On July 26, 2023, the SEC adopted its cybersecurity disclosure rules by a 3-2 commissioner vote, creating a new Item 1.05 on Form 8-K and a new Item 106 in Regulation S-K. The headline requirement — that a public company disclose a material cybersecurity incident within four business days — took effect for most registrants on December 18, 2023, with smaller reporting companies given until June 15, 2024. The clock doesn't start at discovery; it starts the moment the company determines the incident is material, a determination the rule says must itself happen "without unreasonable delay." The rule was tested before it even took effect: in November 2023, the ransomware group ALPHV/BlackCat filed its own SEC complaint against MeridianLink, one of its victims, claiming the company had failed to disclose within four days — even though the 8-K requirement wasn't yet in force. That stunt previewed exactly the pressure CISOs now live under: attackers know the rule exists, and some now weaponize it. This post walks through what the rule actually requires, on what timeline, and from whom.
What exactly triggers the four-business-day clock?
The four-business-day clock starts when a company determines a cybersecurity incident is material — not when the incident is discovered, and not when it's contained. Item 1.05 of Form 8-K requires disclosure of the incident's nature, scope, and timing, plus its material impact or reasonably likely material impact on the registrant, including on its financial condition and results of operations. Materiality follows the existing securities-law standard from cases like TSC Industries v. Northway: whether a reasonable investor would consider the fact important to an investment decision. The SEC deliberately declined to define "material" specifically for cyber incidents, which means the determination has to run through the same disclosure controls a company already uses for other material events — not a bespoke security-team judgment call. A limited delay is available only if the U.S. Attorney General notifies the SEC in writing that disclosure would pose a substantial national-security or public-safety risk; that's a high, narrow bar, not a general extension for "we're still investigating."
What does the SEC actually require every year in the 10-K, separate from an incident?
Separate from any incident, Regulation S-K Item 106 requires every registrant to describe, in its annual Form 10-K, its processes for assessing, identifying, and managing material cybersecurity risks — whether those risks have materially affected or are reasonably likely to affect the company — the board's oversight of cybersecurity risk, including any board committee responsible for it — and management's role and relevant expertise in assessing and managing that risk. This applies for fiscal years ending on or after December 15, 2023, meaning most calendar-year filers first reported it in their 10-K filed in early 2024. It's a standing governance disclosure, not an incident report: a company with a clean year still has to describe its process, in effect turning "how do you manage cyber risk" into a permanent, auditable annual statement rather than something disclosed only after something goes wrong.
How many companies have actually used Item 1.05, and for what?
Between the rule's effective date of December 18, 2023, and January 19, 2025, 54 companies filed 55 cybersecurity incident disclosures on Form 8-K, according to a tracking analysis published by law firm commentary on the rule's first year in force. That's a modest volume relative to the roughly 6,000-plus operating companies that file with the SEC, and it reflects how narrow "material" has turned out to be in practice — many companies that experienced breaches chose to disclose voluntarily under other 8-K items, or determined the incident didn't clear the materiality bar at all. The SEC has publicly pushed back on both directions of that judgment call: in a May 2024 public statement, then-Director of Corporation Finance Erik Gerding warned companies against both under-disclosing material incidents and over-disclosing immaterial ones "out of an abundance of caution," noting the latter can dilute the signal investors rely on.
What does the board specifically have to be able to show?
The board specifically has to be able to show that cybersecurity oversight is a defined, functioning process — not just a slide reviewed once a year. Item 106 requires naming which board committee (often audit, sometimes a dedicated risk or technology committee) is responsible for cyber oversight and describing how that committee is informed, including the frequency and nature of updates from management. In practice this has pushed many boards to formalize incident-briefing cadences, table-top exercises, and named reporting lines from the CISO that didn't previously exist in writing. It also raises personal exposure: SEC Chair Gary Gensler and commission staff have been explicit that the rule is meant to make cybersecurity governance an ordinary-course board responsibility comparable to financial oversight, which means board minutes and committee charters are now discoverable evidence of whether that oversight was real.
Does this rule create personal liability for the CISO?
Yes, and the SEC demonstrated it separately from this rule: in October 2023, the SEC charged SolarWinds and its CISO, Timothy Brown, with fraud and internal-controls failures tied to disclosures made around the 2020 Sunburst supply-chain attack, marking the first time the agency named an individual CISO in an enforcement action of this kind. In July 2024, a federal court dismissed most of the SEC's claims against Brown personally, letting a narrower set of claims proceed — a partial but meaningful pushback on the SEC's theory of individual liability. The SolarWinds case predates Item 1.05 and turned on pre-2023 disclosure and controls failures, not the new four-day rule itself, but it set the tone the new rule now operates under: CISOs are expected to have accurate, documented visibility into their own risk posture, and public statements about security posture are treated as disclosures the SEC will test against the facts.
What should CISOs and boards actually change day to day?
Practically, the rule pushes CISOs to build a materiality-assessment workflow that can move fast and produce a paper trail — because the four-day clock and the "without unreasonable delay" standard for the determination itself mean a company needs a pre-agreed process, not an ad hoc legal huddle, once an incident is confirmed. That means predefined criteria for what counts as material, a named disclosure committee that includes legal, IR, and finance alongside security, and drafted-in-advance 8-K language templates. For the board, it means documented committee charters, minuted incident briefings, and a demonstrable record of the CISO's reporting line and expertise — since Item 106 asks the company to describe management's cybersecurity expertise by name. None of this is a technology control; it's a governance and documentation discipline layered on top of whatever detection and response tooling a company already runs, and it's evaluated after the fact by exactly the kind of paper trail most security teams weren't previously required to keep.