Material Cybersecurity Incident Disclosure (Form 8-K)

Material Cybersecurity Incident Disclosure (Form 8-K) requires a public company registrant to file an Item 1.05 Form 8-K within four business days after it determines a cybersecurity incident is material, describing the incident’s material nature, scope, timing, and material (or reasonably likely material) impact. Build a repeatable materiality determination and disclosure workflow that can run under incident pressure. (SEC Release No. 33-11216)

Key takeaways:

  • The clock starts at materiality determination, not first detection, and the filing is due within four business days. (SEC Release No. 33-11216)
  • Your process must produce an evidence-backed judgment on materiality and a disclosure-ready fact set (nature/scope/timing/impact). (SEC Release No. 33-11216)
  • Pre-approve roles, escalation, outside counsel coordination, and drafting mechanics so the team can execute during a live incident. (SEC Release No. 33-11216)

If you are a Compliance Officer, CCO, or GRC lead at an SEC registrant, this requirement is a disclosure operations problem disguised as a cybersecurity problem. Your success depends on whether the organization can (1) recognize which cybersecurity events qualify as “incidents” worth elevating, (2) reach a defensible materiality determination quickly, and (3) translate incomplete technical facts into an accurate, non-misleading Item 1.05 narrative on a tight filing timeline. The filing obligation is triggered when the registrant determines an incident is material, and the rule sets a four-business-day deadline from that point. (SEC Release No. 33-11216)

In practice, the hard part is not writing the form. It is running a decision process that is fast, documented, cross-functional, and consistent with how your company makes other materiality judgments. You also need controls that prevent two failure modes: (a) analysis paralysis that delays the determination and (b) premature, overly specific statements that later turn out wrong. This page gives you requirement-level implementation guidance you can put into a runbook: who decides, what inputs they need, what gets documented, how drafting works, and what evidence to retain for auditors, regulators, and litigation. (SEC Release No. 33-11216)

Regulatory text

Requirement (excerpt): “A registrant must disclose any cybersecurity incident it determines to be material on Form 8-K within four business days of such determination.” The disclosure must describe the material aspects of the incident’s nature, scope, and timing, and the material impact or reasonably likely material impact on the registrant. (SEC Release No. 33-11216)

Operator interpretation:
You must have an internal mechanism that:

  1. reliably elevates cyber events to an “incident under evaluation” state,
  2. produces a documented materiality determination, and
  3. triggers an Item 1.05 Form 8-K drafting and filing workflow that completes within four business days of that determination. (SEC Release No. 33-11216)

Plain-English interpretation (what the SEC expects you to be able to do)

  • Decide materiality with discipline. Materiality is not “major breach” in technical terms; it is whether a reasonable investor would consider the information important, which the rule frames through the incident’s expected impact on financial condition and results of operations. Ground the decision in business impact, not just severity scores. (SEC Release No. 33-11216)
  • Disclose what is material, not everything you know. Item 1.05 is a “material aspects” disclosure: nature, scope, timing, and material impact or reasonably likely material impact. Over-disclosing uncertain forensics can create retraction risk later. (SEC Release No. 33-11216)
  • Run the play under pressure. You will be working with partial facts. The control objective is a defensible process and accurate statements based on what is known at filing time. (SEC Release No. 33-11216)

Who it applies to (entity and operational context)

Applies to: SEC registrants required to file Form 8-K (public companies and other registrants subject to Exchange Act reporting). The provided applicability data highlights financial institutions and broker-dealers, but operationally this is a registrant reporting obligation, not an industry-only rule. (SEC Release No. 33-11216)

Operational context where this breaks down most often:

  • Decentralized incident response across business units or subsidiaries.
  • Heavy reliance on third parties (cloud/SaaS, MSP/MSSP, payment processors) where you lack immediate forensic access.
  • Concurrent legal holds, extortion demands, or law enforcement engagement, which can slow internal decision-making.
  • Unclear ownership between Security (facts), Legal (disclosure risk), Finance (materiality lens), and IR/Comms (message control).

What you actually need to do (step-by-step)

Step 1: Define “incident intake” and escalation triggers

Create a single escalation path from Security/IT to Legal/Disclosure Committee for any event that could plausibly create material impact. Don’t depend on a single threshold like “PII confirmed”; build multi-factor triggers, for example:

  • operational outage affecting revenue-generating systems,
  • confirmed unauthorized access to core systems,
  • credible exfiltration indicators,
  • incident affecting financial reporting systems or data integrity,
  • third-party incident where your data or operations are implicated.

Deliverable: Cyber Incident Escalation Standard mapping event types to escalation timelines and decision owners. (SEC Release No. 33-11216)

Step 2: Stand up a “Materiality Determination Group” (MDG)

Pre-designate a small group that can convene fast and make the call. Typical membership:

  • General Counsel or delegated securities counsel
  • CFO or delegate with financial impact authority
  • CISO (or incident commander)
  • Controller/finance leader for quantification discipline
  • Head of IR/Comms for message coordination

Define:

  • quorum rules,
  • decision authority (who can declare “material”),
  • documentation requirements,
  • outside counsel engagement triggers.

Deliverable: MDG charter + call tree + meeting template. (SEC Release No. 33-11216)

Step 3: Use a materiality worksheet that forces business-impact thinking

Build a structured worksheet that captures:

  • Nature: what happened (access, disruption, encryption, data integrity issue).
  • Scope: affected systems, business lines, geographies, and whether third parties are involved.
  • Timing: when it started, when detected, and major milestones (containment, recovery).
  • Impact (actual or reasonably likely): operational disruption, customer impacts, legal/regulatory exposure, remediation costs, and financial reporting implications.

Keep it decision-oriented. The point is to support a materiality determination and disclosure language, not to recreate a forensic report. (SEC Release No. 33-11216)

Deliverable: Item 1.05 Materiality Worksheet (version-controlled, time-stamped).

Step 4: Start drafting before the determination, but control what can be said

Once an incident is escalated to MDG review, begin an “8-K drafting track” in parallel:

  • Create a draft shell with only confirmed facts.
  • Maintain a “known / unknown / next validation step” table.
  • Route drafts through securities counsel and the disclosure owner.

This reduces cycle time after materiality is determined, which is when the four-business-day filing clock starts. (SEC Release No. 33-11216)

Deliverable: Pre-approved Item 1.05 drafting template and review workflow.

Step 5: Make, record, and operationalize the materiality determination

At the MDG meeting:

  • capture the facts relied on,
  • record the determination time and basis,
  • list open items that could change the assessment,
  • assign an owner for ongoing updates.

If the determination is “material,” trigger:

  • EDGAR filing workflow,
  • board notification path (as defined internally),
  • investor relations and communications coordination,
  • incident communications alignment (avoid conflicting statements).

Deliverable: Materiality Determination Memo and 8-K Filing Task List. (SEC Release No. 33-11216)
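The determination record above is where the four-business-day clock is anchored, so it is worth making the time-stamping and deadline arithmetic mechanical rather than something counted on a calendar during a crisis. The following is an added example (not the page's or Daydream's code) of a minimal determination record that stores the decision time separately from detection time, computes the filing deadline in business days (weekends skipped, plus a holiday set), and emits the memo fields listed in Step 5. The incident data and the holiday set are constructed for illustration; substitute the EDGAR holiday calendar for the actual filing year, and record the determination in the timezone the MDG uses for business days.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone
from typing import FrozenSet, List, Optional, Tuple

# Assumption: constructed holiday set for illustration only. Replace with the
# EDGAR/federal holiday calendar for the filing year (not provided on this page).
SAMPLE_HOLIDAYS: FrozenSet[date] = frozenset({date(2024, 7, 4)})


def add_business_days(start: date, n: int,
                      holidays: FrozenSet[date] = frozenset()) -> date:
    """Advance `start` by n business days. Day 0 is `start` itself; weekends
    (Sat/Sun) and any date in `holidays` do not count toward the deadline."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


def deadline_for(determined_iso: str, holidays_iso: Tuple[str, ...] = ()) -> str:
    """ISO-date convenience wrapper: filing deadline = 4 business days after
    the determination date (SEC Release No. 33-11216)."""
    holidays = frozenset(date.fromisoformat(h) for h in holidays_iso)
    return add_business_days(date.fromisoformat(determined_iso), 4, holidays).isoformat()


@dataclass
class MaterialityDetermination:
    incident_id: str
    detected_at: datetime                 # first detection; does NOT start the clock
    determined_at: Optional[datetime]     # MDG determination time; starts the clock
    determination: str                    # "pending", "material" or "not material"
    facts_relied_on: List[str] = field(default_factory=list)
    open_items: List[str] = field(default_factory=list)
    decided_by: List[str] = field(default_factory=list)

    def filing_deadline(self, holidays: FrozenSet[date] = frozenset()) -> Optional[date]:
        """Item 1.05 Form 8-K due date; None when no filing is triggered."""
        if self.determination != "material" or self.determined_at is None:
            return None
        return add_business_days(self.determined_at.date(), 4, holidays)

    def memo_lines(self, holidays: FrozenSet[date] = frozenset()) -> List[str]:
        """The Step 5 memo fields: facts relied on, determination time and basis,
        open items that could change the assessment, and the decision owners."""
        when = self.determined_at.isoformat() if self.determined_at else "pending"
        lines = [f"Incident: {self.incident_id}",
                 f"Detected: {self.detected_at.isoformat()}",
                 f"Determination: {self.determination} (recorded {when})",
                 "Facts relied on:"]
        lines += [f"  - {f}" for f in self.facts_relied_on]
        lines.append("Open items that could change the assessment:")
        lines += [f"  - {o}" for o in self.open_items]
        lines.append("Decided by: " + ", ".join(self.decided_by))
        due = self.filing_deadline(holidays)
        lines.append(f"Item 1.05 Form 8-K due by: {due.isoformat()}" if due
                     else "No Item 1.05 filing triggered by this determination")
        return lines


def example_record() -> MaterialityDetermination:
    """Constructed sample: detected 20 June, determined material 2 July 2024."""
    return MaterialityDetermination(
        incident_id="INC-EXAMPLE-001",   # placeholder identifier
        detected_at=datetime(2024, 6, 20, 14, 5, tzinfo=timezone.utc),
        determined_at=datetime(2024, 7, 2, 16, 30, tzinfo=timezone.utc),
        determination="material",
        facts_relied_on=["order-management platform unavailable since 2024-06-20",
                         "unauthorized access to core systems confirmed by IR team"],
        open_items=["exfiltration volume not yet verified",
                    "third-party MSP scope statement outstanding"],
        decided_by=["General Counsel", "CFO", "CISO"],
    )


if __name__ == "__main__":
    print("\n".join(example_record().memo_lines(SAMPLE_HOLIDAYS)))
```

With the constructed data the deadline falls on 9 July 2024 rather than 8 July because the 4 July holiday is skipped, and it is unaffected by the 20 June detection date; that gap between detection and determination is exactly what the record must be able to explain to an auditor.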

Step 6: Draft Item 1.05 disclosure content with “truthful, bounded specificity”

Your Item 1.05 narrative must cover:

  • material aspects of nature, scope, and timing, and
  • material impact or reasonably likely material impact. (SEC Release No. 33-11216)

Drafting rules you can enforce operationally:

  • Use plain, non-speculative language.
  • Avoid attributing cause or actor unless confirmed.
  • Describe impacts in terms of business effects and remediation posture.
  • Ensure consistency with customer notices, insurer statements, and law enforcement communications.

Deliverable: Final Item 1.05 text with counsel sign-off trail. (SEC Release No. 33-11216)

Step 7: Manage third-party dependencies explicitly

Many “your” incidents originate at a third party. Your runbook should require:

  • contract clauses supporting rapid incident notification and cooperation,
  • a data request checklist for the third party (logs, scope statements, containment actions),
  • a timeline log of third-party statements received (and their confidence level).

This is where a third-party risk management program meets disclosure controls. Daydream can help you centralize third-party incident intake, evidence capture, and escalation tasks so Legal and Security are working from the same record during the disclosure window.

Deliverable: Third-party cyber incident evidence packet linked to the MDG worksheet.

Required evidence and artifacts to retain

Retain artifacts as if you will need to reconstruct the decision under scrutiny:

  • Incident timeline (detection, containment, recovery milestones)
  • MDG call/meeting invites, attendance, and minutes
  • Materiality worksheet versions with timestamps
  • Materiality determination memo and approval trail
  • Draft history of Item 1.05 language and reviewer comments
  • Source documents for key statements (forensic summaries, third-party notifications, system status reports)
  • Communications alignment record (IR/Comms sign-off, customer notices if any)
  • Board/committee briefing materials if used
  • Evidence of filing submission and acceptance

Common exam/audit questions and hangups

Expect auditors, internal audit, or external counsel to probe:

  • “Show me how you define and document the moment of materiality determination.” (SEC Release No. 33-11216)
  • “Who has authority to decide materiality, and what happens if they are unavailable?”
  • “How do you ensure Security doesn’t ‘sit on’ a borderline incident?”
  • “How do you validate statements about scope and impact before filing?”
  • “How do third-party incidents get escalated and evidenced?”
  • “How do you prevent inconsistent disclosures across press releases, customer communications, and SEC filings?”

Frequent implementation mistakes (and how to avoid them)

  1. No recorded determination point. Teams discuss materiality informally over days with no clear determination time.
    Fix: require a dated determination memo (even if preliminary) and a workflow state change in your GRC/IR tooling. (SEC Release No. 33-11216)

  2. Security owns the decision alone. Technical severity does not equal material impact.
    Fix: MDG membership must include finance and securities counsel; require sign-off before closing the determination. (SEC Release No. 33-11216)

  3. Overly detailed claims based on early forensics. Later corrections create credibility risk.
    Fix: draft with bounded specificity; maintain a “confirmed facts only” rule for actor, root cause, and exfiltration volume unless verified. (SEC Release No. 33-11216)

  4. Third-party incident blind spots. You learn about the issue late or cannot validate scope.
    Fix: strengthen third-party notification and cooperation clauses; pre-build a third-party incident evidence checklist and escalation triggers.

  5. Disclosure process exists on paper only. The first real test is a crisis.
    Fix: run tabletop exercises that include Legal/Finance/IR and an 8-K drafting drill using your template. (SEC Release No. 33-11216)

Enforcement context and risk implications

No public enforcement cases are provided in the supplied sources. Even without case citations, your risk is straightforward: late filing, inconsistent statements, or a weakly supported materiality determination can create regulatory scrutiny and investor litigation exposure. The control goal is a defensible process tied directly to the SEC’s required disclosure elements and timeline. (SEC Release No. 33-11216)

Practical 30/60/90-day execution plan

Because the SEC deadline is four business days from determination, focus on workflow readiness over perfect documentation. (SEC Release No. 33-11216)

First 30 days (get to “runnable”)

  • Appoint the MDG, define authority, and publish the call tree.
  • Ship v1 of the materiality worksheet and determination memo template.
  • Build the Item 1.05 draft shell and review routing (Legal, CFO, IR/Comms).
  • Update incident response runbooks with escalation triggers into the MDG.

Days 31–60 (make it real)

  • Run a tabletop that ends with a mock materiality determination and mock Item 1.05 draft.
  • Add third-party incident intake requirements and evidence checklist to TP risk processes.
  • Align Communications: define who approves external statements during MDG review.
  • Configure tooling (ticketing/GRC) to time-stamp determination and preserve draft history.

Days 61–90 (harden and prove control)

  • Train alternates for each MDG role; document coverage for vacations and travel.
  • Add internal audit validation steps: sampling escalations, checking completeness of evidence packets.
  • Tune thresholds based on tabletop lessons: remove noisy triggers, add missing ones.
  • Create a standing relationship/process with outside counsel for rapid drafting support.

Frequently Asked Questions

Does the four-business-day clock start when the incident happens or when we discover it?

It starts when the registrant determines the incident is material, not at occurrence or initial detection. Your process must clearly document when that determination is made. (SEC Release No. 33-11216)

What has to be included in the Item 1.05 disclosure?

Describe the material aspects of the incident’s nature, scope, and timing, plus the material impact or reasonably likely material impact on the company. Keep statements accurate and based on confirmed information. (SEC Release No. 33-11216)

Who should decide materiality for cybersecurity incidents?

Put the decision with a cross-functional group that includes securities counsel and finance, informed by the CISO/incident commander’s facts. Document the decision and the basis for it each time. (SEC Release No. 33-11216)

What if the incident is at a third party and we don’t have all the details?

Escalate anyway if the business impact could be material. Collect and preserve third-party notifications, cooperation records, and your internal impact assessment, then draft disclosures that stay within confirmed facts. (SEC Release No. 33-11216)

Can we delay disclosure to avoid tipping off attackers or to protect an investigation?

The rule provides a limited delay when the U.S. Attorney General determines immediate disclosure would pose a substantial risk to national security or public safety. Treat this as a formal pathway, not an informal decision. (SEC Release No. 33-11216)

What evidence will auditors ask for to prove we complied?

Expect requests for the time-stamped materiality determination record, decision participants, incident timeline, drafting history, and source documents supporting statements about scope and impact. Retain these in a single case file. (SEC Release No. 33-11216)

Authoritative Sources

  • SEC Release No. 33-11216 (cited throughout this page)
