The most expensive misreading of the SEC cybersecurity disclosure rules is also the most common one: that you have four business days from discovering an incident to file. You do not. The four-business-day clock for an Item 1.05 Form 8-K starts when you determine the incident is material, and you are separately required to make that determination "without unreasonable delay after discovery." Two clocks, two triggers, and the gap between them is exactly where general counsel and the security team end up disagreeing at 2 a.m.

If you run security operations at a registrant, these rules turned an internal severity call into a securities-disclosure decision with a regulator-facing timeline. The work is no longer just containing the incident. It is producing a defensible record of when you knew, when you decided, and why. This piece walks through what the rules actually say, where the traps are, and the process you need standing up before the clock ever starts.

What did the SEC's 2023 cybersecurity disclosure rules actually change?

The SEC adopted two distinct disclosure obligations, and conflating them is the first mistake teams make.

The first is incident disclosure: a new Item 1.05 on Form 8-K requiring a registrant to disclose a material cybersecurity incident. This is the current-report, fast-clock obligation.

The second is periodic disclosure: new Regulation S-K Item 106, furnished annually in the Form 10-K under a new Item 1C heading, requiring disclosure about how you manage cybersecurity risk and how your board oversees it. This is the slow-clock, once-a-year obligation about your program, not about any single event.

The final rules became effective September 5, 2023. That effective date is not the date you had to start complying — the compliance dates are later and differ by obligation, which I cover below. Treat "effective" and "compliance date" as two different things, because mixing them up is how a team convinces itself it has more runway than it does.

A useful framing for the secops reader: Item 1.05 tests your incident-response and decision-making process under time pressure. Item 106 tests whether your risk-management program is real and whether your board actually oversees it. The first is reactive. The second is evidence you should already have on hand.

When does the Item 1.05 Form 8-K clock start — and is it really 4 business days?

Yes, it is four business days, and no, it does not run from discovery.

Item 1.05 hangs off the standard Form 8-K cadence. General Instruction B.1 to Form 8-K sets the deadline at four business days after the triggering event. For Item 1.05, the triggering event is the registrant's determination that the incident is material. So the filing is due within four business days of determining the incident was material, not within four business days of discovering it.

The SEC was explicit about why it built it this way. Pinning the deadline to the materiality determination, rather than to discovery, recognizes that you often cannot assess materiality the moment an alert fires. But the SEC also anticipated the obvious abuse — a registrant simply never getting around to deciding — and closed it with the "without unreasonable delay" instruction on the determination itself.

Here is the practical sequence your runbook needs to encode:

  1. Discovery. You become aware of an incident. The discovery clock for the materiality assessment starts now.
  2. Assessment without unreasonable delay. You investigate scope and impact and run the materiality analysis. There is no fixed number of days here, which is precisely the trap — "without unreasonable delay" is a judgment standard you will have to defend later.
  3. Materiality determination. You conclude the incident is material. This is the event that starts the four-business-day filing clock.
  4. File the Item 1.05 8-K within four business days of that determination.
  5. Amend if required information was not determined or available at the time of the initial filing.

The dangerous middle is step 2. There is no day-count safe harbor. If you slow-walk the determination to buy time, you have not bought time — you have created a "without unreasonable delay" problem on top of the underlying incident.

What does "without unreasonable delay" mean for the materiality determination?

The rule text is short: a registrant's materiality determination must be made without unreasonable delay after discovery of the incident. There is no defined deadline, no fixed business-day count, no dollar trigger. It is a reasonableness standard, and reasonableness is judged after the fact, often by someone who already knows how the incident turned out.

That is why this is the single most important thing to operationalize. The standard is not "decide fast." It is "do not let the decision drag without a defensible reason." A delay to genuinely assess scope, pull in forensics, and understand impact is defensible. A delay because the decision sat in someone's inbox, or because nobody owned it, or because the team avoided making the call to dodge the filing, is not.

What breaks here, repeatedly:

  • No named owner. If "the company" makes the materiality determination, nobody does. Name a person or a standing committee, and put it in writing.
  • No timestamped trail. If you cannot show when you discovered the incident, when you started assessing materiality, and when you decided, you cannot defend the gap. Reconstructing this from Slack threads weeks later is not a record.
  • Materiality treated as a security call. Materiality under the federal securities laws is a legal and financial judgment, not a CVSS score. Security provides the facts; the determination is made with legal and finance at the table.
  • Waiting for full remediation. Materiality does not require the incident to be resolved. You can be obligated to file while the incident is still ongoing.

Note what the SEC did not do: it did not set a numeric or dollar materiality threshold. The long-standing federal-securities-law materiality standard applies. So you cannot defend a slow determination by pointing at some bright-line number, because there isn't one. Your defense is the quality and timeliness of your process.

What must an Item 1.05 8-K disclose about the incident?

The disclosure content is narrower than most teams fear, and the rule is deliberately about impact, not about your defenses.

Item 1.05(a) requires you to describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations. That "reasonably likely" language matters: you disclose anticipated material impact, not only impact already realized.

Equally important is what you are not required to expose. The instructions to Item 1.05 state you need not disclose specific or technical information about your planned incident response, your cybersecurity systems, related networks and devices, or potential vulnerabilities in detail that would impede your response or remediation. The disclosure is about what happened to the business, not a blueprint for the next attacker.

Two more mechanics to build into the runbook:

  • The amendment obligation. If information required by Item 1.05(a) is not determined or is unavailable at the initial filing, you say so in the filing, then file an amendment within four business days after you determine that information, again without unreasonable delay, or after it becomes available. The initial 8-K is not a one-shot; it is the start of a thread.
  • The definition is shared. "Cybersecurity incident" for Item 1.05 uses the same definition as Item 106 of Regulation S-K — an unauthorized occurrence, or a series of related unauthorized occurrences, jeopardizing the confidentiality, integrity, or availability of your information systems or the information in them. The "series of related occurrences" wording is doing real work: related smaller events can aggregate into one material incident.

When can you delay disclosure for national security or public safety?

There is a delay mechanism, and it is narrow, specific, and not yours to invoke.

Under Item 1.05(c), disclosure can be delayed only if the United States Attorney General determines that the required disclosure poses a substantial risk to national security or public safety and notifies the Commission of that determination in writing. The delay is not something you request from the FBI, your sector ISAC, or DOJ generally. It runs through the U.S. Attorney General, in writing, to the SEC.

The timeframes, straight from the rule:

  • Up to 30 days, for a period specified by the Attorney General, from the date the disclosure was otherwise required.
  • An additional up to 30 days if the Attorney General determines the substantial risk continues and again notifies the Commission in writing.
  • In extraordinary circumstances, a final additional up to 60 days on the same written-determination basis.
  • Beyond the final 60-day delay, any further delay is handled through a Commission exemptive order, not an automatic extension.

For planning purposes, treat this as effectively unavailable for the routine incident. It exists for genuine national-security and public-safety situations and it depends entirely on an action by the Attorney General. Do not build a runbook whose disclosure strategy assumes you can lean on this provision. Build for filing on time.

What does Regulation S-K Item 106 require in the annual Form 10-K?

Item 106 is the part you can prepare for calmly, because it is annual and it is about your program. It is furnished in the Form 10-K under Item 1C, Cybersecurity, which simply directs you to furnish the information required by Item 106 of Regulation S-K.

Item 106(b) — risk management and strategy — requires you to describe your processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, in enough detail for a reasonable investor to understand them. The rule then points to a non-exclusive list of items to address as applicable:

  • Whether and how these processes are integrated into your overall risk management system.
  • Whether you engage assessors, consultants, auditors, or other third parties in connection with those processes.
  • Whether you have processes to oversee and identify risks from threats associated with your use of any third-party service provider.

Item 106(b) also requires you to describe whether risks from cybersecurity threats, including from prior incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition, and if so, how.

Item 106(c) — governance — requires you to describe the board of directors' oversight of cybersecurity risk, identifying any responsible committee and the processes by which the board or committee is informed. It also requires you to describe management's role in assessing and managing those risks, including which management positions or committees are responsible, their relevant expertise, how they are informed about and monitor prevention, detection, mitigation, and remediation of incidents, and whether they report up to the board.

The operator's read: Item 106 is asking you to put your program on the record. If the board oversight described in your 10-K does not match what actually happens, you have a disclosure-controls problem layered on a governance problem. The fix is not better drafting. It is making the board reporting real, dated, and evidenced — minutes, briefing decks, a documented cadence — so the 10-K language describes something you can prove.

How do the timelines differ for smaller reporting companies and foreign private issuers?

The compliance dates are staggered, and they are easy to get wrong. Ground them in the rule text and put them on a calendar:

  • Item 106 / Item 1C (annual disclosure): all registrants began complying with annual reports for fiscal years ending on or after December 15, 2023. There is no separate smaller-reporting-company phase-in for the annual disclosure.
  • Item 1.05 (incident 8-K), non-smaller-reporting companies: compliance began December 18, 2023.
  • Item 1.05 (incident 8-K), smaller reporting companies: an additional 180 days, so compliance began June 15, 2024.

The SEC declined to exempt smaller reporting companies; it only gave them extra runway on the incident-reporting clock. If you are an SRC, the annual Item 106 obligation hit you on the same fiscal-year basis as everyone else.

Foreign private issuers are on a parallel structure, not an exemption. FPIs furnish material cybersecurity incident information on Form 6-K, and the annual program-and-governance disclosure that mirrors Item 106 lives in Item 16K of Form 20-F. If you operate as or report through an FPI, map your obligations to Form 6-K and Form 20-F Item 16K rather than to Form 8-K and Form 10-K, but expect substantively the same questions about incidents, risk management, and governance.

How do you build a defensible materiality and disclosure process before the clock starts?

The rules reward preparation and punish improvisation. Here is the build, in order, before you ever have an incident to file on.

  1. Name the decision-maker. Designate, in writing, who makes the materiality determination — typically a disclosure committee with security, legal, and finance represented, not the CISO alone and not "the company." A single named owner with a defined escalation path is the foundation everything else sits on.
  2. Define your discovery trigger. Write down what "discovery" means for you so the "without unreasonable delay" clock has a defined start. Tie it to a severity tier in your incident-response process so security knows exactly when to invoke the disclosure track.
  3. Build the materiality assessment as a checklist, not a vibe. Capture the facts the determination needs — scope, data affected, operational impact, reasonably likely financial impact — and route them to legal and finance. The output is a documented determination with a date.
  4. Timestamp everything. Discovery time, assessment-start time, determination time, filing time. This timeline is your defense for both clocks. If it is not recorded contemporaneously, it does not exist.
  5. Pre-draft the 8-K shell. Have an Item 1.05(a) template that captures nature, scope, timing, and material or reasonably likely material impact, plus the standard "information not yet determined" language and the amendment workflow. You do not want to be drafting structure during the four-business-day window.
  6. Make the board reporting real and dated. For Item 106(c), establish a documented cadence of board or committee cybersecurity reporting, with minutes and materials retained. Your 10-K language should describe a process you can produce evidence for.
  7. Map the third-party processes. Item 106(b) asks specifically about third-party service provider risk. Make sure your vendor-risk process is documented well enough to describe and evidence.
  8. Run a tabletop on the clock, not just the breach. Most incident tabletops test containment. Add a disclosure-decision tabletop that forces a materiality call against a stopwatch, with legal and finance in the room, so the first time you run the process is not during a real incident.

What breaks if you skip this: you discover an incident, the security team and legal disagree on whether it is material, the determination drifts for two weeks with no record of why, and when you finally file you cannot show that the delay was reasonable. The incident was survivable. The undocumented decision process is what turns it into a disclosure-controls finding.

This is also where a structured GRC posture pays for itself. If your risk register, your control evidence, and your board-reporting trail are already maintained as queryable, timestamped records, then producing the Item 106 narrative and reconstructing an Item 1.05 timeline becomes a lookup rather than a fire drill. The audit pack is a query, not a project. See how Aegis GRC ties incident response, board reporting, and evidence management into one source-grounded posture at aegis-grc.com.

FAQ: SEC cybersecurity disclosure rules

Does the SEC give you four business days from discovering a cybersecurity incident? No. The four-business-day Item 1.05 Form 8-K deadline runs from the date you determine the incident is material, under General Instruction B.1 to Form 8-K. Separately, the materiality determination itself must be made without unreasonable delay after discovery. There is no fixed day-count between discovery and determination.

Is there a dollar threshold for a "material" cybersecurity incident? No. The rules do not set a numeric or dollar materiality threshold. The existing federal-securities-law materiality standard applies, which is why a documented, timely determination process matters more than any single number.

Who can authorize a delay in disclosure for national security reasons? Only the United States Attorney General, by determining that disclosure poses a substantial risk to national security or public safety and notifying the SEC in writing. The delay runs up to 30 days, with a possible additional 30 days, then up to 60 more in extraordinary circumstances, and any further delay requires a Commission exemptive order. It is not requested through the FBI or DOJ generally.

Where does the annual cybersecurity disclosure go, and what are the deadlines? Regulation S-K Item 106 disclosure is furnished in the Form 10-K under Item 1C, Cybersecurity, covering risk management and strategy (106(b)) and governance (106(c)). All registrants began complying for fiscal years ending on or after December 15, 2023. The Item 1.05 incident 8-K began December 18, 2023 for non-smaller-reporting companies and June 15, 2024 for smaller reporting companies. Foreign private issuers use Form 6-K for incidents and Form 20-F Item 16K for the annual disclosure.