up:: Doing the Work MOC
SEC Cyber Disclosure & Materiality
The SEC cybersecurity disclosure rules are a mandatory federal securities regime that requires every U.S. public company to disclose material cybersecurity incidents on a Form 8-K and to describe how it manages cybersecurity risk in its annual 10-K. Adopted on July 26, 2023, the rules live in two places: Form 8-K Item 1.05, a current report filed within four business days of the company determining that an incident is material, and Regulation S-K Item 106, an annual disclosure of the company’s cybersecurity risk management, strategy, and governance that appears in the Form 10-K. The rules name no specific risks and set no dollar threshold. They import the ordinary securities-law materiality standard and leave it to the company, with its lawyers, to decide what crosses the line.
This note is general education about a securities-disclosure rule, not legal advice. Whether any particular fact is material, or must be disclosed, is a determination a company makes with its own securities counsel. Nothing here tells you what to file.
The short version:
- Two obligations. Form 8-K Item 1.05 covers material cyber incidents; Regulation S-K Item 106 is the annual risk-management, strategy, and governance narrative in the 10-K.
- The 8-K is due within four business days, and the clock runs from the materiality determination, not from discovery of the incident. The determination itself has to be made “without unreasonable delay.”
- Materiality is the established securities-law standard from TSC Industries and Basic, what a reasonable investor would consider important, so an internal severity rating is an input to that call, never a substitute for it.
- The rule names no specific risks. Whether quantum-vulnerable cryptography and HNDL exposure of material data belongs in an Item 106 risk narrative is a materiality judgment a company reasons through with counsel, not a box the SEC pre-checked.
- The rules bind SEC registrants. Foreign private issuers use the parallel Form 6-K and Form 20-F Item 16K.
Think of it like a building code that says “disclose any material defect to a buyer” without listing every defect that could ever occur. The code sets the standard, material to a reasonable buyer, and leaves the owner and their engineer to decide whether a hairline crack in the foundation qualifies. A cracked footing nobody has assessed is the exposure, because the duty to evaluate it already existed even though the code never wrote the word “foundation.”
What do the SEC cybersecurity disclosure rules require?
They require two different things on two different clocks. The rules were adopted on July 26, 2023 as Release Nos. 33-11216 and 34-97989 and took effect on September 5, 2023, and they apply to companies that file periodic reports with the SEC under the Securities Exchange Act of 1934.
- A current report when an incident is material. Under Form 8-K Item 1.05, a company that determines a cybersecurity incident is material files an 8-K describing it, within four business days of that determination.
- An annual narrative regardless of any incident. Under Regulation S-K Item 106, every 10-K describes the company’s processes for managing cybersecurity risk, whether those risks are reasonably likely to materially affect the company, and how the board and management oversee them.
The regime is mandatory, not a voluntary framework or a certification. Non-compliance is an enforcement matter for the SEC. Domestic filers use Form 8-K and Form 10-K; foreign private issuers use the parallel Form 6-K for incident reporting and Form 20-F Item 16K for the annual disclosure. The rules superseded the SEC’s earlier 2011 staff guidance and 2018 interpretive release, which were guidance rather than codified line items.
Sources:
Source: U.S. Securities and Exchange Commission, “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure,” Final Rule, Release Nos. 33-11216; 34-97989 (adopted July 26, 2023; effective September 5, 2023), SEC final rule PDF. This is the authoritative primary source for the item text, timing, delay provision, and phase-in dates. SEC.gov blocks automated retrieval; confirm exact wording directly against this PDF before quoting it verbatim.
Source: SEC Press Release 2023-139, “SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies” (July 26, 2023), sec.gov/news/press-release/2023-139.
What is Form 8-K Item 1.05 and when is the filing due?
Form 8-K Item 1.05 is the current-report obligation for material cybersecurity incidents. When a company determines that a cybersecurity incident it experienced is material, Item 1.05 requires it to describe the material aspects of the nature, scope, and timing of the incident and the material impact or reasonably likely material impact on the company, including its financial condition and results of operations.
Three timing mechanics carry most of the weight, and companies get them wrong most often:
- Four business days, from the determination. The 8-K is due within four business days after the company determines the incident is material. The clock does not start when the incident is discovered. It starts when the materiality call is made.
- “Without unreasonable delay.” Because the clock runs from the determination, the rule guards against a company stalling that determination to avoid starting the clock. The materiality determination has to be made “without unreasonable delay” after discovery. This is the anti-sandbagging instruction, and it is where a slow escalation pipeline becomes a compliance problem rather than only a security one.
- Amendment for information not yet known. If required detail is not available at filing time, the company says so and then files an amendment within four business days after it later determines or obtains that information, again without unreasonable delay.
Two definitional points matter. A “cybersecurity incident” for Item 1.05 includes “a series of related unauthorized occurrences,” so a campaign of related intrusions is assessed as one incident rather than sliced into individually immaterial pieces. And disclosure may be delayed only in a narrow national-security path (below), not as a general extension.
Source: SEC Final Rule, Release Nos. 33-11216; 34-97989, SEC final rule PDF, for the Item 1.05 content, the four-business-day timing from the materiality determination, the without-unreasonable-delay instruction, and the amendment and aggregation rules.
Source: SEC Small Business Compliance Guide, “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure,” sec.gov compliance guide.
A practitioner clarification worth knowing
In May 2024, the Director of the SEC’s Division of Corporation Finance stated that Item 1.05 is meant for material incidents only, and that a company choosing to disclose an incident it has not determined to be material should do so under a different Form 8-K item, such as Item 8.01 (Other Events), so an Item 1.05 filing keeps its meaning. This is staff interpretive guidance, not a rule amendment, and it should be cited and dated as such.
Source: SEC Division of Corporation Finance, Director Erik Gerding statements on Item 1.05 scope, May 21, 2024 and June 20, 2024, sec.gov Gerding statement.
What does Regulation S-K Item 106 require in the 10-K?
Regulation S-K Item 106 (codified at 17 CFR 229.106) is the annual disclosure of cybersecurity risk management, strategy, and governance that appears in every 10-K. It has three parts.
Item 106(a), the definitions, govern both Item 106 and Item 1.05. A cybersecurity incident is “an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant’s information systems that jeopardizes the confidentiality, integrity, or availability of a registrant’s information systems or any information residing therein.” A cybersecurity threat is the potential for such an occurrence, and information systems covers the electronic resources the company owns or uses.
Item 106(b), risk management and strategy, requires the company to describe its processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, in enough detail for a reasonable investor to understand them, and to address as applicable:
- (b)(1)(i) whether and how those processes are integrated into the company’s overall risk-management system.
- (b)(1)(ii) whether the company engages assessors, consultants, auditors, or other third parties in connection with those processes.
- (b)(1)(iii) whether the company has processes to oversee and identify material risks from cybersecurity threats tied to its use of any third-party service provider.
- (b)(2) whether any risks from cybersecurity threats, including from prior incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition, and if so, how.
Item 106(c), governance, requires the company to describe the board of directors’ oversight of cybersecurity risk, including any responsible committee, and management’s role in assessing and managing that risk, including which positions or committees are responsible, the relevant expertise of those people, how they are informed about and monitor incidents, and whether they report to the board.
One correction the rule invites: the final rule dropped the proposed requirement to disclose the cybersecurity expertise of board members. The expertise disclosure that survived is at the management level, under Item 106(c)(2)(i). Commentators frequently misremember the rule as requiring a “cyber expert on the board.” It does not.
Source: 17 CFR 229.106, Item 106 of Regulation S-K (definitions; (b) risk management and strategy; (c) governance), verified against the Cornell LII mirror of the eCFR; primary text at the eCFR. The Cornell LII text confirms the management-level expertise disclosure at (c)(2)(i) and the absence of a board-expertise line item.
The two obligations side by side
| Feature | Form 8-K Item 1.05 | Regulation S-K Item 106 |
|---|---|---|
| Where it lives | Current report (Form 8-K) | Annual report (Form 10-K) |
| Trigger | A cybersecurity incident determined to be material | Being a reporting company; filed every year |
| Timing | Within 4 business days of the materiality determination | Once per fiscal year in the 10-K |
| What it discloses | Nature, scope, timing, and material impact of the incident | Risk-management processes, whether cyber risk is reasonably likely to be material, and board and management governance |
| Orientation | Reactive, incident-specific | Forward-looking, program-level |
| Foreign private issuer form | Form 6-K | Form 20-F Item 16K |
What does “materiality” mean under these rules?
Materiality here is the established federal securities-law standard, not an internal risk score and not a bright-line dollar figure. The rule deliberately does not define materiality with a quantitative threshold. It relies on decades of Supreme Court doctrine:
- TSC Industries, Inc. v. Northway, Inc., 426 U.S. 438 (1976): information is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision.
- Basic Inc. v. Levinson, 485 U.S. 224 (1988): reaffirmed TSC and framed materiality as whether the information would have significantly altered the “total mix” of information available, and supplied a probability-times-magnitude approach for contingent or speculative events.
- Matrixx Initiatives, Inc. v. Siracusano, 563 U.S. 27 (2011): confirmed there is no bright-line or statistical-significance test; the total-mix analysis governs.
The consequence for anyone reasoning about cyber risk: materiality is investor-facing, so it can diverge from an internal severity rating in both directions. An incident can be operationally severe yet immaterial to investors, or operationally modest yet material because of what it implies about the total mix of information. A high internal CVSS score or a P1 label is an input to the securities-law determination, made with counsel, never a stand-in for it.
Source: TSC Industries, Inc. v. Northway, Inc., 426 U.S. 438 (1976); Basic Inc. v. Levinson, 485 U.S. 224 (1988); Matrixx Initiatives, Inc. v. Siracusano, 563 U.S. 27 (2011), U.S. Supreme Court, for the reasonable-investor and total-mix standard the rule imports.
Can quantum-vulnerable cryptography and HNDL exposure be a disclosable risk?
This is the load-bearing question for this guide, and the honest answer starts with what the rule does not say: the SEC has never named quantum-vulnerable cryptography, HNDL, or post-quantum cryptography anywhere in Release 33-11216 or in Items 1.05 or 106. So the question is not whether the SEC requires a quantum disclosure. It is whether quantum-crypto risk can express itself within the rule’s existing text and the materiality standard it imports, and that is a judgment a company reaches with counsel, not a settled legal conclusion. What follows is where the analysis tends to land, offered as education about the regime, not as advice about any company’s filing.
Item 106(b)(2), the forward-looking test, is where quantum exposure lands first. This subparagraph asks whether cyber risk is “reasonably likely to materially affect” the company, and under Basic that is a probability-times-magnitude analysis. HNDL of long-shelf-life material data fits that shape almost exactly. The magnitude is the eventual confidentiality loss of data that is sensitive now and will still be sensitive when a CRQC arrives. The probability is the timing judgment captured by Mosca’s theorem.
So a company holding decades-sensitive material data, think M&A files, trade secrets, regulated personal data, protected under quantum-vulnerable asymmetric cryptography like RSA, has a fact pattern a reasonable investor could consider important. Whether it crosses the materiality line is the company’s call.
Item 106(b)(1) is about whether the process even sees the risk. A company that has never inventoried its own cryptography, meaning it has no CBOM, has no basis to claim its risk-assessment processes cover a known, standards-body-acknowledged risk class. And under (b)(1)(iii), a critical vendor that will not commit to a post-quantum migration path is a third-party risk this subparagraph was written to surface, which ties directly to vendor-controlled crypto surfaces and the broader problem of crypto-agility.
Item 1.05, the incident path, is the harder and more novel question. An actual harvesting event, confirmed exfiltration of ciphertext that protects material data with the expectation of future decryption, arguably fits the Item 106(a) definition of a cybersecurity incident, because it “jeopardizes the confidentiality” of information even though plaintext recovery is deferred. The materiality analysis is genuinely difficult here, because the harm is latent and the four-business-day clock runs from the materiality determination rather than from any future decryption. Reasonable lawyers can differ on it.
This is an open question counsel must resolve, not established law. The mere existence of quantum-vulnerable cryptography, with no discovered event, is an Item 106 risk-management matter rather than an Item 1.05 current report, so overstating the 8-K path is a mistake.
The through-line: the rule already obligates a company to reason about whether cyber risk is reasonably likely to be material, and many companies have no documented basis for the crypto-related part of that answer. The gap that matters is a negative disclosure written blind, an Item 106(b)(2) statement that cyber risk is not reasonably likely to be material, drafted with no HNDL or crypto-agility analysis behind it. That is the fact pattern most easily contradicted by later events, which is why forward-looking negative statements draw the hardest scrutiny.
When can a company delay disclosure under Item 1.05?
Only through a narrow national-security path, and rarely. Disclosure of a material incident may be delayed if the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing. The delay is not a general-purpose extension, and it has defined windows:
- Initial delay of up to 30 days.
- Additional delay of up to a further 30 days, if the Attorney General determines the substantial risk continues.
- Further delay of up to 60 days beyond that, granted through an SEC exemptive order, if the Attorney General again so determines.
Delays beyond those windows are contemplated only in extraordinary circumstances. The operational referral runs through the FBI and DOJ, and DOJ published delay-determination guidelines in December 2023. Because that determination has to be sought and communicated inside the same four-business-day window, it cannot be improvised mid-incident.
Source: SEC Final Rule, Release Nos. 33-11216; 34-97989, SEC final rule PDF, for the Attorney General delay structure and the 30/30/60-day windows.
Source: U.S. Department of Justice, “Material Cybersecurity Incident Delay Determinations” guidelines (December 2023), DOJ delay guidelines PDF, for the Attorney General determination process and the FBI referral path.
When did the rules take effect?
The two obligations phased in on different dates, and a couple of them are still worth stating precisely.
| Requirement | First applies |
|---|---|
| Item 106 annual disclosure (and Form 20-F Item 16K) | Annual reports for fiscal years ending on or after December 15, 2023 |
| Item 1.05 / Form 6-K incident disclosure (general) | December 18, 2023 |
| Item 1.05 for smaller reporting companies | June 15, 2024 |
| Inline XBRL structured-data tagging | Disclosures for fiscal years ending on or after December 15, 2024 |
Source: SEC Final Rule, Release Nos. 33-11216; 34-97989, SEC final rule PDF, and the SEC Small Business Compliance Guide, sec.gov compliance guide, for the phase-in and smaller-reporting-company dates and the inline XBRL tagging date.
Common misconceptions
- “Quantum exposure is a required SEC disclosure.” It is not. The rule names no specific risks and never mentions quantum cryptography. What exists is a general obligation to assess whether cyber risk is reasonably likely to be material, and a materiality standard a company applies with counsel. Treating quantum as a mandated line item overstates the rule.
- “The four-business-day clock starts when we discover the incident.” It starts when the company determines the incident is material. The determination itself has to be made without unreasonable delay after discovery, which is a different and often earlier constraint.
- “A high internal severity means it’s material.” Internal severity and securities-law materiality are different tests. Materiality is the reasonable-investor, total-mix standard. A severe operational incident can be immaterial to investors, and a modest one can be material.
- “The rule requires a cybersecurity expert on the board.” The final rule dropped the proposed board-expertise disclosure. Only a management-level expertise disclosure survived, under Item 106(c)(2)(i).
- “We should file everything under Item 1.05 to be safe.” SEC staff have discouraged this. Immaterial or not-yet-determined incidents belong under Item 8.01 (Other Events). Reflexively filing under 1.05 dilutes the meaning of a material-incident report.
- “The Attorney General delay is a routine extension.” It is a rarely-used national-security path with a specific FBI and DOJ referral process and defined 30/30/60-day windows, not a general filing extension.
Questions people ask
Who does the SEC cybersecurity rule apply to? SEC registrants that file periodic reports, meaning U.S. public companies. Domestic filers use Form 8-K Item 1.05 and Form 10-K Item 106. Foreign private issuers use Form 6-K for incident reporting and Form 20-F Item 16K for the annual disclosure. Smaller reporting companies are in scope, with a later Item 1.05 start date of June 15, 2024.
Does the rule set a dollar threshold for a “material” incident? No. The rule deliberately declines to set a quantitative bright line and relies on the TSC Industries and Basic materiality standard, which turns on whether a reasonable investor would consider the information important to the total mix. Whether a given incident is material is a judgment made with counsel, case by case.
Do we have to name quantum risk in our 10-K? The rule does not require it, because it names no specific risks. What Item 106(b)(2) requires is a determination of whether cyber risk is reasonably likely to materially affect the company. If a company’s data profile and cryptographic exposure make quantum a genuine factor in that determination, that is a matter for the company and its counsel to weigh, not something the SEC has pre-decided either way.
What starts the four-business-day clock exactly? The company’s determination that the incident is material. Discovery of the incident does not start it. What discovery does start is the obligation to reach the materiality determination “without unreasonable delay,” so a company cannot indefinitely postpone the determination to keep the four-day clock from running.
Is a harvest-now-decrypt-later event a reportable incident? It is a genuinely open question. Harvesting of ciphertext that protects material data arguably fits the definition of a cybersecurity incident because it jeopardizes confidentiality, even though decryption is deferred. Whether and when it becomes material for Item 1.05 is difficult and unsettled, and it is exactly the kind of question a company works through with securities counsel rather than reads off the rule.
Does this rule require us to migrate to post-quantum cryptography? No. This is a disclosure rule, not a cryptography mandate. It governs what a public company tells investors, not what algorithms it deploys. Migration timelines are driven by other authorities such as NSA CNSA 2.0 and NIST guidance; the SEC rule only bears on whether cryptographic risk is material enough to disclose.
Is any of this legal advice? No. This note explains a securities-disclosure regime in general terms. Materiality determinations and disclosure decisions are made by the company with its own securities counsel, on the specific facts. Use this to understand the rules, then take the actual questions to a lawyer.
Everything here is the map, given freely. When your team needs its quantum and HNDL exposure actually quantified against your own records and deadlines, in a form your officers and counsel can weigh against the materiality standard this rule already applies, that’s the work I do, and there’s an alignment briefing for it.
Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.