sensitivity of data exposed, the operational disruption (downtime of revenue-generating systems, inability to ship, inability to invoice), the regulatory and legal exposure created by the incident, the reputational impact (which courts have historically been skeptical of in isolation but which the SEC's adopting release lists as a relevant consideration), and the cost of remediation. A registrant whose payroll provider is compromised, where no business operations are disrupted but where Social Security numbers for tens of thousands of employees are exposed, may well have crossed the materiality line on data-sensitivity and legal-exposure grounds alone, even though no dollar figure is yet attached; the point is that "our systems were fine" is not the end of the analysis.
The hardest cases are the slow-burn ones, where the registrant learns about a vendor incident piecemeal over weeks. Materiality has to be reassessed as facts develop, and Item 1.05 itself requires an amended 8-K within four business days once information that was unavailable or undetermined at the time of the original filing becomes known, so amended filings are now a routine part of the process rather than an admission of error. Two further points from SEC staff commentary matter here. First, the staff has said that a registrant that wants to disclose an incident it has not found material, or whose materiality it has not yet determined, should do so under Item 8.01 rather than Item 1.05, so that Item 1.05 filings remain a clear signal of a materiality determination. Second, the SEC has signaled in speeches and risk alerts that it will look at the contemporaneous record of how the determination was made. Programs should therefore document the materiality determination at every stage, including the decision not to file.
How is enforcement shaping interpretation in 2026?
The SEC's enforcement priorities for fiscal year 2026, communicated through Division of Enforcement speeches and the annual examination priorities document from the Division of Examinations, continue to emphasize cybersecurity disclosure controls. The agency has been more interested in the disclosure process, meaning whether the registrant had reasonable procedures for escalating incident information to the people who make disclosure decisions, than in second-guessing the substantive materiality call. That is a deliberate posture: the SEC has limited expertise in evaluating cyber severity, but it has two decades of experience evaluating disclosure controls and procedures under Exchange Act Rule 13a-15, and an escalation failure is far easier to prove than a wrong judgment call.
The practical implication is that programs need a written, tested process for getting incident information from the security team to the disclosure committee on a clock that supports the four-business-day window. The process has to cover vendor incidents, including the case where the first notice arrives as a vendor's customer email or a public advisory rather than an alert from the registrant's own tooling, which is not how most disclosure committees were structured pre-rule. Tabletop exercises that walk through a supplier breach scenario from initial vendor notification to 8-K filing have become routine at well-run programs, and a documented, exercised escalation path is exactly the kind of evidence the SEC looks for when it evaluates whether disclosure controls were reasonably designed.
How Safeguard Helps
Safeguard treats third-party software risk as a first-class data model rather than an afterthought. The platform maintains a continuously updated inventory of every package, container, and supplier dependency feeding your production systems, generates SBOMs that serve as the compliance artifact your disclosure committee needs when a vendor incident lands on the agenda, and runs policy gates that block ingestion of suppliers who fail your stated risk posture (the kind of stated posture that ends up quoted back at you in 10-K language). Griffin AI surfaces the specific exposure paths from a public CVE or vendor disclosure to your shipping products, so the materiality conversation can be grounded in evidence rather than guesswork. TPRM workflows in Safeguard track attestation collection from your suppliers, generate audit-ready evidence packages, and produce timelines that show exactly when your team learned what, supporting the contemporaneous record the SEC expects to see. The result is a compliance posture that maps directly onto Item 1.05 and Item 106 requirements without forcing your security team to maintain a parallel disclosure dataset.