Valtik Studios
Public Company · critical · 2026-02-01 · 13 min

The SEC 4-Day Breach Rule: What Public Companies Actually Have to Do

Since December 2023, US public companies have had to disclose material cybersecurity incidents on Form 8-K within four business days of determining materiality. Two years in, companies are still getting the rule wrong, both over-disclosing non-material incidents and under-disclosing material ones. A practical walkthrough of what the rule requires, what materiality actually means, and the governance framework public companies need in place before an incident happens.

Tre Trebucchi · Founder, Valtik Studios. Penetration tester, based in Connecticut, serving the US mid-market.

The rule that rewrote corporate cybersecurity disclosure

In our experience working with mid-market clients, the gap is always wider than the paper-based assessment suggests.

On July 26, 2023, the SEC adopted final rules (Release No. 33-11216) requiring public companies to disclose material cybersecurity incidents within four business days of determining that the incident is material. The Item 1.05 incident-disclosure requirement took effect on December 18, 2023 for most registrants, with smaller reporting companies given until June 15, 2024; the Item 106 governance disclosure applies to annual reports for fiscal years ending on or after December 15, 2023. Foreign private issuers have parallel obligations on Forms 6-K and 20-F.

The 4-day disclosure rule is now the single most consequential US regulatory development in corporate cybersecurity. It's reshaped how CISOs think about incident response. It's forced boards to develop cyber-risk governance capability they often lacked. It's created new dynamics between threat actors, companies, and markets. Ransomware groups explicitly reference the SEC rule in ransom negotiations. And it's surfaced a steady stream of enforcement actions against companies that got disclosure wrong.

Two years in, there's a clear pattern of what the rule requires, how companies are complying, and which specific failure modes trigger SEC enforcement.

This post covers what the rule says, the materiality determination that drives everything, the Form 8-K Item 1.05 disclosure content, and the governance framework every public company needs in place before its next incident.

What the rule requires

The rule has two main components.

Component 1: incident disclosure (Item 1.05)

When a public company determines that a cybersecurity incident is material, it must file a Form 8-K under Item 1.05 within four business days of that materiality determination. The disclosure must describe:

  • The nature, scope, and timing of the incident
  • The material impact, or reasonably likely material impact, on the company, including its financial condition and results of operations

The rule does not require disclosure of the technical details of how the attack was carried out. Item 1.05 states that a registrant need not disclose specific or technical information about its planned response, its systems and networks, or potential vulnerabilities in such detail as would impede its response or remediation. The SEC added that language in response to industry concern about handing attackers useful information.

Four business days from the materiality determination, not from the incident. This distinction matters enormously. The clock starts when management determines the incident is material, not when the incident occurred or was discovered. This gives companies time to investigate before disclosing.

But the instruction to Item 1.05 requires the materiality determination itself to be made "without unreasonable delay after discovery of the incident." Companies can't postpone the determination to keep the clock from starting, and the SEC has signaled it will scrutinize undue delays.
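Counting "four business days" sounds trivial until the window straddles a federal holiday or the determination lands on a Saturday. The calculator below is an added example written for this post, not code from the SEC, EDGAR, or Valtik Studios. It assumes EDGAR is closed on the observed US federal holidays it computes (the standard OPM rules, including the Saturday-to-Friday and Sunday-to-Monday shifts) and treats the determination date as day zero; both assumptions should be checked against the current EDGAR calendar before you rely on a date.

```python
"""Item 1.05 filing-deadline calculator.

Added example, not code from the SEC or the original post. Counts four business
days after the materiality-determination date, skipping weekends and observed US
federal holidays. Assumption: EDGAR is closed on every date federal_holidays()
returns. Planning aid only, not legal advice.
"""
from datetime import date, timedelta

MON, THU, SAT, SUN = 0, 3, 5, 6


def _nth_weekday(year: int, month: int, weekday: int, n: int) -> date:
    """n-th occurrence of `weekday` (Mon=0) in a month; n=-1 means the last one."""
    if n > 0:
        first = date(year, month, 1)
        first_match = first + timedelta(days=(weekday - first.weekday()) % 7)
        return first_match + timedelta(weeks=n - 1)
    next_month = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last = next_month - timedelta(days=1)
    return last - timedelta(days=(last.weekday() - weekday) % 7)


def _observed(d: date) -> date:
    """OPM rule: a Saturday holiday is observed Friday, a Sunday holiday Monday."""
    if d.weekday() == SAT:
        return d - timedelta(days=1)
    if d.weekday() == SUN:
        return d + timedelta(days=1)
    return d


def federal_holidays(year: int) -> set[date]:
    """Observed US federal holidays in one calendar year (assumed EDGAR closures)."""
    # New Year's Day, Juneteenth, Independence Day, Veterans Day, Christmas Day
    fixed = [(1, 1), (6, 19), (7, 4), (11, 11), (12, 25)]
    days = {_observed(date(year, m, d)) for m, d in fixed}
    days |= {
        _nth_weekday(year, 1, MON, 3),   # Martin Luther King Jr. Day
        _nth_weekday(year, 2, MON, 3),   # Washington's Birthday
        _nth_weekday(year, 5, MON, -1),  # Memorial Day
        _nth_weekday(year, 9, MON, 1),   # Labor Day
        _nth_weekday(year, 10, MON, 2),  # Columbus Day
        _nth_weekday(year, 11, THU, 4),  # Thanksgiving Day
    }
    # Next year's New Year's Day on a Saturday is observed on Dec 31 of this year.
    if date(year + 1, 1, 1).weekday() == SAT:
        days.add(date(year, 12, 31))
    # A Jan 1 that shifted to the previous Dec 31 belongs to the prior year's set.
    return {d for d in days if d.year == year}


def is_federal_holiday(iso_date: str) -> bool:
    d = date.fromisoformat(iso_date)
    return d in federal_holidays(d.year)


def is_business_day(d: date, holidays: set[date]) -> bool:
    return d.weekday() < SAT and d not in holidays


def item_105_deadline(determination_iso: str, business_days: int = 4) -> str:
    """Last day to file the Item 1.05 Form 8-K, as an ISO date string.

    The clock starts on the materiality-determination date, not the incident or
    discovery date, and the determination day itself is day zero. A determination
    made on a weekend or holiday simply starts counting on the next business day.
    """
    determination = date.fromisoformat(determination_iso)
    # Pull two years of holidays so a late-December determination is handled.
    holidays = federal_holidays(determination.year) | federal_holidays(determination.year + 1)
    d = determination
    remaining = business_days
    while remaining > 0:
        d += timedelta(days=1)
        if is_business_day(d, holidays):
            remaining -= 1
    return d.isoformat()


if __name__ == "__main__":
    # Constructed scenario: determination on Thursday 2026-02-12. Washington's
    # Birthday (2026-02-16) falls inside the window, so the deadline is 2026-02-19.
    print(item_105_deadline("2026-02-12"))
```

Two practical caveats the code does not model: EDGAR stamps a submission received after 5:30 p.m. ET with the next business day's filing date, so the real cutoff on the deadline day is mid-afternoon, not midnight; and the same counting logic applies to the Form 8-K/A due four business days after previously unavailable information becomes available.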

Component 2: governance disclosure (Regulation S-K Item 106, reported as Item 1C of Form 10-K)

Every Form 10-K annual report must describe:

  • The company's processes, if any, for assessing, identifying, and managing material cybersecurity risks
  • Whether those processes are integrated into the overall risk management system
  • Whether the company engages assessors, consultants, auditors, or other third parties, and whether it has processes to oversee risks from third-party service providers
  • Whether any risks from cybersecurity threats, including prior incidents, have materially affected or are reasonably likely to materially affect the company's business strategy, results of operations, or financial condition
  • Board oversight of cybersecurity risks, including which committee is responsible and how the board is kept informed
  • Management's role and relevant expertise in assessing and managing those risks

This is the "we have a cybersecurity program" disclosure, but it has to be concrete enough for investors to evaluate whether the program is adequate.

Annual filing: the 10-K happens yearly, so each year's disclosure updates the prior year's and, over time, documents how the program has evolved.

What "material" means

The entire rule depends on materiality determination. The SEC's definition follows established case law:

> Information is material if there's a substantial likelihood that a reasonable investor would consider it important in making an investment decision, or if the information would significantly alter the total mix of information available.

A facts-and-circumstances test, not a bright-line rule. There's no dollar threshold. There's no number-of-records-breached threshold. Whether any specific incident is material depends on the specific company and specific incident.

Factors considered

  • Financial impact. Direct costs (ransom, incident response, legal fees). Indirect costs (customer churn, business interruption). Lost revenue. Future revenue impact.
  • Scope of the incident. Number of systems affected. Number of customers affected. Geographic scope. Business lines affected.
  • Data involved. Type of data (PII, PHI, proprietary business data, trade secrets). Volume. Regulatory implications.
  • Operational impact. Downtime. Service disruption. Customer-facing effects. Supply chain effects.
  • Reputational harm. Brand damage. Customer trust impact.
  • Regulatory consequences. Separate regulator actions triggered (HHS, state AGs, foreign regulators). Litigation exposure.
  • Strategic impact. Impact on M&A activity, planned initiatives, competitive positioning.

Examples of material incidents

  • A ransomware attack that shuts down core operations for multiple days
  • A data breach exposing a material number of customers' personal information
  • Theft of material intellectual property or trade secrets
  • A compromise that triggers regulatory investigation or lawsuits
  • An attack that disrupts a material supplier or customer relationship

Examples of typically non-material incidents

  • Routine phishing emails that don't result in compromise
  • Commodity malware detected and contained before impact
  • DDoS attacks that don't disrupt operations
  • Small-scale data exposures with limited impact

The judgment call

Many incidents fall in the middle. The rule doesn't prescribe who makes the call, but a defensible materiality determination is:

  • Made by senior management (typically the CEO, CFO, General Counsel, and CISO acting together, often as a standing disclosure committee)
  • Based on relevant facts at the time of decision
  • Documented with rationale
  • Updated if new facts emerge

SEC enforcement in 2024-2026 has focused on companies that seemed to be slow-walking materiality determinations to avoid the 4-day clock. The SEC has indicated it will look at:

  • Internal communications about the incident
  • Board and executive briefings
  • External communications to customers or regulators
  • Insurance notifications
  • Changes in operational tempo

If internal communications show the company clearly regarded the incident as material but held off on the formal determination, the SEC is likely to treat that as unreasonable delay.

What Form 8-K Item 1.05 looks like

Typical Item 1.05 disclosures run 1-3 pages. The content structure:

  1. Factual description of the incident. What happened, when, what systems were affected
  2. Investigation status. Ongoing or complete? External IR firm engaged?
  3. Materiality assessment. What impact has been identified, what's anticipated
  4. Operational impact. Business operations affected, customer impact, service restoration timeline
  5. Financial impact. Actual or anticipated financial effects
  6. Forward-looking statements. Ongoing investigation may reveal additional information

What not to include:

  • Technical attack methodology (this was explicitly clarified by SEC)
  • Attacker identity speculation (unless confirmed)
  • Unverified attribution
  • Content that could damage ongoing investigation
  • Legal privileged content

Updates: Item 1.05 expects you to file what you know. If required information isn't yet determined or available at filing time, say so in the 8-K, then file a Form 8-K/A within four business days of determining it (again, without unreasonable delay) or of it becoming available. Companies also carry material developments into subsequent 10-Q and 10-K filings, and some incidents warrant several amendments over months.

The 2024-2026 enforcement landscape

SEC enforcement in this area has been active, but note the timing: the 2023 reference incidents below were disclosed before Item 1.05 took effect on December 18, 2023, so they were necessarily filed under other 8-K items, and the October 2024 charges concerned disclosures made under the pre-existing antifraud and disclosure rules. They are still the cases practitioners cite because they show how the SEC reads incident disclosures.

Notable enforcement actions and reference cases

MGM Resorts (2023-2024): the company suffered a ransomware attack in September 2023 that caused significant operational disruption. The timing and completeness of its disclosures drew scrutiny, including debate over whether the ongoing investigation should have triggered earlier or fuller disclosure.

Clorox (2023): a cyberattack in August 2023 caused significant supply chain disruption. The company filed a Form 8-K promptly and kept updating it as the financial impact became clear. Generally viewed as a well-handled disclosure.

Unisys, Avaya, Check Point, Mimecast (October 2024): the SEC charged four companies with making materially misleading disclosures about intrusions linked to the SolarWinds compromise, all before the 4-day rule was adopted. Civil penalties were $4M (Unisys), $1M (Avaya), $995K (Check Point), and $990K (Mimecast). The action established that the SEC will pursue cybersecurity-disclosure cases vigorously, and that describing a known intrusion as a hypothetical risk is the pattern it targets.

Caesars Entertainment (2023): a ransomware attack in the same month as MGM's, widely attributed to the same threat actor. Caesars reportedly paid a ransom of about $15M. Its disclosure was relatively prompt and has been treated as less problematic than MGM's.

Progress Software / MOVEit (2023-2024): the MOVEit Transfer vulnerability affected thousands of organizations. Progress Software's own disclosures were scrutinized, and many MOVEit customers faced their own disclosure questions as downstream victims.

General enforcement patterns

SEC has focused on:

  • Material misrepresentation. Companies claiming strong cybersecurity programs that later prove to have been inadequate
  • Timing delays. Companies that appear to have delayed materiality determinations
  • Inadequate disclosures. 8-K filings that omit material facts or understate impact
  • Inconsistency. Public disclosures inconsistent with internal communications
  • Program deficiencies. 10-K governance disclosures that misrepresent the program

What public companies should have in place

Before an incident happens, an SEC-ready governance framework requires:

1. Written cybersecurity governance policy

Board-approved document describing:

  • Board oversight of cybersecurity risk
  • Management responsibility for cybersecurity program
  • Risk assessment methodology
  • Incident classification and escalation framework
  • Relationship with broader enterprise risk management

2. Materiality determination framework

Written criteria for determining whether a cybersecurity incident is material:

  • Quantitative thresholds where they make sense (dollar impact, number of customers affected, duration of disruption), treated as triggers for review rather than substitutes for the facts-and-circumstances test
  • Qualitative factors
  • Decision-makers (who determines materiality? typically a committee including CEO, CFO, General Counsel, CISO)
  • Documentation requirements
  • Timing expectations

3. Incident response plan with SEC disclosure integration

Operational IR plan that includes:

  • Technical response procedures
  • Communication protocols
  • Executive notification procedures
  • Legal counsel engagement
  • External IR firm engagement
  • SEC disclosure pathway. When is the materiality assessment triggered, who participates, how is the 4-day clock managed

4. Board cybersecurity expertise

The final rule dropped the proposed requirement to disclose directors' cybersecurity expertise, but Item 106 still requires describing board oversight, and that description is only credible with some combination of:

  • At least one board member with direct cybersecurity expertise (former CISO, technology executive, cyber expert)
  • Board members who have completed specific cybersecurity governance training
  • Regular cybersecurity briefings from internal CISO and external experts
  • Board members actively engaged in cyber risk discussion

5. Management-level cybersecurity expertise disclosure

Form 10-K must describe management's cybersecurity expertise. Typical disclosures include:

  • CISO role, reporting line, years of experience
  • Security leadership's relevant background
  • External expertise engaged (third-party advisory, consulting firms)

6. Tabletop exercises and drills

Annual (minimum) exercises testing:

  • Incident detection and escalation
  • Materiality determination within the 4-day window
  • Disclosure drafting and legal review
  • Board notification
  • Investor communications
  • Media response

The SEC disclosure pathway specifically should be drilled. Rehearsing the flow from "incident detected" to "8-K filed" under the time constraint.

7. Documentation practices

Throughout the lifecycle of an incident:

  • Contemporaneous notes of discovery
  • Materiality assessments and rationales
  • Board briefing materials
  • Executive communications
  • External communications
  • Disclosure drafts and legal review

This documentation becomes critical if SEC investigates later. "We decided to wait before declaring material because..." is a defensible position if documented at the time. Without documentation, it looks like after-the-fact rationalization.

8. Insurance coordination

Most cyber insurance policies require prompt notification. SEC disclosure requirements often align with insurance notification. Coordinate:

  • Insurance carrier notification protocol
  • Which external counsel is engaged (panel lists)
  • Ransom payment pre-approval (if applicable)
  • IR firm engagement (panel)

The incident-specific playbook

When an incident happens, the recommended sequence:

Day 0: Detection

  • Detect incident
  • Activate incident response team
  • Engage external IR firm (if warranted)
  • Notify legal counsel
  • Preserve evidence
  • Start materiality determination process

Day 0-2: Investigation

  • Scope the incident (what happened, what's affected, what's the impact)
  • Initial fact-finding
  • Internal communications (executive team, relevant directors, counsel)
  • Insurance notification (most policies require prompt notification)
  • Law enforcement notification if applicable (FBI, Secret Service)
  • External communications planning (customers, partners, regulators)

Day 2-4: Materiality determination

  • Executive committee reviews facts
  • Materiality assessment against the written framework
  • Decision documented with rationale
  • Board notification of determination
  • Legal counsel review of potential disclosure

Determination day plus up to 4 business days: if material, file the 8-K

  • Draft Item 1.05 disclosure
  • Legal review
  • Executive sign-off
  • Filing with SEC
  • Investor relations coordination
  • Customer / partner notifications aligned with filing

Day 5+: Ongoing management

  • Regular updates to board
  • Customer / regulator / partner communications as appropriate
  • Remediation implementation
  • Additional disclosures if investigation reveals new material facts
  • Post-incident review

The "national security delay" provision

The rule allows a company to delay disclosure if the US Attorney General determines that immediate disclosure "would pose a substantial risk to national security or public safety" and notifies the SEC of that determination in writing.

This provision is narrow and rarely used:

  • Requires an explicit AG determination; under DOJ guidelines published in December 2023, requests are routed through the FBI and should be submitted immediately upon the materiality determination
  • Must be tied to a specific national security or public safety risk, not to business harm or the state of the investigation
  • Initial delay of up to 30 days from when the 8-K was otherwise due, extendable by up to another 30 days, and in extraordinary circumstances by up to a further 60 days; anything beyond that requires an SEC exemptive order

For most companies this isn't relevant. Only extraordinary cases (attacks on defense contractors or critical infrastructure, incidents during specific geopolitical events) warrant invocation.

What changes after the rule

Beyond compliance mechanics, the rule has shifted how cybersecurity is managed:

Board engagement

Boards now routinely engage with cybersecurity:

  • Cyber risk included in regular board materials
  • Quarterly or more frequent cybersecurity updates
  • Pre-incident escalation protocols
  • Directors' specific cybersecurity training

CISO positioning

CISOs report more directly to CEO or board committees (audit, risk, or dedicated cybersecurity committee). Reporting through CIO is less common than it was pre-2023.

General Counsel involvement in cybersecurity decisions is far higher. Legal counsel is part of incident response teams from day one. Materiality determinations are legally-advised.

Ransomware negotiation dynamics

Ransomware groups have explicitly referenced the SEC rule in negotiations ("you have 4 days to decide, the regulatory clock is ticking"). In November 2023 the ALPHV/BlackCat group went further and filed a complaint with the SEC against a victim, MeridianLink, for not disclosing the intrusion, even though the rule was not yet in effect. It's an unusual dynamic: attackers weaponizing disclosure requirements against defenders. Treat the threat of an SEC complaint as a negotiation tactic, not as a reason to let the attacker set your materiality timeline.

Insurance dynamics

Cyber insurance carriers want earlier notification to engage in response. The SEC timeline creates pressure toward quick carrier engagement.

Audit dynamics

Public company auditors have begun scrutinizing cybersecurity program adequacy as part of financial statement audits. Material weaknesses in cybersecurity program that create financial statement risk can trigger audit findings.

Common failure modes

Specific failures SEC has highlighted in enforcement or guidance:

Failure 1: Slow-walking materiality

Company discovers incident. Initial investigation suggests it's serious. But senior leadership delays formal materiality determination, hoping impact will be contained. By the time determination happens (or SEC investigates), it's clear materiality was apparent earlier.

Fix: document materiality assessments contemporaneously. If you're uncertain, document that. If you're conducting further investigation before declaring, document why and what new information would change the assessment.

Failure 2: Narrow scope in 8-K

8-K describes the incident but omits material facts. SEC later finds via investigation that the company knew about omitted facts at the time of disclosure.

Fix: don't draft 8-Ks to minimize impact. Describe accurately. Update as investigation progresses.

Failure 3: Over-disclosing non-material incidents

Some companies have disclosed non-material incidents under Item 1.05 out of an "abundance of caution." This adds noise to the disclosure stream, can tip off attackers that minor incidents have been detected, and dilutes the meaning of Item 1.05. In May 2024 the Director of the SEC's Division of Corporation Finance said as much and asked companies that want to disclose incidents not yet determined to be material to do so under Item 8.01 instead.

Fix: make a real materiality determination. If you still want to disclose, use Item 8.01, not Item 1.05.

Failure 4: 10-K governance disclosure mismatch

Company's 10-K describes a robust cybersecurity program. Breach investigation reveals the program described doesn't match practice.

Fix: 10-K disclosures must match reality. If your program has gaps, describe them honestly or fix them before annual filing.

Failure 5: Ongoing incident management gaps

Company files 8-K. Incident continues evolving. New material facts emerge. Company fails to update disclosure.

Fix: establish routine review of ongoing incidents for new material facts. File a Form 8-K/A when information that was unavailable at filing becomes available. Keep the incident in 10-Q disclosures while it is active.

For non-public companies

If you're a private company, SEC rules don't directly apply. But:

  • If you're an acquisition target of a public company, SEC disclosure can flow through. Your incident may be disclosed by the acquiring company.
  • If you're a vendor to public companies, your incidents affecting public-company customers may trigger their disclosures.
  • If you're considering going public, your cybersecurity program needs to meet SEC expectations; cybersecurity governance is now standard IPO-readiness due diligence.
  • If you're regulated elsewhere (healthcare, finance, critical infrastructure), analogous disclosure requirements often exist.

For Valtik clients

Valtik provides SEC-disclosure-focused security services for public companies and pre-IPO private companies:

  • Cybersecurity governance framework development aligned with SEC Item 106 requirements
  • Incident response planning with integrated materiality determination and disclosure pathway
  • Tabletop exercises specifically drilling SEC disclosure timelines
  • Penetration testing scoped to provide evidence supporting 10-K governance disclosures
  • Board cybersecurity briefings to support director oversight
  • Materiality determination framework development

For public companies that haven't explicitly updated their cybersecurity governance since the December 2023 rule adoption, we can produce a gap assessment and remediation roadmap. Reach out via https://valtikstudios.com.

The honest summary

The SEC 4-day breach rule is the most significant US cybersecurity governance regulation to date. Two years of enforcement and industry adaptation have clarified what compliance looks like.

The core requirements aren't complicated. The practical execution is harder than it looks. The companies that get this wrong get SEC attention: enforcement actions, corrective action plans, and public disclosure of their failures.

The companies that get this right have:

  • Written governance frameworks
  • Materiality determination procedures
  • Incident response plans integrating disclosure pathways
  • Board and management cybersecurity expertise
  • Regular drills and documentation

If you're a public company and your cybersecurity governance hasn't been reviewed against the 4-day rule explicitly, prioritize that review. Your next incident will be your test.

Sources

  1. SEC, "Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure," final rule, Release No. 33-11216 (adopted July 26, 2023)
  2. Final rule text, Federal Register
  3. Form 8-K, SEC
  4. SEC Division of Corporation Finance, cybersecurity compliance guidance
  5. SEC press release, cybersecurity disclosure rules
  6. SEC press release, charges against Unisys, Avaya, Check Point, and Mimecast (October 2024)
  7. NIST Cybersecurity Framework 2.0
  8. ISO/IEC 27001:2022
  9. SEC Cybersecurity Roundtable proceedings
  10. PwC, SEC cybersecurity disclosure guide