Form: Cost-of-Breach Disclosure | Source: IBM 2025 | Filed: 28 Apr 2026
Reg File 09.SEC / Form 8-K Item 1.05 | Final rule 33-11216

Regulator profile

SEC Item 1.05: 4 business days to disclose material cyber incidents.

The SEC's final rule on cybersecurity risk management, strategy, governance, and incident disclosure took effect 18 December 2023. Public registrants must file a Form 8-K Item 1.05 within four business days after determining that a cybersecurity incident is material, disclosing the nature, scope, timing, and material impact. Approximately 60 Item 1.05 filings have been submitted as of mid-2026; stock-price moves of 2% to 7% in the 24 hours after disclosure are typical.

Disclosure window: 4 days (business days from materiality determination)
Item 1.05 filings: ~60 (December 2023 to mid-2026)
Stock impact: 2-7% (24-hour move post-filing typical)
Notable case: SolarWinds (first CISO personally charged)

Section SEC.1

What the rule actually requires

The SEC final rule 33-11216 requires public registrants subject to the reporting requirements of the Exchange Act to disclose any cybersecurity incident determined to be material on Form 8-K under new Item 1.05. The disclosure must be filed within four business days after the registrant determines that a cybersecurity incident is material. The required disclosure content includes the nature of the incident, the scope of the incident, the timing of the incident, and the material impact or reasonably likely material impact on the registrant.

The materiality determination is the central judgment call. The SEC has indicated that the standard materiality test under TSC Industries v. Northway applies: an incident is material if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision. The SEC has also clarified that the materiality determination should be made without unreasonable delay after the registrant has gathered sufficient information to assess materiality, but that the registrant is not required to disclose immediately upon detection.

The rule includes a narrow national-security delay provision. If the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety, the disclosure may be delayed for up to 30 days, with the possibility of additional 30-day extensions. The provision has been used sparingly. The most-discussed early use was the Clorox August 2023 incident, where disclosure was delayed approximately one week with an AG referral.

Section SEC.2

Notable Item 1.05 filings

| Registrant | Date filed | Trigger | Stock impact (24h) |
|---|---|---|---|
| Clorox | 14 Aug 2023 (pre-rule, equivalent disclosure) | Ransomware on enterprise systems | -2% on filing day, -7% over 2 weeks as scope expanded |
| VF Corporation | 14 Dec 2023 | Cyber incident disrupting operations | -5% over 3 days |
| Microsoft (Storm-0558 / Midnight Blizzard) | 19 Jan 2024 | Nation-state intrusion into corporate email | -1% on filing day, recovered quickly |
| UnitedHealth Group (Change Healthcare) | 22 Feb 2024 | BlackCat ransomware on subsidiary | -4% on filing day, -8% as scope expanded |
| AT&T (Snowflake credential compromise) | 12 Jul 2024 | Call/text metadata exposure | -3% on filing day |
| CDK Global | 20 Jun 2024 | Cyberattack on dealer-management systems | Private company, dealer customers affected |
| Halliburton | 26 Aug 2024 | Unauthorized third-party access | -2% on filing day |
| Snowflake (notification of customer issues) | 30 May 2024 | Customer credential compromises affecting many tenants | -3% on filing day |

The full list of Item 1.05 filings is searchable via the SEC EDGAR full-text search interface. Approximately 60 Item 1.05 filings have been submitted between the rule's effective date and mid-2026.

Section SEC.3

The stock-price impact pattern

The empirical record of Item 1.05 filings to date shows stock-price moves of 2% to 7% in the 24 hours after disclosure for most filings. The moves cluster around 2-3% for filings that confirm an incident but do not disclose material financial impact, around 4-5% for filings that disclose operational disruption with quantified impact, and at 7%+ for filings where the materiality determination was preceded by media speculation that elevated investor concern beyond the eventual disclosure.

The cumulative two-week stock-price impact is typically larger than the 24-hour impact. Clorox's 7% two-week drop is illustrative: the initial disclosure caused a 2% move, with the cumulative effect emerging as subsequent disclosures expanded the scope of the operational and financial impact. UnitedHealth's 8% two-week drop following Change Healthcare followed the same pattern: the initial disclosure of the incident triggered a 4% move, with the cumulative impact emerging as the scale of the provider-assistance commitment and operational disruption became clear.

The implication for breach-cost modelling is that the stock-price impact line is real and quantifiable. For a mid-cap public registrant with $5B market cap, a 3% drop is $150M of shareholder loss, which is not on the company's books but is a real economic cost. For a large-cap registrant with $100B market cap, a 3% drop is $3B, which dwarfs any plausible regulatory or class-action component. The stock-price impact line frequently exceeds all other breach-cost categories combined for large-cap public registrants.

Section SEC.4

The SolarWinds CISO precedent

On 30 October 2023, the SEC filed civil charges against SolarWinds and its CISO Tim Brown, alleging fraud and internal-control failures related to materially misleading statements about the company's security posture in product collateral and SEC filings. The complaint sought to bar Brown from serving as an officer or director of a public company and to disgorge ill-gotten gains. The case was the first major SEC enforcement action against a CISO personally and represented a fundamental shift in the CISO liability landscape.

The case has produced material changes in the CISO insurance market. Cyber-D&O policies that explicitly cover CISO personal liability became standard at public-company technology firms within 12 months of the SolarWinds complaint. Premiums for $10M-$25M of CISO D&O coverage at a public-company technology firm run $100K to $400K annually as of 2026, and deductibles have risen sharply since the complaint. The cost is now a standard line item in technology-company cybersecurity budgets.

The case has also changed the way CISOs interact with marketing, product, and investor relations functions at public companies. Statements about security posture that previously would have been treated as marketing copy are now treated as potentially material disclosures subject to CISO sign-off. The change has slowed product-collateral approval cycles and has produced material consulting demand from cybersecurity legal practices specialising in public-company disclosure review.

Section SEC.5

The Item 1.05 vs Item 8.01 distinction

Some early Item 1.05 filings have triggered debate about whether the rule's materiality determination is being applied consistently. Several registrants have filed under Item 8.01 (Other Events) rather than Item 1.05 (Material Cybersecurity Incidents) for incidents that observers viewed as material. The SEC has not formally clarified the standard for distinguishing the two, but staff comments have indicated a preference for Item 1.05 filings where the materiality determination is plausible, with the Item 8.01 alternative reserved for incidents that are clearly non-material.

For breach-cost modelling, the practical implication is that Item 8.01 filings should be treated as functionally equivalent to Item 1.05 filings for purposes of stock-price impact and litigation-risk analysis. The market reaction to Item 8.01 cyber filings has been similar to the reaction to Item 1.05 filings, with the choice of item not appearing to produce a material difference in price response.

Primary source: SEC Item 1.05 data from SEC final rule 33-11216, SEC press releases, EDGAR Item 1.05 filings, SEC v. SolarWinds Corporation and Brown complaint dated 30 October 2023, and SEC staff guidance via Compliance and Disclosure Interpretations.