
What the SEC cybersecurity disclosure rule actually requires

Two reporting obligations, one materiality call, and a four-business-day clock. Here's the operational reading of the SEC cyber rule — and the parts most companies are still getting wrong.

By The Talarity team · April 7, 2026

The SEC’s cybersecurity disclosure rule has been in effect for over a year. Most public companies have updated their 10-K Item 1C language. Far fewer have updated the operational machinery underneath it.

This post is the operational reading: what the rule actually requires, what good looks like, and the parts most programs are still hand-rolling.

Two obligations

The rule has two distinct disclosure obligations.

Form 8-K Item 1.05 — material cybersecurity incidents. When the company determines an incident is material, it must file Form 8-K within four business days of the determination. The disclosure must describe the nature, scope, timing, and material impact (or reasonably likely material impact) of the incident.

Form 10-K Item 1C — cybersecurity risk management and governance. Annual disclosure describing (1) the company’s processes for assessing, identifying, and managing material cybersecurity risks, (2) whether and how those risks have materially affected the business, and (3) management’s role and the board’s oversight.

These are different beasts. The 8-K is a real-time response; the 10-K is a structured narrative.

The materiality determination is the hard part

The four-business-day clock starts when the company determines an incident is material. Not when the incident occurs. Not when it’s detected. When materiality is determined.

This sounds like a tiny distinction. It is not. The rule expects companies to make materiality determinations “without unreasonable delay” — but the rule is silent on what “unreasonable” means in practice. The SEC has signaled it’ll look at facts and circumstances.

What this means operationally:

  • You need a documented materiality framework. Quantitative thresholds (loss magnitude, customer impact, data sensitivity) plus qualitative factors (reputation, regulatory exposure, ongoing harm).
  • You need a triage process that moves incidents from detection to materiality assessment quickly. Twenty-four to forty-eight hours from detection to assessment is a reasonable target for clear cases.
  • You need a documented sign-off chain. Counsel must be in the loop. The CFO usually is. Sometimes the audit committee chair gets briefed.
  • You need to timestamp the determination. The four-business-day clock depends on knowing exactly when materiality was determined.

Most companies are still doing materiality determinations by ad-hoc email. That’s a problem. The defensibility of your timing depends on records, and records made in the moment are far more defensible than records reconstructed later.

The 8-K disclosure

If the incident is material, the 8-K must address:

  • Nature and scope of the incident
  • Timing
  • Material impact, or reasonably likely material impact, on the company

It does not need to disclose technical details that would compromise ongoing response. The SEC has been reasonable about delayed disclosure when continued investigation is warranted, especially when law enforcement requests it.

Three patterns we see in good 8-K disclosures:

  1. Be specific about timing. “We detected unauthorized access on [date]. On [later date], we determined the incident was material.” This makes the four-day clock auditable.
  2. Quantify what you can. “Approximately [X] customer records were accessed” is better than “an undetermined number of customer records.” If the number isn’t known, say so — and update via amendment when it is.
  3. Address operational impact separately from financial impact. Operational impact is usually known immediately; financial impact often takes weeks to assess.

The amended 8-K is your friend. The SEC explicitly contemplates updates as the picture clarifies. Don’t wait for perfect information before filing the original.

The 10-K Item 1C narrative

Item 1C is structured. The SEC effectively gave you a three-section template:

Risk management and strategy. Describe your processes for assessing, identifying, and managing cybersecurity threats — including how you integrate cyber risk into overall risk management, and how you engage third-party assessors and consultants. Describe whether risks from cybersecurity threats have materially affected (or are reasonably likely to materially affect) the business.

Board oversight. Describe the board’s oversight, including any committee responsible. If the audit committee handles it, say so. If a separate cybersecurity committee, describe its remit.

Management’s role. Identify which positions are responsible for assessing and managing cybersecurity threats. Describe their expertise. Describe how they’re informed about and respond to incidents.

The temptation is to write this section as marketing copy — “Our world-class cybersecurity program leverages industry-leading practices…” Don’t. The SEC and plaintiffs’ bar are reading this section as a factual statement of your program. Discrepancies between Item 1C and reality become liability.

Better: a precise, specific description of what you actually do. Reference your framework (NIST CSF, ISO 27001, etc.). Name the executive accountable. Identify the board committee with oversight. Describe the cadence of reporting.

What good looks like

Programs that handle the SEC rule well share four operational practices.

A documented materiality framework. Not a checklist someone wrote three years ago — a living document that’s been pressure-tested with realistic incident scenarios. The CFO and General Counsel have both signed off.

Incident-time documentation. When an incident is detected, the timeline is captured in real time: detection, triage, escalation, containment, materiality assessment, decision. Each step is timestamped. Each decision-maker is named.
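The timestamped timeline described here, together with the four-business-day clock from the materiality section above, can be modelled in a few lines. The Python below is an added illustration, not code from the post or from Talarity's product; the step names, people, dates and the single holiday are constructed, and the holiday calendar is assumed to be supplied by the caller.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone

@dataclass
class IncidentRecord:
    """Append-only incident timeline: every step carries a timestamp and a named owner."""
    incident_id: str
    events: list = field(default_factory=list)  # (step, when_utc, who)

    def log(self, step: str, when: datetime, who: str) -> None:
        if self.events and when < self.events[-1][1]:
            raise ValueError(f"{step} is timestamped before the previous step")
        self.events.append((step, when, who))

    def when(self, step: str):
        return next((w for s, w, _ in self.events if s == step), None)

def eight_k_deadline(determined: datetime, holidays=()) -> date:
    """Last filing day: four business days after the materiality determination.
    A business day is a weekday not in `holidays` (assumption: caller supplies them)."""
    d, remaining = determined.date(), 4
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5 and d not in holidays:
            remaining -= 1
    return d

def clock_report(rec: IncidentRecord, holidays=(), target_hours: float = 48) -> dict:
    """Auditable summary: detection-to-determination lag and the 8-K filing deadline."""
    detected, determined = rec.when("detection"), rec.when("materiality_determined")
    if detected is None or determined is None:
        raise ValueError("timeline must record both detection and materiality determination")
    lag_hours = (determined - detected).total_seconds() / 3600
    return {
        "incident_id": rec.incident_id,
        "determined_utc": determined.isoformat(),
        "hours_detection_to_determination": round(lag_hours, 1),
        "assessment_within_target": lag_hours <= target_hours,
        "file_8k_by": eight_k_deadline(determined, holidays).isoformat(),
        "decision_makers": sorted({who for _, _, who in rec.events}),
    }

# Constructed sample timeline (dates, names and the holiday are illustrative only).
UTC = timezone.utc
SAMPLE = IncidentRecord("INC-2026-0001")
SAMPLE.log("detection", datetime(2026, 3, 5, 10, 0, tzinfo=UTC), "SOC lead")
SAMPLE.log("materiality_assessment", datetime(2026, 3, 6, 9, 0, tzinfo=UTC), "General Counsel")
SAMPLE.log("materiality_determined", datetime(2026, 3, 6, 15, 30, tzinfo=UTC), "CFO")
SAMPLE_HOLIDAYS = (date(2026, 3, 10),)  # constructed holiday showing the clock skip a day
```

Running `clock_report(SAMPLE, SAMPLE_HOLIDAYS)` shows the determination 29.5 hours after detection and a filing deadline of 2026-03-13 (the Friday determination plus four business days, skipping the constructed Tuesday holiday).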

A pre-built 8-K skeleton. Counsel and IR have a template already drafted that can be filled in within hours of a materiality determination. Building it from scratch in the four-day window is a recipe for missing the window or shipping a poorly-worded disclosure.

Quarterly board cybersecurity briefings. The board has demonstrable oversight. Briefings cover incidents, risk posture, and program changes. Minutes reflect substantive discussion. Item 1C describes this honestly.

What most programs are still missing

In our work with mid-market and enterprise customers, three gaps come up regularly:

The clock isn’t auditable. Companies often can’t show, with documentation, when materiality was determined. Email threads and Slack messages don’t cut it. The defensibility depends on a single source of truth with timestamps.

Item 1C is generic. The narrative reads as boilerplate that could describe any company’s program. The SEC has flagged this — they want specifics.

Subsidiary incidents are unclear. When a subsidiary suffers an incident, when does the parent’s clock start? When does materiality cross the subsidiary-to-parent threshold? Most companies don’t have a clear answer. The legal calculus depends on facts and circumstances, but the operational machinery should at least produce the data needed to make the call.

How Talarity helps

Talarity ships an SEC cybersecurity disclosure module: materiality workflows with documented criteria and timestamped decisions, AI-drafted 10-K Item 1C narrative grounded in your real control library and governance records, board oversight evidence (briefings, training, meeting minutes), and pre-built 8-K disclosure templates. It’s wired into our risk register, so the materiality math has live inputs.

If you’re a public company building this machinery — or rebuilding it after the first year revealed gaps — talk to us. A 30-minute walkthrough shows what mature SEC cyber compliance looks like operationally.
