Regulation

SEC Item 1.05 Year Two: 8-Ks, Sweeps, and the May 2024 Guidance

Between December 2023 and January 2025, 54 companies filed 55 cyber incident 8-Ks. The May 2024 SEC staff guidance bifurcated the practice into 1.05 versus 8.01 disclosures.

Yukti Singhal
Security Researcher

The SEC's cybersecurity incident disclosure rule (Release No. 33-11216) took effect on December 18, 2023, for large filers and June 15, 2024, for smaller reporting companies. From December 18, 2023, through January 19, 2025, 54 companies filed 55 cybersecurity 8-Ks; one filer (Halliburton) disclosed twice. The first year produced data that the SEC's Division of Corporation Finance used to refine practice via two staff statements in May and June 2024, and a four-company enforcement sweep settled in October 2024. Year two is now defined less by the four-business-day clock and more by the choice of which item number to file under.

What does Item 1.05 actually require?

Item 1.05 of Form 8-K requires registrants to disclose, within four business days of determining that a cybersecurity incident is material, "the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations." The trigger is the materiality determination, not the discovery of the incident itself, and the determination must be made "without unreasonable delay." Foreign private issuers report comparable information on Form 6-K. The rule also added Item 106 of Regulation S-K, requiring annual disclosure of cyber risk management, strategy, and governance in 10-K filings.

Why did the SEC split disclosures into 1.05 and 8.01?

On May 21, 2024, Director of Corporation Finance Erik Gerding issued a statement noting that registrants were filing Item 1.05 disclosures for incidents they had not yet determined to be material, or that they had determined were not material. Gerding wrote that "if a company chooses to disclose a cybersecurity incident for which it has not yet made a materiality determination, or which it determined was not material, the Division encourages the company to disclose that cybersecurity incident under a different item of Form 8-K (for example, Item 8.01)." The market complied. Of 41 cyber incident 8-Ks filed between April 2024 and January 19, 2025, 26 used Item 8.01 (Other Events) and 15 used Item 1.05.

SEC 8-K cyber filings by item number (Dec 2023 - Jan 2025)
+-----------------+-----------+-----------+-------+
| Period          | Item 1.05 | Item 8.01 | Total |
+-----------------+-----------+-----------+-------+
| Dec '23-Apr '24 |    14     |     0     |   14  |
| May '24-Jan '25 |    15     |    26     |   41  |
| Total           |    29     |    26     |   55  |
+-----------------+-----------+-----------+-------+
Source: SEC EDGAR, aggregated by Debevoise & Plimpton (Feb 2025)

What did the May-July 2024 sweep find?

Between May 24 and July 26, 2024, the Division of Corporation Finance issued 14 comment letters in a non-public sweep of Item 1.05 filings. The letters focused on three concerns: filings made before a materiality determination; filings using Item 1.05 for incidents the registrant later concluded were not material; and disclosures missing the four required elements (nature, scope, timing, and material impact). Two of those letters became publicly available through normal EDGAR correspondence release after registrant requests for confidential treatment expired. The sweep did not result in penalties but established the comment template for fiscal 2025 reviews.

What did the October 2024 enforcement actions cost?

On October 22, 2024, the SEC announced settled charges against four registrants — Unisys, Avaya, Check Point Software, and Mimecast — for "making materially misleading disclosures regarding cybersecurity risks and intrusions." All four had been affected by the SolarWinds Orion compromise disclosed in December 2020. The aggregate civil penalty was $7 million: Unisys $4 million, Avaya $1 million, Check Point $995,000, Mimecast $990,000. The SEC found that each company had downplayed the scope of intrusion in 10-K filings, with Unisys describing the incidents as "hypothetical" and Avaya disclosing only "limited" exfiltration when the actor had accessed roughly 250 cloud mailbox files. The cases were brought under Section 17(a)(2) and (3) of the Securities Act, not the new Item 1.05 rule, but the message about specificity carried.

How is the SolarWinds dismissal affecting Year Two practice?

On July 18, 2024, Judge Paul Engelmayer of the Southern District of New York dismissed most of the SEC's complaint against SolarWinds and its CISO Timothy Brown, leaving only the claim that statements on the company's public Security Statement web page were false. On November 20, 2025, the SEC voluntarily dismissed the remaining claim with prejudice. Practitioners read the combined outcome as a constraint on the SEC's ability to use Section 13(b)(2)(B) internal accounting controls to police cybersecurity, and as an indication that future enforcement will target specific statements rather than systemic posture. The practical effect on 8-K drafting is more specific incident descriptions and less reliance on boilerplate risk factor caveats.

What should registrants do in 2026?

Build a materiality determination workflow that produces a documented record. The four-business-day clock starts at determination, but the determination itself must be made "without unreasonable delay" — and SEC comment letters have probed whether registrants delayed determinations to extend the disclosure window. Distinguish two filing tracks in your incident response plan: Item 1.05 for material incidents, Item 8.01 for incidents the company elects to disclose voluntarily. Calibrate language to avoid "hypothetical" framing when the company already knows an incident occurred. For ransomware events, treat the unauthorized access component separately from the encryption or extortion component when assessing materiality. And review 10-K Item 106 disclosures against the actual security program; the October 2024 cases punished gaps between disclosed governance and actual governance.

How Safeguard Helps

Safeguard's incident workflow stamps every detection with the metadata Item 1.05 requires: the affected systems, the data categories, the third-party software in the dependency chain, the SBOM components with active CVEs, and a draft "nature, scope, and timing" narrative produced by Griffin AI from the underlying telemetry. The platform tracks the materiality determination clock from detection to decision, producing the auditable timestamp record SEC sweeps probe. TPRM scoring continuously assesses whether upstream SaaS vendors meet the security commitments disclosed in 10-K Item 106 filings, flagging drift before it becomes a misleading-disclosure exposure. Pre-filed JSON payloads aligned to EDGAR Item 1.05 and Item 8.01 templates let counsel finalize text rather than gather facts during the four-day window.
