
SEC Cyber Incident Disclosure Rule: Year Two

Two years into Item 1.05 of Form 8-K, the SEC has clarified materiality, enforcement posture, and how Regulation S-K Item 106 cybersecurity narratives will be judged.

Shadab Khan
Security Engineer

The Securities and Exchange Commission adopted the final cybersecurity disclosure rules on 26 July 2023 (Release Nos. 33-11216; 34-97989; File No. S7-09-22). Item 1.05 of Form 8-K went live for most registrants on 18 December 2023; the smaller reporting company phase-in landed 15 June 2024. Two years in, enforcement patterns, peer comment letters, and the Division of Corporation Finance's 12 February 2026 sample-letter update have clarified how public companies should think about materiality, timing, and the link between disclosure and supply chain evidence.

This is not a primer on the rule text. It is a 2026 field report for security engineers, GRC leads, and outside counsel coordinating the 8-K machinery.

What does "material" actually mean under Item 1.05 in 2026?

The rule borrows the TSC Industries v. Northway (1976) materiality standard, but the Division of Corporation Finance's 2025 and 2026 comment letters make the practical test clearer. Materiality under Item 1.05 is not pure operational impact; it is whether a reasonable investor would consider the incident important in making an investment decision, factoring qualitative harms — reputation, customer confidence, regulator attention — alongside quantitative losses.

Director Erik Gerding's 21 May 2024 statement clarified that ransomware incidents resolved without material impact do not automatically trigger Item 1.05. The 2025 Clorox and UnitedHealth disclosures, and the SolarWinds enforcement action progress through 2025, drew a harder line on one pattern: a registrant cannot quietly leave a material incident undisclosed while simultaneously describing its cyber program glowingly in Regulation S-K Item 106.

In 2026, Corp Fin comment letters are consistently asking two questions. First, what was the materiality analysis — documented contemporaneously, with named decision-makers — and why did it conclude the way it did. Second, where is the connective tissue between the incident and the registrant's Item 106 disclosures about governance, risk management, and third-party oversight.

How is the four-business-day clock being interpreted after enforcement cases?

Item 1.05(a) requires disclosure within four business days of the registrant's determination that a cybersecurity incident is material. The clock starts at determination, not detection. The Commission has used every public opportunity — including the 14 October 2025 Enforcement Division statement accompanying the CF Disclosure Review — to emphasize that registrants cannot delay determination to delay the clock.

The 22 October 2024 SolarWinds motion-to-dismiss ruling in the Southern District of New York narrowed but did not eliminate the fraud claims against the CISO individually, underscoring that the people performing the determination can themselves be on the hook if the materiality analysis is pretextual. For 2026 disclosures, the pragmatic approach is a written, time-stamped materiality memo prepared by a cross-functional group (security, legal, finance, investor relations), reviewed by the disclosure committee, and retained as part of the registrant's books and records.

The national security delay provision — under which the US Attorney General may authorize a delay — has been used sparingly. DOJ's December 2023 guidelines and the updated FBI Victim Notification SOP of March 2025 describe a narrow path that is not a general-purpose off-switch for the four-day clock.

What does a competent Item 1.05 filing look like in 2026?

A defensible Item 1.05 typically states, in plain English, (1) when the registrant determined the incident was material, (2) the nature and scope of the incident, (3) the material impact or reasonably likely material impact on the registrant, including operations and financial condition, and (4) any amendments expected as facts develop under Item 1.05(c).

What it does not do is overpromise. The 2025 round of comment letters hit registrants for speculative assurances that "no customer data was accessed" without evidentiary basis, and for using boilerplate that did not match the filing's own later amendments. Corp Fin's 12 February 2026 sample letter specifically flags vague references to "industry-standard controls" without tying those claims to the registrant's actual Item 106 framework disclosure.

Where does Regulation S-K Item 106 fit in, and how is it being policed?

Item 106(b) requires annual disclosure of the registrant's processes for assessing, identifying, and managing material risks from cybersecurity threats, including whether and how third parties are engaged in those processes. Item 106(c) requires disclosure of board and management oversight.

Two themes dominate 2025–2026 Corp Fin comments. First, third-party/supply chain oversight descriptions are too generic — "we evaluate key vendors for cybersecurity risk" is not a process. Comment letters ask for the framework used (NIST SP 800-161, ISO/IEC 27036, the registrant's own written program), the scope of covered vendors, the cadence of reassessment, and how findings flow into procurement, contracts, and board reporting. Second, the governance disclosure must match lived reality — if a registrant claims quarterly board-level briefings, comment letters will pull the minutes.

The connection to Item 1.05 is direct. If a material incident originates from a third-party software component, the registrant's Item 106 narrative about supply chain oversight becomes contemporaneous evidence in the materiality and disclosure analysis.

How are software supply chain incidents treated differently?

The 2024–2025 incident environment was dominated by supply chain origin events: the continuing fallout from MOVEit and Accellion, the July 2024 CrowdStrike Falcon content update outage, the ongoing npm and PyPI package compromises, and several downstream exposures from managed file transfer and identity platforms.

The SEC's practical stance: a supply chain incident is not automatically material, but when it is, the registrant's disclosure obligation does not shift to the upstream vendor. Item 1.05(d) addresses the scenario where the registrant cannot yet determine impact because the incident occurred at a third-party service provider — registrants must still assess and disclose once they reasonably can, and Corp Fin has been firm that opacity upstream is not a permanent excuse.

This is where a software bill of materials and attestation evidence stop being a nice-to-have. A registrant that already has an inventory of software components, signed provenance, and vendor attestations can determine materiality in hours rather than weeks. A registrant that has to email vendors and wait for answers is the one that ends up with an 8-K that reads badly.
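The exposure check described above, as an added example that is not code from the article or from Safeguard.sh: it walks a constructed CycloneDX-style SBOM fragment from each product root through the dependency graph and reports which products transitively pull in a component below a constructed advisory's fixed-in version. All component names, versions and the advisory are made up for illustration.

```python
import json

# Constructed CycloneDX-style SBOM fragment (not a real inventory): two product
# roots; "portal" reaches a vulnerable library only through a transitive dependency.
SBOM = json.loads("""
{
  "components": [
    {"bom-ref": "pkg:generic/acme/portal@4.2.0",  "name": "portal",      "version": "4.2.0"},
    {"bom-ref": "pkg:generic/acme/billing@1.9.3", "name": "billing",     "version": "1.9.3"},
    {"bom-ref": "pkg:pypi/transferlib@2.0.7",     "name": "transferlib", "version": "2.0.7"},
    {"bom-ref": "pkg:pypi/transferlib@2.1.4",     "name": "transferlib", "version": "2.1.4"},
    {"bom-ref": "pkg:pypi/httpcore@1.0.2",        "name": "httpcore",    "version": "1.0.2"}
  ],
  "dependencies": [
    {"ref": "pkg:generic/acme/portal@4.2.0",  "dependsOn": ["pkg:pypi/httpcore@1.0.2"]},
    {"ref": "pkg:pypi/httpcore@1.0.2",        "dependsOn": ["pkg:pypi/transferlib@2.0.7"]},
    {"ref": "pkg:generic/acme/billing@1.9.3", "dependsOn": ["pkg:pypi/transferlib@2.1.4"]}
  ]
}
""")

PRODUCT_ROOTS = ["pkg:generic/acme/portal@4.2.0", "pkg:generic/acme/billing@1.9.3"]

# Constructed vendor advisory: every transferlib release before 2.1.0 is affected.
ADVISORY = {"name": "transferlib", "fixed_in": "2.1.0"}


def parse_version(v):
    """Dotted numeric version -> comparable tuple, e.g. '2.0.7' -> (2, 0, 7)."""
    return tuple(int(p) for p in v.split("."))


def is_affected(component, advisory):
    """True when the component is the advisory's package at a version below fixed_in."""
    return (component["name"] == advisory["name"]
            and parse_version(component["version"]) < parse_version(advisory["fixed_in"]))


def exposed_products(sbom, roots, advisory):
    """Map each product root to the affected component refs reachable from it."""
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    hits = {}
    for root in roots:
        stack, seen = [root], set()
        while stack:                      # depth-first walk of the dependency graph
            ref = stack.pop()
            if ref in seen:
                continue
            seen.add(ref)
            comp = comps.get(ref)
            if comp is not None and is_affected(comp, advisory):
                hits.setdefault(root, []).append(ref)
            stack.extend(graph.get(ref, []))
    return hits


if __name__ == "__main__":
    print(exposed_products(SBOM, PRODUCT_ROOTS, ADVISORY))
```

With a real SBOM the same walk answers "which releases ship the affected component" as soon as the advisory names a package and fixed version, which is the input the materiality memo needs.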

What should public company security and legal teams do now?

First, treat the materiality memo as a standing disclosure-control artefact. It should have a template, named reviewers, and a retention policy. Second, rehearse. The Division's sample letters are a free tabletop exercise — run them against your last 12 months of incidents, drafts, and Item 106 disclosures and find the gaps. Third, close the supply chain blind spot. If a material event originates from a library, container image, or SaaS vendor, you need to know within hours which of your products are exposed and which customers are affected.

Fourth, align Item 106 disclosures with operating reality. If your Item 106 text claims third-party risk oversight you cannot evidence, fix the operations — not the disclosure. Plaintiffs' securities firms read Item 106 carefully. Fifth, track the ongoing SolarWinds litigation and the Commission's 2026 enforcement calendar; the doctrinal gaps get narrower every quarter.

How Safeguard.sh Helps

Safeguard.sh shortens the path from incident detection to a defensible materiality decision. Lino, our compliance mapping engine, maps your incident response runbook and disclosure controls to SEC Release No. 33-11216, Form 8-K Item 1.05, Regulation S-K Item 106, NIST SP 800-161 Rev. 2, and NIST Cybersecurity Framework 2.0, giving your disclosure committee a ready-made evidence trail. Our SBOM service continuously tracks every component in every release, so when a MOVEit-class supply chain event lands, you can answer "are we exposed" in minutes rather than days. The TPRM module maintains a live inventory of software vendors with their attestations, pledge signatory status, and SEC-cited incident history, feeding directly into your Item 106 third-party narrative. Safeguard.sh's attestation and signing pipeline produces in-toto and SLSA-aligned provenance for every release, which becomes contemporaneous evidence when Corp Fin or plaintiffs' counsel reconstruct the timeline. The result is an 8-K you can file in four days without an apologetic Item 1.05(c) amendment three weeks later.

Two years in, the SEC's rule is not ambiguous. The registrants treating it as a disclosure problem alone are the ones getting comment letters. The ones treating it as an engineering and supply chain problem are not.
