Item 1.05 of Form 8-K, added by the SEC's July 2023 final rule on cybersecurity disclosure, has been in force since December 18, 2023. Two filing cycles in, the staff has shifted from passive observation to active scrutiny: the Division of Corporation Finance conducted a comment-letter sweep on Item 1.05 filings between May and July 2024, the Division of Enforcement settled actions against four issuers in October 2024 for misleading cybersecurity disclosures predating the rule, and Item 1.05 filings have continued to accumulate across 2025. For public-company CISOs, deputy general counsel, and disclosure committees, the lessons are now concrete rather than hypothetical.
How many Item 1.05 8-Ks have actually been filed?
From the rule's effective date on December 18, 2023 through January 2025, the bar associations and law firms tracking the EDGAR feed counted roughly 55 cybersecurity incidents reported on Form 8-K by 54 registrants. Filings accelerated through 2025 as more issuers crossed materiality thresholds and as ransomware actors specifically named public targets to weaponize the disclosure clock. Notable filers in the first year included Microsoft (the Midnight Blizzard intrusion in January 2024), UnitedHealth Group (Change Healthcare, February 2024), Prudential, loanDepot, VF Corporation, and AT&T. A material share of filers disclosed under Item 1.05 even though they had not yet determined materiality, which prompted the SEC's first major piece of public guidance on the rule.
What did the May 2024 SEC staff guidance change?
On May 21, 2024, Director of the Division of Corporation Finance Erik Gerding issued a public statement clarifying that Item 1.05 should be used only when the registrant has affirmatively determined an incident is material. Companies wishing to disclose an immaterial or undetermined incident should use Item 8.01 (Other Events) instead, to avoid signaling to investors that a non-material event triggers the four-business-day clock. That guidance reshaped subsequent filings: by the second half of 2024, the ratio of Item 8.01 cybersecurity disclosures to Item 1.05 disclosures inverted, with most early-stage incident disclosures moving to 8.01. The guidance also pressed filers to describe the material impact or reasonably likely material impact beyond financial condition and results of operations, including reputational, legal, regulatory, and competitive effects.
What did the comment-letter sweep target?
Between May 24 and July 26, 2024, the staff issued at least fourteen comment letters to issuers who had filed Item 1.05 8-Ks. The letters consistently raised two concerns. First, where the registrant had not yet determined materiality, the letter asked why Item 1.05 was selected over Item 8.01. Second, where the registrant did disclose materiality, the letter asked for expanded description of the nature, scope, and timing of the incident and of the material impact, citing the rule's plain text. AT&T received a notable comment letter in 2024 asking it to amend its Item 1.05 filing to describe the categories of customer data exposed and the legal and reputational implications. The comment-letter sweep is now part of the staff's normal review playbook for any Item 1.05 filing.
What did the October 2024 enforcement actions add?
On October 22, 2024, the Division of Enforcement announced settled actions against Unisys, Avaya, Check Point, and Mimecast for negligently making materially misleading statements about cybersecurity incidents tied to the 2020 SolarWinds Orion compromise. The orders, which carried civil penalties totaling roughly $7 million, found that the companies described the impact of the intrusion in generic terms despite internal evidence that the actor had accessed specific sensitive systems and data. The actions were brought under pre-Item-1.05 disclosure obligations, not under the new rule itself, but they signaled that the Division is willing to second-guess wording choices in incident disclosures and that "we are investigating" boilerplate is not enough when the registrant already has investigative findings in hand.
What does a defensible Item 1.05 filing look like?
Reviewing the filings that survived staff scrutiny without amendment, three patterns recur. First, the filing identifies the nature of the incident in plain language (ransomware, business email compromise, network intrusion) rather than the marketing-friendly "cybersecurity event." Second, it states the scope in terms investors can evaluate: which business segment, which data categories, whether operations were disrupted, and whether systems remain offline at the time of filing. Third, it addresses material impact across all categories the rule requires, not only financial. Filers also use Item 1.05(b) updates aggressively, returning every two to four weeks with new facts (forensic conclusions, customer notification counts, regulatory inquiries) rather than waiting for a single comprehensive amendment.
# Item 1.05 disclosure checklist used by disclosure committees
[ ] Materiality determination documented with date, decision-maker, and basis
[ ] Item selection (1.05 vs 8.01) explained in the disclosure file memo
[ ] Nature: type of incident in plain terms (ransomware/BEC/network intrusion)
[ ] Scope: business unit, data categories, geographies, system status
[ ] Timing: discovery date, determination date, four-business-day clock start
[ ] Material impact addressed across: financial, operational, legal/regulatory, reputational, competitive
[ ] Forward-looking statements appropriately qualified
[ ] Update cadence agreed (1.05(b) amendments every 2-4 weeks until closed)
How does this intersect with software supply chain risk?
Three of the four October 2024 enforcement targets were affected by a single third-party software compromise. That precedent is now folded into how the staff reviews Item 1.05 filings tied to vendor incidents: filers who treat a supplier breach as someone else's problem are inviting comment letters or worse. Item 1.05 puts a four-business-day clock on the registrant once it determines materiality, regardless of whether the underlying event happened at a vendor. That means contracts with critical SaaS, managed-service, and open-source-supported suppliers need to include rapid notification clauses, evidence-sharing commitments, and a pre-agreed factual baseline so the registrant's disclosure committee is not starting from zero on day one. Filers who can point to an SBOM-based dependency map, a vendor risk register, and a documented investigation playbook are far better positioned to write a defensible 8-K than those who scramble after the call.
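The SBOM-based dependency map and the four-business-day clock described above, as an added example that is not part of the original article or of any product it mentions: a CycloneDX-style SBOM constructed inline (all product and component names are made up), a reverse-dependency walk that lists which applications reach an implicated vendor component, and a deadline helper that counts Monday-to-Friday business days only (federal holidays are not modelled, an assumption to adjust against a real calendar).

```python
"""Added example, not the article's code: on day one of a vendor incident,
answer "which of our applications reach the implicated component?" from a
CycloneDX-style SBOM, and compute the Item 1.05 filing deadline."""
import json
from datetime import date, timedelta

# Constructed CycloneDX-like SBOM: components keyed by bom-ref plus a
# dependency adjacency list. Names are invented for illustration.
SBOM = json.loads("""
{
  "components": [
    {"bom-ref": "prod:billing", "name": "billing-portal", "type": "application"},
    {"bom-ref": "prod:mobile", "name": "mobile-app", "type": "application"},
    {"bom-ref": "lib:auth-sdk", "name": "auth-sdk", "type": "library"},
    {"bom-ref": "lib:vendor-agent", "name": "vendor-monitoring-agent", "type": "library"},
    {"bom-ref": "lib:json", "name": "json-parser", "type": "library"}
  ],
  "dependencies": [
    {"ref": "prod:billing", "dependsOn": ["lib:auth-sdk", "lib:vendor-agent"]},
    {"ref": "prod:mobile", "dependsOn": ["lib:auth-sdk"]},
    {"ref": "lib:auth-sdk", "dependsOn": ["lib:json"]},
    {"ref": "lib:vendor-agent", "dependsOn": ["lib:json"]}
  ]
}
""")


def affected_products(sbom, implicated_ref):
    """Sorted names of application components that transitively depend on implicated_ref."""
    # Reverse the edges: child bom-ref -> set of parents that depend on it.
    parents = {}
    for dep in sbom["dependencies"]:
        for child in dep.get("dependsOn", []):
            parents.setdefault(child, set()).add(dep["ref"])
    seen, stack = set(), [implicated_ref]
    while stack:  # walk upward from the implicated component to every dependant
        ref = stack.pop()
        for parent in parents.get(ref, ()):
            if parent not in seen:
                seen.add(parent)
                stack.append(parent)
    by_ref = {c["bom-ref"]: c for c in sbom["components"]}
    return sorted(by_ref[r]["name"] for r in seen if by_ref[r]["type"] == "application")


def filing_deadline(determined_on_iso):
    """ISO date four business days (Mon-Fri; holidays ignored, an assumption) after the determination date."""
    day, remaining = date.fromisoformat(determined_on_iso), 4
    while remaining:
        day += timedelta(days=1)
        if day.weekday() < 5:
            remaining -= 1
    return day.isoformat()
```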
How Safeguard Helps
Safeguard maintains a continuously updated SBOM and dependency graph across every product and service in your portfolio, so when a vendor or open source library is implicated in an incident you can identify reachable systems in minutes rather than days. Griffin AI cross-references vendor advisories, CISA KEV entries, and VEX statements to give the disclosure committee a defensible materiality narrative — what was reachable, what was exploited, and what was contained. TPRM workflows score upstream suppliers against contractual notification SLAs and the CISA Secure by Design pledge, flagging vendors who would leave you blind during a four-business-day Item 1.05 window. Policy gates can also be tuned to block deployment of components carrying unresolved findings tied to public incidents, giving counsel a clean audit trail of what the company knew, when it knew it, and how it responded.