SEC Cybersecurity Incident Disclosure - Item 1.05 Form 8-K

To meet the SEC cybersecurity incident disclosure requirement (Form 8-K, Item 1.05), you must (1) run a defensible materiality determination process for cybersecurity incidents, made without unreasonable delay after discovery, and (2) file Form 8-K, Item 1.05 within four business days after you determine the incident is material 1. Build disclosure controls so cybersecurity facts reach the disclosure decision-makers fast enough to meet the clock.

Key takeaways:

  • The deadline starts after the materiality determination, not after initial detection 1; the determination itself must be made without unreasonable delay after discovery, so detection-to-determination time is not a free buffer.
  • Your 8-K must cover the incident’s nature, scope, timing, and material impact or reasonably likely material impact 1.
  • SEC enforcement has already targeted failures of cybersecurity disclosure controls, not only late or missing disclosures 2.

Item 1.05 of Form 8-K is an operational deadline problem disguised as a disclosure rule. The SEC requires a registrant to disclose a material cybersecurity incident within four business days after determining the incident is material, and the disclosure must describe the material aspects of the incident’s nature, scope, and timing plus the material impact (or reasonably likely material impact) on the registrant 1. That means your incident response program must feed your disclosure controls program.

CCOs and GRC leads usually don’t “own” incident response or SEC reporting end-to-end. You still own the control design that connects the two: escalation triggers, decision rights, documentation, and repeatable evidence. The biggest failure mode is not bad intent; it’s fragmentation. Security has partial facts, legal gets them late, finance can’t quantify impacts quickly, and the disclosure committee makes decisions without full visibility.

This page translates the requirement into a practical operating model: who decides materiality, what minimum facts must be gathered, how to document the decision, and what to retain for audit/exam readiness. Where useful, it ties the rule to enforcement expectations illustrated in the SEC’s action involving R.R. Donnelley 2.

Regulatory text

What the rule says (operator-grade): A registrant must disclose any cybersecurity incident it determines to be material on Item 1.05 of Form 8-K within four business days after that determination 1. The disclosure must describe the incident’s material aspects of nature, scope, and timing, and the material impact or reasonably likely material impact on the registrant 1.

What you must be able to do in practice:

  1. Detect and triage cybersecurity incidents with enough rigor to support a materiality analysis.
  2. Reach a documented materiality determination through your disclosure controls.
  3. Draft and file an Item 1.05 8-K within the required timeline after the determination 1.
  4. Prove your disclosure controls are designed so senior management receives relevant incident information for timely disclosure decisions 2.

Who it applies to

Entity scope: Exchange Act registrants that file reports under Section 13(a) or 15(d). Item 1.05 sits in Form 8-K, so it applies to domestic issuers; foreign private issuers report material cybersecurity incidents on Form 6-K rather than on an 8-K. Both sit within the SEC’s 2023 cybersecurity disclosure framework alongside Regulation S-K Item 106 1.

Operational context (where teams get tripped up):

  • Incidents in corporate IT, OT, cloud environments, endpoints, and third-party hosted environments.
  • Incidents at third parties that create a material impact (or reasonably likely material impact) to the registrant’s operations, financial condition, or reporting obligations. The rule is about the registrant’s disclosure; you still need contractual and operational pathways to obtain facts from third parties fast enough to assess materiality.

Plain-English interpretation of the requirement

You need a “disclose or explain” decision trail for every significant cybersecurity incident:

  • If you determine it is material, you must file Item 1.05 within four business days after that determination 1.
  • If you determine it is not material, you should still retain documentation that shows who reviewed what facts, when, and why the incident did not rise to materiality. That documentation is part of having disclosure controls that work under pressure 2.

The SEC has signaled it will look closely at whether disclosure controls provide decision-makers “full visibility” into incident information needed for materiality assessment 2.

What you actually need to do (step-by-step)

Step 1: Define the trigger set that forces a disclosure workflow

Create written triggers that require security to open a “SEC disclosure track” parallel to technical response. Avoid vague language like “significant incident.” Use operational thresholds you can detect and route, such as:

  • Confirmed ransomware deployment.
  • Confirmed data exfiltration indicators.
  • Widespread service disruption or extended outage.
  • Credible threat actor claim with supporting evidence.

Your triggers are internal; the SEC text does not prescribe the thresholds. The point is speed and consistency so the right people get the facts in time to decide 1.

Step 2: Assign decision rights and a single accountable owner for “materiality determination”

Materiality is a disclosure determination. In most issuers, the practical model is:

  • Security: owns technical fact development (what happened, where, when, what data/systems).
  • Legal/SEC reporting: owns disclosure analysis and drafting.
  • Finance: owns potential quantitative impact inputs.
  • Disclosure committee (or equivalent): makes the materiality determination; document who has authority.

Write this into your disclosure controls and procedures so there is no ambiguity during an incident 2.

Step 3: Standardize the minimum fact set required for a materiality memo

Build a one-page incident disclosure intake that security must complete and update on a cadence during the first days of an incident. Minimum fields should include:

  • Nature: ransomware, business email compromise, insider, cloud misconfiguration, etc.
  • Scope: affected business units, systems, geographies, and third parties involved.
  • Timing: first known occurrence, detection time, containment milestones.
  • Data: what categories may be involved; known/estimated volume; affected populations.
  • Business impact: downtime, customer impact, contractual impacts, safety/operational impacts.
  • Confidence levels: known vs suspected.

The SEC expects disclosures to cover nature, scope, timing, and impact 1. Enforcement history shows the SEC can focus on whether those assessing materiality had visibility into scope details such as exfiltration and affected parties 2.

Step 4: Run a timed “materiality huddle” process, then document the determination

Operationalize a repeatable cadence:

  1. Initial huddle once a trigger hits: security, legal, finance, IR/comms, and the disclosure committee chair.
  2. Daily updates until a determination is made.
  3. Materiality determination memo (even if short) capturing:
    • Facts considered and sources.
    • Key uncertainties and what is being done to resolve them.
    • Determination outcome and approvers.
    • Timestamp of the determination (this starts the filing clock) 1.

Step 5: Pre-build the Item 1.05 drafting workflow

You will not draft cleanly under live-fire unless you pre-wire it:

  • Maintain an Item 1.05 template that maps directly to the required disclosure elements 1.
  • Decide who drafts, who reviews, and who signs off.
  • Define a “no-surprises” coordination process with incident response communications so public statements do not conflict with the 8-K narrative.

Step 6: Test the control with a tabletop

Run a tabletop that starts with a realistic scenario and ends with a mock materiality determination and a mock Item 1.05 draft. The goal is not perfect prose. The goal is timing, handoffs, and fact quality under pressure.
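The following is an added example, not part of the SEC rule text or of any issuer’s actual procedure. It strings Steps 1 to 4 together as one auditable record: the written trigger set, the minimum intake fact set with known-versus-suspected confidence, a timestamped materiality memo whose timestamp starts the four-business-day clock, and the trigger-to-huddle, trigger-to-complete-intake and trigger-to-determination metrics described in the Days 61–90 plan below. The trigger thresholds, field names, timestamps and holiday list are all constructed assumptions; business days are modelled as Monday to Friday minus a supplied holiday list, with no EDGAR cut-off time.

```python
"""Added example, not part of the SEC rule text or any issuer's actual
procedure.  One incident on an internal "SEC disclosure track": written
triggers (assumed thresholds), the minimum intake fact set with
known-vs-suspected confidence, a timestamped materiality memo that starts
the four-business-day clock, and the internal timing metrics.  All sample
timestamps, field names and the holiday list are constructed."""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, Iterable, List

OUTAGE_TRIGGER_HOURS = 8  # assumed threshold; the rule prescribes none


def fired_triggers(facts: Dict[str, object]) -> List[str]:
    """Names of the written escalation triggers met by the current facts."""
    fired = []
    if facts.get("ransomware_confirmed"):
        fired.append("confirmed_ransomware")
    if facts.get("exfiltration") == "confirmed":
        fired.append("confirmed_exfiltration")
    if facts.get("outage_hours", 0) >= OUTAGE_TRIGGER_HOURS:
        fired.append("extended_outage")
    if facts.get("actor_claim") and facts.get("claim_evidence"):
        fired.append("credible_actor_claim")
    return fired


REQUIRED_FIELDS = ("nature", "scope", "timing", "data", "business_impact")


@dataclass
class Intake:
    fields: Dict[str, str]       # one entry per required field
    confidence: Dict[str, str]   # "known" or "suspected" per field
    updated_at: datetime

    def gaps(self) -> List[str]:
        """Fields still missing or only suspected: the memo's open uncertainties."""
        return [f for f in REQUIRED_FIELDS
                if not self.fields.get(f) or self.confidence.get(f) != "known"]


def filing_deadline(determined_at: datetime, holidays: Iterable[date] = ()) -> date:
    """Last day of the four-business-day window after the determination.
    Assumed convention: determination day is day 0, business days are Mon-Fri
    minus the supplied holidays; no EDGAR cut-off time is modelled."""
    hol = set(holidays)
    d, remaining = determined_at.date(), 4
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in hol:
            remaining -= 1
    return d


def materiality_memo(intake: Intake, material: bool, approvers: List[str],
                     determined_at: datetime, holidays=()) -> Dict[str, object]:
    """Determination record; the filing deadline is set only for a material finding."""
    return {
        "facts": dict(intake.fields),
        "uncertainties": intake.gaps(),
        "material": material,
        "approvers": list(approvers),
        "determined_at": determined_at.isoformat(),
        "filing_deadline": filing_deadline(determined_at, holidays) if material else None,
    }


def timing_metrics(events: Dict[str, datetime]) -> Dict[str, float]:
    """Hours from the trigger to each later milestone."""
    t0 = events["trigger"]
    return {k: (v - t0).total_seconds() / 3600
            for k, v in events.items() if k != "trigger"}


def example_results() -> Dict[str, object]:
    """Constructed sample incident: confirmed ransomware with a 30-hour outage."""
    facts = {"ransomware_confirmed": True, "exfiltration": "suspected",
             "outage_hours": 30, "actor_claim": True, "claim_evidence": False}
    first = Intake(
        fields={"nature": "ransomware", "scope": "EU order-management cluster",
                "timing": "first activity 2024-02-26T22:10Z, detected 2024-02-27T08:40Z",
                "data": "customer PII, volume unknown",
                "business_impact": "order intake halted"},
        confidence={"nature": "known", "scope": "known", "timing": "known",
                    "data": "suspected", "business_impact": "known"},
        updated_at=datetime(2024, 2, 27, 12, 0))
    # Day-3 update: exfiltration scope is now known, so the intake is complete.
    final = Intake(dict(first.fields, data="approx. 1.2M customer records exfiltrated"),
                   dict(first.confidence, data="known"), datetime(2024, 2, 29, 9, 0))
    determined = datetime(2024, 3, 1, 16, 0)   # Friday afternoon (constructed)
    memo = materiality_memo(final, True, ["Disclosure Committee Chair", "GC"], determined)
    metrics = timing_metrics({"trigger": datetime(2024, 2, 27, 9, 0),
                              "huddle": datetime(2024, 2, 27, 11, 30),
                              "intake_complete": final.updated_at,
                              "determination": determined})
    return {"triggers": fired_triggers(facts), "first_gaps": first.gaps(),
            "final_gaps": final.gaps(), "memo": memo, "metrics": metrics,
            "deadline_with_holiday": filing_deadline(determined, [date(2024, 3, 4)])}


if __name__ == "__main__":
    for key, value in example_results().items():
        print(key, value)
```

The weekend case is the one worth checking by hand: a Friday-afternoon determination yields a Thursday deadline, and a Monday holiday pushes it to Friday. Note that the memo deliberately carries the open uncertainties from the intake, so a non-material finding made while fields are still "suspected" is visible as such in the retained record.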

If you need a system to keep the workflow audit-ready, Daydream can track the control steps, owners, timestamps, and evidence packets so you can show how the decision was made and what information was available at the time.

Required evidence and artifacts to retain

Retain artifacts in a single matter folder per incident, with access controls and legal privilege considerations coordinated with counsel:

Disclosure controls evidence

  • Cyber incident escalation SOP showing triggers, recipients, and timelines.
  • Disclosure committee charter or documented decision authority.
  • Training records for security and legal on escalation and intake.

Incident-specific evidence

  • Incident log (security tickets, timeline, major actions).
  • Completed “SEC disclosure intake” forms and updates.
  • Materiality determination memo (including non-material determinations).
  • Drafts and final filed Form 8-K Item 1.05 package and review comments.
  • Communications showing what senior management received and when, since SEC scrutiny can focus on whether controls delivered relevant info to senior leadership 2.

Public enforcement cases

In the Matter of R.R. Donnelley & Sons Company (Release No. 34-100365)

Why compliance teams care: The SEC charged R.R. Donnelley with failing to maintain disclosure controls and procedures related to a cybersecurity incident 2. The SEC’s press release framed the case as part of its focus on robust disclosure controls to support timely and accurate disclosure to investors 3.

Operational lesson you can apply immediately: Treat “visibility into scope” as a control requirement. The SEC described disclosure-controls failures where staff responsible for assessing materiality did not have full visibility into incident information such as scope of exfiltration and affected parties 2. Your intake form and escalation workflow should force those fields to be owned, updated, and reviewed.

Common exam/audit questions and hangups

  • “Show me your written disclosure controls and procedures for cybersecurity incidents.” Auditors will want the cyber-specific bridge into SEC reporting 2.
  • “How do you define and document the materiality determination?” Expect scrutiny of timestamps and approvals 1.
  • “How does security ensure senior management receives relevant details quickly?” The R.R. Donnelley action points directly at this control design expectation 2.
  • “Show incidents you deemed non-material and your rationale.” If your log only shows disclosed incidents, it looks like you lack a complete assessment process.

Frequent implementation mistakes (and how to avoid them)

  1. No clear “start line” for the four-business-day clock, and no record showing the determination was reached without unreasonable delay after discovery. Fix: define “materiality determination” authority and require a dated memo that also records when the incident was discovered 1.
  2. Security reports “an incident happened” but cannot report scope. Fix: require fields for exfiltration indicators, affected systems, and affected parties; update daily 2.
  3. Disclosure committee meets too late. Fix: make triggers automatic and time-bound. If ransomware is confirmed, the committee gets paged and the first huddle is scheduled within a fixed number of hours.
  4. Uncontrolled communications. Fix: tie external communications review into the same workflow as the Item 1.05 draft so disclosures stay consistent.
  5. No evidence packet. Fix: standardize a folder structure and retention checklist per incident. Daydream can enforce the checklist and preserve immutable timestamps.

30/60/90-day execution plan

Days 0–30: Put the minimum viable controls in place

  • Name the cyber disclosure owner (often Legal/SEC reporting) and a security counterpart.
  • Draft escalation triggers and a one-page incident disclosure intake.
  • Publish a materiality huddle SOP and a decision memo template.
  • Inventory who must be on the call list (security, legal, finance, comms, disclosure committee).

Days 31–60: Make it repeatable and testable

  • Integrate triggers into security tooling/workflows (ticket categories, severity mapping, paging).
  • Train security incident commanders on the intake fields and update cadence.
  • Run a tabletop that ends with a mock Item 1.05 narrative aligned to the required elements 1.

Days 61–90: Audit-proof it

  • Stand up a formal evidence retention checklist and repository controls.
  • Add internal timing metrics: time from trigger to huddle, time to first complete intake, time from discovery to determination, and time from determination to filing.
  • Perform a retrospective on the tabletop and revise triggers, templates, and decision rights.
  • If you need durable workflow governance, configure Daydream to assign tasks, capture approvals, and keep evidence organized incident-by-incident.

Frequently Asked Questions

When does the four-business-day deadline start?

It starts after you determine the cybersecurity incident is material, not at detection or containment 1. Your controls must timestamp that determination and preserve who approved it.

What must we include in the Item 1.05 disclosure?

The disclosure must describe the incident’s material aspects of nature, scope, and timing, plus the material impact or reasonably likely material impact on the registrant 1. Keep the draft anchored to those required elements.

Do we need to disclose every ransomware event?

The rule requires disclosure of incidents you determine are material 1. You still need a documented materiality assessment process for ransomware events because they commonly trigger the disclosure workflow.

How do we handle incomplete facts within the deadline?

Build your workflow to document known facts, key uncertainties, and an update plan during the materiality process. The requirement focuses on disclosing material aspects once materiality is determined and filing on time after that determination 1. Item 1.05 also provides for information that is not determined or unavailable at filing time: the 8-K must say so, and the registrant must file an amendment within four business days after it determines or obtains that information, again without unreasonable delay. Track those open items in the same evidence packet so the amendment clock is managed like the original one.

What will the SEC focus on besides the timing of the 8-K?

Expect scrutiny of disclosure controls and whether senior management and materiality assessors had full visibility into relevant incident information 2. The SEC has publicly emphasized disclosure controls in this context 3.

What evidence should we keep if we decide an incident is not material?

Keep the incident intake, the materiality memo with rationale, the approver list, and communications showing what information was reviewed. These artifacts help demonstrate your disclosure controls functioned and the decision was governed 2.


Footnotes

  1. 17 CFR 229.106 (Regulation S-K Item 106), 2023

  2. Release No. 34-100365, 2024

  3. SEC Press Release 2024-76, 2024

