SEC 8-K Item 1.05 Cybersecurity Disclosure: What It Is and What Companies Must Report
Public companies face a new reality: material cybersecurity incidents are no longer optional disclosures to shareholders. Since December 18, 2023 (June 15, 2024 for smaller reporting companies), the SEC has required public companies to report a material cybersecurity incident on Form 8-K Item 1.05 within four business days of determining that the incident is material, or face potential enforcement action.
This guide breaks down Item 1.05 in plain English: what qualifies as a required disclosure, what companies must include, timing rules, permitted delays, and how to stay compliant.
TL;DR
SEC 8-K Item 1.05 requires public companies to disclose a material cybersecurity incident within four business days after determining that it is material, and to make that determination without unreasonable delay after discovery. "Material" follows the ordinary securities-law standard: a substantial likelihood that a reasonable investor would consider the information important in making an investment decision. Typical examples are ransomware that halts operations, exfiltration of customer or employee data, and incidents that compromise the confidentiality, integrity, or availability of the company's systems or data. The filing must describe the material aspects of the incident's nature, scope, and timing, and its material impact or reasonably likely material impact on the company, including on its financial condition and results of operations. Filing may be delayed only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing. Failure to disclose can trigger SEC enforcement actions, civil penalties, officer sanctions, shareholder litigation, and reputational damage.
What Is SEC 8-K Item 1.05 Cybersecurity Disclosure?
Item 1.05 is a mandatory disclosure item that the SEC added to Form 8-K (Current Report) in its July 2023 cybersecurity disclosure rule, effective December 18, 2023. Form 8-K is the filing public companies use to report specified events between periodic reports, generally within four business days of the triggering event: mergers, leadership changes, bankruptcy, and now material cybersecurity incidents.
Item 1.05 is titled "Material Cybersecurity Incidents." (The "Costs Associated with Exit or Disposal Activities" item it is sometimes confused with is Item 2.05 and is unrelated.) The rule borrows its definitions from Regulation S-K Item 106: a cybersecurity incident is an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through the company's information systems that jeopardizes the confidentiality, integrity, or availability of those systems or the information residing in them. Information systems include third-party systems the company uses, so an incident at a cloud or SaaS provider that affects the company's data can be the company's incident to assess and, if material, to report.
The rule applies to companies subject to SEC reporting requirements—roughly 4,000+ U.S. public companies—and foreign private issuers report comparable incidents on Form 6-K. It does not apply to private companies, though state breach notification laws, sector regulators, and cyber-insurance policies impose their own notification duties.
When Must Companies File an 8-K for Cybersecurity Incidents?
The trigger is the company's materiality determination, not the attack itself. Once a company determines that a cybersecurity incident is material—meaning there is a substantial likelihood that a reasonable investor would consider it important—it must file within four business days of that determination. The determination must be made without unreasonable delay after discovery; a company cannot keep the clock from starting by putting off the analysis.
The SEC deliberately declined to set a bright-line threshold (e.g., "losses over $X million" or "more than Y records affected"). Instead, companies must weigh both quantitative and qualitative factors:
- Quantitative: Financial impact (direct costs, recovery, remediation, regulatory fines, ransom).
- Qualitative: Impact on business operations, customer trust, regulatory compliance, intellectual property, or competitive position.
Examples of incidents typically considered material:
- Ransomware attacks that halt or significantly degrade operations or require significant ransom/recovery spending.
- Data breaches affecting thousands of customer or employee records (personal data like SSN, financial info, health records).
- Exfiltration of trade secrets or confidential business information.
- System shutdowns affecting critical business functions (e.g., production, customer-facing services).
- Regulatory consequences: Loss of license, state AG involvement, or HIPAA/PCI violations.
If a company is uncertain about materiality, it should complete and document the analysis promptly rather than wait to see if the incident "gets bigger"; delay in making the determination is not a defense for a late filing. A company that chooses to disclose an incident it has not determined to be material (or has determined is not material) should do so under Item 8.01 (Other Events) rather than Item 1.05; SEC staff has asked companies to reserve Item 1.05 for incidents actually determined to be material so that an Item 1.05 filing carries a clear signal for investors.
What Specific Information Must Be Disclosed Under Item 1.05?
The rule requires companies to describe:
- The material aspects of the nature, scope, and timing of the incident: what kind of incident it was (for example ransomware, unauthorized access, data exfiltration), which systems or categories of data were involved, and when it occurred and was discovered, at the level of detail an investor needs to understand it.
- The material impact, or reasonably likely material impact, on the company, including on its financial condition and results of operations: operational disruption, response and recovery costs, lost revenue, ransom paid, and effects on customers, contracts, reputation, or legal and regulatory exposure, to the extent material.
- Anything required but not yet determined: if required information is unavailable at filing time, the 8-K must say so, and the company must file an amended 8-K (Form 8-K/A) within four business days after the information is determined or becomes available.
Companies do not need to disclose:
- Hypothetical or speculative damages.
- Specific or technical information about the planned response, or about the company's systems, networks, devices, or potential vulnerabilities, in such detail as would impede its response or remediation. The SEC also dropped the proposed requirement to state whether the incident has been remediated.
- Anything at all, yet, if the Attorney General has authorized a delay (see below); the delay postpones the whole filing rather than permitting selective omissions.
- Customer names or individual account details (aggregate impact is sufficient).
The disclosure should be specific enough for an investor to understand the risk, but not so detailed as to provide a "how-to" for copying the attack.
What Qualifies as a "Material" Cybersecurity Incident?
Materiality is the core question. The SEC did not create a cyber-specific standard; it applies the general securities-law test: is there a substantial likelihood that a reasonable investor would consider the information important in deciding to buy, hold, or sell, or would it significantly alter the total mix of information available?
Factors that weigh toward materiality:
- Confidentiality breach: Unauthorized access to or exfiltration of personal, financial, or proprietary data. Volume matters, but there is no record-count threshold; the sensitivity of the data and the population affected matter as much.
- Integrity compromise: Modification or deletion of critical systems, inventory, or records (even if data wasn't exfiltrated).
- Availability loss: Ransomware or DoS attacks that shut down services; critical business operations impaired. Duration and which operations were hit drive the analysis, not a fixed number of hours.
- Financial impact: Response, recovery, and remediation costs, lost revenue, ransom, and expected fines, judged against the company's size. Rules of thumb such as a percentage of revenue are internal planning aids, not SEC thresholds.
- Brand/market impact: Public disclosure of breach, customer churn risk, loss of contracts.
- Regulatory consequences: Triggering state AG investigations, HIPAA fines, PCI non-compliance, or industry-specific penalties.
Edge cases that may NOT be material:
- Phishing attempts blocked by email filters (no unauthorized occurrence).
- An isolated compromised employee credential that was contained and rotated before it was used to reach sensitive systems or data.
- Third-party vendor incidents that never touched the company's data or the systems it relies on. (If they did, the incident is the company's to assess; the rule covers third-party systems the company uses.)
- Low-volume data exposure (e.g., 50 customer records in a 500,000-customer base), provided it is not one of a series of related occurrences that is material in aggregate.
Best practice: When in doubt, document the materiality analysis and the reasoning behind it, and decide promptly. The SEC treats a late or missing disclosure of a material incident far more harshly than a well-documented determination, and a company that wants to disclose a non-material incident can do so under Item 8.01.
What Are the Timing Requirements for 8-K Item 1.05 Filings?
Four business days is the hard deadline, measured from the date the company determines the incident is material. That determination must be made without unreasonable delay after discovery, so the clock cannot be stalled by deferring the analysis.
Timeline breakdown:
- Discovery: Investigation begins; incident response team activated; the materiality analysis starts immediately.
- Determination (Day 0): The company concludes the incident is material. The four-business-day clock starts here.
- Days 1–3: Finalize the facts needed for disclosure, estimate impact, draft the 8-K, legal review.
- Day 4: File Form 8-K Item 1.05 with the SEC via EDGAR.
Important nuances:
- Weekends and federal holidays don't count: The four-day clock counts only business days (Mon–Fri, excluding federal holidays). EDGAR's filing window also matters: a submission accepted after 5:30 p.m. Eastern Time receives the next business day's filing date, so a Day 4 filing must be submitted before that cutoff.
- Determination timing matters: "Without unreasonable delay" means a company cannot wait for a complete picture before deciding. A company whose monitoring or escalation is so weak that the determination is unreasonably delayed faces the same exposure as one that files late.
- Preliminary information is acceptable: Companies don't need to wait for a complete forensic report. Early 8-K filings typically state that certain required information has not yet been determined, and the company then files an amended 8-K (Form 8-K/A) within four business days after it becomes available (see amendments below).
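The business-day arithmetic above is easy to get wrong in the middle of an incident, especially around a holiday weekend. The following calculator is an added example written for this guide, not SEC code or guidance. It assumes the U.S. federal holiday list below (with the usual Saturday/Sunday observance rules) and EDGAR's 5:30 p.m. Eastern Time cutoff; both should be checked against the current EDGAR Filer Manual before an IR team relies on the output. The same four-business-day function also applies to the 8-K/A that follows once previously undetermined information becomes available, and the Attorney General delay windows are included for completeness.

```python
"""Form 8-K Item 1.05 deadline calculator (added example; assumptions noted inline)."""
from datetime import date, datetime, time, timedelta

MONDAY, THURSDAY, SATURDAY, SUNDAY = 0, 3, 5, 6
# Assumption: EDGAR dates submissions accepted after 5:30 p.m. Eastern Time as the
# next business day, so this is the practical latest time to submit on the due date.
EDGAR_CUTOFF = time(17, 30)


def _nth_weekday(year: int, month: int, weekday: int, n: int) -> date:
    """n-th occurrence of `weekday` (Monday=0) in the given month."""
    first = date(year, month, 1)
    return first + timedelta(days=(weekday - first.weekday()) % 7 + 7 * (n - 1))


def _last_weekday(year: int, month: int, weekday: int) -> date:
    """Last occurrence of `weekday` in the given month."""
    last = date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - weekday) % 7)


def _observed(d: date) -> date:
    """Fixed-date holidays falling on a weekend are observed Friday/Monday."""
    if d.weekday() == SATURDAY:
        return d - timedelta(days=1)
    if d.weekday() == SUNDAY:
        return d + timedelta(days=1)
    return d


def federal_holidays(year: int) -> set[date]:
    """Observed U.S. federal holidays for one calendar year (assumed list)."""
    fixed = [date(year, 1, 1), date(year, 6, 19), date(year, 7, 4),
             date(year, 11, 11), date(year, 12, 25)]
    floating = [
        _nth_weekday(year, 1, MONDAY, 3),     # Martin Luther King Jr. Day
        _nth_weekday(year, 2, MONDAY, 3),     # Washington's Birthday
        _last_weekday(year, 5, MONDAY),       # Memorial Day
        _nth_weekday(year, 9, MONDAY, 1),     # Labor Day
        _nth_weekday(year, 10, MONDAY, 2),    # Columbus Day
        _nth_weekday(year, 11, THURSDAY, 4),  # Thanksgiving
    ]
    holidays = {_observed(d) for d in fixed} | set(floating)
    # New Year's Day of the following year may be observed on Dec 31 of this year.
    next_new_year = _observed(date(year + 1, 1, 1))
    if next_new_year.year == year:
        holidays.add(next_new_year)
    return holidays


def is_business_day(d: date) -> bool:
    return d.weekday() < SATURDAY and d not in federal_holidays(d.year)


def add_business_days(start: date, n: int) -> date:
    """`start` is Day 0; return the n-th business day after it."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if is_business_day(d):
            n -= 1
    return d


def item_105_deadline(determination: date) -> tuple[date, datetime]:
    """Return (due date, latest EDGAR submission time that day, Eastern Time).

    Use the materiality determination date, not the discovery date. The same
    arithmetic applies to the 8-K/A due four business days after undetermined
    information becomes available.
    """
    due = add_business_days(determination, 4)
    return due, datetime.combine(due, EDGAR_CUTOFF)


def ag_delay_schedule(original_due: date) -> dict[str, date]:
    """Outer limits of the Attorney General delay windows, in calendar days."""
    return {
        "initial_30_days_ends": original_due + timedelta(days=30),
        "extension_30_days_ends": original_due + timedelta(days=60),
        "final_60_days_ends": original_due + timedelta(days=120),
    }


if __name__ == "__main__":
    # Constructed scenario: materiality determined on Wed Nov 26, 2025, the day
    # before Thanksgiving. Thu is a holiday, so Day 4 lands on Wed Dec 3, 2025.
    due, cutoff = item_105_deadline(date(2025, 11, 26))
    print("Item 1.05 due:", due, "- submit by", cutoff.strftime("%H:%M"), "ET")
    print("AG delay windows:", ag_delay_schedule(due))
```

Run it with a determination date and it prints the due date and the submission cutoff; swapping in a Friday before a Monday holiday (e.g., January 16, 2026, ahead of MLK Day) shows how a long weekend pushes Day 4 out a full week.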
Can Companies Get a Delay Exception for 8-K Cybersecurity Disclosures?
Yes, but only in one narrow circumstance. The rule allows a company to delay filing only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of that determination in writing. There is no exception for attorney-client privilege, commercial harm, or an ongoing investigation as such. The delay is also limited in time:
- Initial delay: up to 30 days after the date the 8-K would otherwise have been due.
- Extension: up to 30 more days if the Attorney General determines the risk continues.
- Final extension: up to 60 more days, in extraordinary circumstances. Beyond that, further delay requires an exemptive order from the SEC.
In practice a company seeking a delay contacts the FBI (which coordinates with the Department of Justice) as soon as it determines the incident is material, and ideally before, because the FBI needs time to evaluate the request before the filing deadline. The company does not grant itself the delay; it is the Attorney General's written notification to the SEC that suspends the obligation. Once the delay expires or is withdrawn, the company must file promptly.
Scenarios where a delay may be granted:
- Disclosure would reveal a law enforcement operation against the threat actor or expose sensitive sources and methods.
- The incident involves critical infrastructure or government systems such that disclosure would endanger public safety or national security.
Ransom negotiations, or the fact that the attacker might learn of the disclosure, do not by themselves qualify; the standard is a national security or public safety risk, not a commercial or investigative inconvenience.
Delays are NOT permitted for:
- Waiting for cyber-insurance claim approval.
- Waiting to assess full financial impact.
- Waiting for a complete forensic report.
- Reputational concerns or customer notification in progress.
- An ongoing law enforcement investigation on its own, absent an Attorney General determination.
If a company delays without an Attorney General determination, or beyond the period authorized, it faces enforcement risk for late filing.
What Happens if a Company Fails to Disclose Under Item 1.05?
Non-compliance carries significant penalties:
SEC Enforcement Actions:
- Civil penalties: Up to $308,922 per violation (as of 2026; adjusted annually).
- Officer sanctions: SEC can bar executives from serving as officers or directors.
- Disgorgement: Recovery of ill-gotten gains if executives traded on non-public knowledge of the breach.
- Cease-and-desist orders: Prohibition on violating disclosure rules in the future.
Secondary Consequences:
- Shareholder litigation: Investors can file securities class actions arguing they were deprived of material information.
- Stock price impact: Once the breach becomes public (via third-party reporting, regulatory action, or forensic findings), the stock can fall sharply, and the fall is compounded by the governance question of why the company did not disclose.
- Credit rating downgrade: Rating agencies treat undisclosed breaches as governance failures.
- Cyber-insurance denial: Insurers may deny claims if the insured failed to disclose a prior breach to the SEC.
- Customer and vendor trust: Clients, partners, and employees lose confidence in the company's governance and security posture.
Real-world example: The SEC's cybersecurity enforcement to date has mostly rested on the general disclosure and internal-controls provisions rather than on Item 1.05 itself, but it shows how the agency approaches incident disclosure. In October 2024 the SEC settled charges with four public companies (Unisys, Avaya, Check Point, and Mimecast) for materially misleading disclosures about cyber incidents related to the SolarWinds compromise, with civil penalties ranging from about $990,000 to $4 million; the SEC faulted them for describing the risk as hypothetical or minimizing the scope of what the attackers had accessed.
How Can Companies Stay Compliant with Item 1.05?
1. Establish a Cyber Incident Response Plan
- Define materiality triggers (quantitative and qualitative thresholds).
- Assign roles: IR team, legal counsel, CFO (for cost estimation), investor relations.
- Create a notification workflow so leadership is informed within hours of discovery.
2. Monitor and Detect Incidents Quickly
- Deploy SIEM, EDR, and intrusion detection tools to catch breaches fast.
- Conduct regular penetration testing and tabletop exercises.
- Train employees to report suspicious activity immediately.
3. Assess Materiality Within 24–48 Hours
- Gather preliminary facts: What systems were hit? What data? How many records?
- Estimate financial impact (direct recovery costs, potential regulatory fines, ransom).
- Consult legal counsel: Is this material? Should the company contact the FBI about a possible Attorney General delay?
4. Draft the 8-K Item 1.05 Filing
- Use plain language; avoid jargon.
- Describe the material aspects of the incident's nature, scope, and timing.
- Describe the material impact or reasonably likely material impact, including on financial condition and results of operations; note if insurance may cover some costs.
- Keep technical detail out: no specifics on vulnerabilities, network layout, or the response plan that would help an attacker or impede remediation.
- Flag any required information that is not yet determined and note that an amended 8-K will follow.
For guidance on what past companies disclosed, see our post on 8-K Cybersecurity Incident Disclosure Examples 2026.
5. File Within Four Business Days
- Coordinate with Investor Relations to file via EDGAR.
- Maintain a log of disclosure dates for compliance audits.
6. Update Shareholders if Facts Change
- If required information was not determined at the time of the original filing, file an amended 8-K (Form 8-K/A) within four business days after it is determined or becomes available.
- If later findings show the incident is materially larger or costlier than disclosed, update the disclosure.
- The SEC expects companies to correct material misstatements promptly.
7. Communicate Externally (Separate from SEC Filing)
- SEC filing is for investors; customer notification is required by state law (not SEC rule).
- Time your customer breach notification letter to coincide with or follow the 8-K filing.
- For employee data breaches, also check your state's employment law requirements.
For details on the SEC's four-business-day rule in context, see SEC Cybersecurity Disclosure Rules: Four Business Days Explained.
Coordination with Other Compliance Requirements
Item 1.05 disclosure does not replace other reporting obligations:
- State breach notification laws: Every state requires notification of affected residents; deadlines range from fixed windows of 30 to 60 days in some states to "without unreasonable delay" in others.
- HIPAA breach notification: Healthcare covered entities must notify affected individuals within 60 days.
- PCI DSS incidents: Payment processors must report to acquiring banks and card networks.
- Cyber-insurance claims: Insureds must notify insurers as required by the policy, typically "as soon as practicable" or within a stated number of days; late notice can jeopardize coverage.
The SEC filing often happens first (4 days), followed by customer and regulatory notifications.
For multi-state or industry-specific compliance, consider using tools or services that monitor both SEC requirements and state-level rules. If your company operates in HR/employment sectors, cross-reference HR Compliance Watch for state-specific employee data breach rules.
Legal Disclaimer
This post is informational only and does not constitute legal, financial, or investment advice. Materiality determinations are fact-specific and require consultation with qualified legal counsel and your disclosure counsel. Always verify disclosure requirements against current SEC guidance, the most recent Form 8-K instructions, and applicable state laws. The SEC's final rule on Item 1.05 and subsequent interpretations are available at sec.gov. If your company has experienced a cybersecurity incident, consult a securities attorney immediately.
Ready to Stay on Top of 8-K Filings?
Manual monitoring of SEC filings is slow and error-prone. BreachTrigger alerts your IR, cyber, and MSSP teams to material 8-K cybersecurity disclosures filed by competitors and peers in real time—so you can benchmark disclosure practices, stay informed of industry threats, and catch regulatory or market-moving incidents before they hit the news.
Learn how IR professionals and cyber insurance underwriters use BreachTrigger to monitor 8-K Item 1.05 filings: Explore BreachTrigger.
Last updated: June 28, 2026. SEC guidance referenced as of the 2023 final rule on Form 8-K Item 1.05 cybersecurity disclosure (effective December 2023).