
SEC Cybersecurity Disclosure Rules: A CPA’s Guide to Materiality Determinations

18 min read | Updated March 22, 2026

Bottom Line Up Front

The SEC’s cybersecurity disclosure rules (adopted in Release No. 33-11216, referred to throughout this guide as Rule 33-11216) require public companies to file a Form 8-K within four business days of determining that a cybersecurity incident is material. Materiality follows existing securities law standards, including both quantitative benchmarks and the qualitative factors outlined in SAB 99. Since December 2023, only 14% of cybersecurity 8-K filings have declared the reported incident material [Greenberg Traurig 2025].

The CFO calls at 6:47 AM. Your SIEM flagged unauthorized access to a database containing 2.3 million customer records. The incident response team is already working containment. But the CFO is not asking about the firewall or the threat actor. She is asking one question: “Is this material?” You have four business days from the moment someone answers that question to file a Form 8-K with the Securities and Exchange Commission. The clock has not started yet. The materiality determination has.

Between December 2023 and January 2025, 54 companies filed cybersecurity incident reports on Form 8-K under the SEC’s new disclosure rules [SEC Rule 33-11216]. Only 14% of those filings concluded the event was material [Greenberg Traurig 2025]. The gap between “we had an incident” and “this is material to investors” is where most public companies are struggling. It is an accounting question dressed in cybersecurity clothing, and the SEC has made clear that getting it wrong carries real consequences: nearly $7 million in combined penalties against Unisys, Avaya, Check Point, and Mimecast for misleading cyber disclosures in October 2024 alone [SEC Press Release 2024-174].

The materiality determination sits at the intersection of two disciplines most organizations keep in separate buildings. The CISO understands the technical severity. The CFO understands quantitative materiality thresholds. The general counsel understands the qualitative factors that make a numerically small incident material to the total mix of information investors need. Getting this right requires all three in the same room, working from the same framework, within hours of an incident. The rules, the enforcement precedents, and the specific accounting standards that govern the determination follow below.


What Does the SEC Cybersecurity Disclosure Rule Actually Require?

Release No. 33-11216, adopted July 26, 2023, created two distinct disclosure obligations for public companies: incident reporting under new Item 1.05 of Form 8-K, and annual governance reporting under new Item 106 of Regulation S-K, which appears in Form 10-K as Item 1C [SEC Rule 33-11216]. The incident reporting requirement applied to all registrants as of December 18, 2023, with smaller reporting companies beginning June 15, 2024; the annual disclosure applied to 10-Ks for fiscal years ending on or after December 15, 2023.

The rule does not create a new definition of materiality. It applies the same standard the Supreme Court established in TSC Industries v. Northway (1976): information is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision. The difference is speed. Before this rule, cybersecurity incidents surfaced in quarterly or annual filings weeks or months after the event. The four-business-day clock compresses a determination that finance teams used to make over weeks into a decision measured in hours. In their first year of Item 106 disclosures, S&P 100 companies averaged 980 words, and 76% assigned primary cybersecurity oversight to the audit committee [Gibson Dunn 2025 Survey].

Form 8-K Item 1.05: The Four-Day Clock

Item 1.05 requires disclosure of the material aspects of the nature, scope, and timing of the incident, along with the material impact or reasonably likely material impact on the registrant’s financial condition and results of operations. The four-business-day filing window begins when the company determines the incident is material, not when the incident occurs. This distinction matters. The SEC requires the materiality determination to happen “without unreasonable delay” after discovery. Examples of unreasonable delay from the adopting release include deferring committee meetings past the normal convening time or revising incident response policies to support a slower determination [SEC Rule 33-11216].

A company may delay disclosure for an initial period of up to 30 days if the U.S. Attorney General determines that disclosure poses a substantial risk to national security or public safety, with a further 30-day extension available and, in extraordinary circumstances, a final extension of up to 60 days. This exception is narrow. In practice, it has been invoked rarely.

Form 10-K Item 106: Annual Governance Disclosure

Item 106 requires annual disclosure of cybersecurity risk management processes, strategy, and governance structures. Companies must describe the board’s oversight of cybersecurity risk, identify any committee responsible for oversight, and explain management’s role in assessing and managing material cybersecurity risks. These disclosures require Inline XBRL tagging beginning one year after initial compliance, which for most filers means annual reports for fiscal years ending on or after December 15, 2024 (the 10-Ks filed in 2025) [SEC Rule 33-11216].

The May 2024 Guidance Correction

SEC Division of Corporation Finance Director Erik Gerding issued a statement on May 21, 2024, addressing a pattern the agency had observed: companies were filing Item 1.05 reports for incidents they had not determined to be material [SEC Corp Fin Director Statement, May 2024]. The guidance clarified that Item 1.05 is exclusively for incidents determined to be material. Immaterial incidents or incidents still under assessment should be disclosed voluntarily under Item 8.01, if at all. This distinction matters for audit documentation. Filing under the wrong item creates a compliance record that auditors and regulators examine.

Map your incident response plan to the 8-K filing timeline. Add a materiality assessment checkpoint within 24 hours of incident detection. Assign a named individual (not a committee) as the materiality determination owner. Document the determination rationale in writing, including both quantitative and qualitative factors considered and rejected. File under Item 1.05 only after an affirmative materiality determination. Use Item 8.01 for voluntary disclosure of non-material or still-assessed incidents.

How Do Accounting Materiality Standards Apply to Cybersecurity Incidents?

SAB 99, issued by the SEC staff in 1999, remains the governing framework for materiality judgments across all securities disclosures, including cybersecurity [SEC SAB 99]. The bulletin established that a quantitatively small misstatement, one falling below the traditional 5% threshold, could still be material based on qualitative factors. PwC’s guidance on cybersecurity materiality notes that cyber incidents “may warrant greater consideration of qualitative factors than what is discussed in SAB 99” because the most significant harms from a breach, such as theft of intellectual property not reflected on the balance sheet, often have no direct financial statement line item [PwC 2024]. The average data breach cost $4.88 million in 2024, a 10% year-over-year increase [IBM Cost of a Data Breach Report 2024]. For a Fortune 500 company, that figure falls well below any quantitative materiality threshold. The qualitative factors are what push the determination toward material.

Quantitative Materiality: The Traditional CPA Framework

Auditors have used quantitative materiality benchmarks for decades. The common rules of thumb are 5% of pre-tax income, 0.5% to 1% of total revenue, and 1% to 2% of total assets, depending on the benchmark the engagement team selects. AU-C 320 requires the auditor to set materiality using professional judgment; the percentages themselves are practice conventions, not thresholds the standard prescribes [AICPA AU-C 320]. A cybersecurity incident’s direct financial impact, including remediation costs, legal fees, regulatory fines, and lost revenue, maps to these benchmarks in a straightforward way. The $4.88 million global average breach cost is immaterial for a company generating $10 billion in revenue. It is highly material for a company generating $50 million.

The quantitative calculation requires aggregation. The SEC rule addresses “an incident or series of related incidents.” A threat actor who exfiltrates data across three subsidiaries over six weeks constitutes one materiality assessment, not three. Finance teams accustomed to evaluating individual transactions need to aggregate related cybersecurity events before running the quantitative test.

Qualitative Materiality: Where SAB 99 Meets Cybersecurity

SAB 99 identifies nine qualitative factors that make a quantitatively small error material. Five of those factors apply directly to cybersecurity incidents:

  • Masking a change in earnings or other trends: A breach that disrupts revenue recognition or delays contract execution during a quarter where the company is already trending downward.
  • Hiding a failure to meet analyst expectations: Remediation costs that would cause an earnings miss if disclosed.
  • Changing a loss into income or vice versa: Insurance recoveries for breach costs that offset operating losses.
  • Affecting compliance with regulatory requirements: An incident that triggers notifications under HIPAA, state breach laws, or GDPR in addition to the SEC rule.
  • Affecting compliance with loan covenants: Breach-related expenses or revenue loss that push the company toward a covenant violation.

The SEC’s adopting release added factors specific to cybersecurity: harm to reputation, harm to customer and vendor relationships, loss of competitiveness, and likelihood of litigation or regulatory action [SEC Rule 33-11216]. These qualitative factors explain why the Unisys enforcement action resulted in a $4 million penalty. Unisys described cybersecurity risks as “hypothetical” in its public filings while knowing it had experienced two SolarWinds-related intrusions involving exfiltration of gigabytes of data [SEC Press Release 2024-174].

Qualitative materiality often drives the determination for cybersecurity incidents. A $2 million breach at a company with $500 million in revenue is quantitatively immaterial. If that breach involves customer PII, triggers three state notification laws, and occurs during a pending acquisition, the qualitative factors make it material.

Build a dual-track materiality assessment template. Column one: quantitative impact (remediation costs, legal exposure, revenue loss, insurance recovery, regulatory fines) measured against your audit materiality threshold. Column two: qualitative factors mapped to the nine SAB 99 criteria plus the four cyber-specific factors from Rule 33-11216. Document the qualitative assessment even when the quantitative impact is below threshold. The October 2024 enforcement actions penalized disclosures that omitted facts the companies already knew, not a failure to reach a specific dollar figure.
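The aggregation rule, the quantitative benchmarks, and the dual-track template above are easy to get wrong under time pressure, so here is a worked worksheet in Python. It is an added example, not code from this guide’s author or from any regulator: the benchmark percentages are the audit rules of thumb quoted earlier, the qualitative factor names are a hypothetical encoding of the SAB 99 and Rule 33-11216 factors listed above, the company financials and incident figures are constructed, and the four-business-day clock skips weekends only unless a holiday set is supplied. It aggregates related events into one assessment, reports each benchmark as a fraction of its threshold, flags the “near threshold” case where qualitative factors become decisive, and computes the Item 1.05 due date from the determination date rather than the detection date.

```python
"""Dual-track materiality worksheet plus the Item 1.05 filing clock.

Added example, not code from the guide's author. Assumptions (hypothetical):
benchmark percentages are the audit rules of thumb quoted in the text, the
incident figures are constructed, and the business-day clock skips weekends
only unless a holiday set is supplied.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class Financials:
    pretax_income: float
    revenue: float
    total_assets: float


@dataclass(frozen=True)
class IncidentEvent:
    ident: str
    campaign: str            # grouping key for "a series of related incidents"
    remediation: float
    legal: float
    fines: float
    lost_revenue: float
    insurance_recovery: float = 0.0

    def net_cost(self) -> float:
        return (self.remediation + self.legal + self.fines
                + self.lost_revenue - self.insurance_recovery)


# Lower end of the common audit benchmark ranges (engagement-team choice).
BENCHMARKS = {"pretax_income": 0.05, "revenue": 0.005, "total_assets": 0.01}
NEAR_THRESHOLD = 0.8   # flag when cost reaches 80% of any quantitative threshold

# Hypothetical encoding of the SAB 99 considerations mapped to cyber above,
# plus the four cyber-specific factors from the adopting release.
QUALITATIVE_FACTORS = frozenset({
    "masks_earnings_trend", "hides_analyst_miss", "flips_loss_to_income",
    "regulatory_noncompliance", "loan_covenant", "reputational_harm",
    "customer_vendor_relationships", "loss_of_competitiveness",
    "litigation_or_regulatory_action",
})


@dataclass
class Determination:
    campaign: str
    aggregated_cost: float
    threshold_fractions: dict[str, float]   # cost / threshold, per benchmark
    quantitatively_material: bool
    near_threshold: bool
    qualitative_flags: frozenset[str]
    material: bool
    rationale: list[str] = field(default_factory=list)


def aggregate_related(events: list[IncidentEvent], campaign: str) -> float:
    """One assessment per related series: sum net cost across the campaign."""
    return sum(e.net_cost() for e in events if e.campaign == campaign)


def assess(events: list[IncidentEvent], campaign: str, fin: Financials,
           qualitative_flags: set[str]) -> Determination:
    unknown = set(qualitative_flags) - QUALITATIVE_FACTORS
    if unknown:   # reject factors that are not on the documented checklist
        raise ValueError(f"unrecognised qualitative factor(s): {sorted(unknown)}")
    cost = aggregate_related(events, campaign)
    fractions = {name: cost / (pct * getattr(fin, name))
                 for name, pct in BENCHMARKS.items()}
    quant = any(f >= 1.0 for f in fractions.values())
    near = any(f >= NEAR_THRESHOLD for f in fractions.values())
    flags = frozenset(qualitative_flags)
    rationale = [f"aggregated net cost {cost:,.0f} across campaign {campaign}"]
    rationale += [f"{name}: {f:.0%} of threshold" for name, f in fractions.items()]
    rationale.append("qualitative factors present: "
                     + (", ".join(sorted(flags)) or "none"))
    # A quantitative breach is sufficient; otherwise a qualitative factor decides.
    material = quant or bool(flags)
    rationale.append("determination: " + ("MATERIAL" if material else "not material"))
    return Determination(campaign, cost, fractions, quant, near, flags,
                         material, rationale)


def filing_deadline(determined_on: date, business_days: int = 4,
                    holidays: frozenset[date] = frozenset()) -> date:
    """Item 1.05 due date: four business days after the materiality determination."""
    day, counted = determined_on, 0
    while counted < business_days:
        day += timedelta(days=1)
        if day.weekday() < 5 and day not in holidays:
            counted += 1
    return day


def deadline_iso(determined_iso: str, holidays_iso: tuple[str, ...] = ()) -> str:
    """String convenience wrapper around filing_deadline (ISO 8601 dates)."""
    hols = frozenset(date.fromisoformat(h) for h in holidays_iso)
    return filing_deadline(date.fromisoformat(determined_iso), holidays=hols).isoformat()


# Constructed sample: two related events by one actor, plus an unrelated phish.
FIN = Financials(pretax_income=45e6, revenue=600e6, total_assets=600e6)
EVENTS = [
    IncidentEvent("INC-1", "actor-A", 800_000, 300_000, 0, 200_000),
    IncidentEvent("INC-2", "actor-A", 500_000, 250_000, 0, 150_000, 200_000),
    IncidentEvent("INC-3", "phish-B", 40_000, 10_000, 0, 0),
]
PII_FLAGS = {"regulatory_noncompliance", "litigation_or_regulatory_action",
             "reputational_harm"}

if __name__ == "__main__":
    det = assess(EVENTS, "actor-A", FIN, PII_FLAGS)
    print("\n".join(det.rationale))
    print("8-K due:", deadline_iso("2026-03-20"))   # Friday determination
```

On the constructed sample, the two related events aggregate to $2.0 million, which is 89% of the 5% pre-tax income threshold and below the revenue and asset thresholds, so the worksheet reports “not quantitatively material, near threshold” and lets the three qualitative flags carry the determination; the unrelated phishing event is excluded from the aggregate because it has a different campaign key. A Friday determination yields a Thursday due date, and adding the following Monday as a holiday pushes it to Friday. Keep the rationale lines with the signed determination record; they are the written quantitative-and-qualitative trail the action items above ask for.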

Who Makes the Materiality Determination?

PwC identifies three functional teams that must coordinate the materiality determination within hours: the CISO and technical leadership, the CFO and finance team, and the general counsel and legal team [PwC 2024]. The rule does not specify who makes the determination. Most public companies route it through a disclosure committee or a subset of executive management. The SEC’s concern is not who decides but how fast and how well-documented the process is. The adopting release flags two specific forms of unreasonable delay: deferring disclosure committee meetings beyond the normal convening schedule and revising incident response procedures mid-incident to slow the determination process [SEC Rule 33-11216]. Both suggest the SEC expects the determination mechanism to exist before the incident occurs.

The CISO’s Role: Technical Impact Assessment

The CISO provides the technical facts the finance and legal teams need: scope of affected systems, number of records exposed, type of data compromised, threat actor attribution (if known), containment status, and estimated remediation timeline. PwC’s framework positions the CISO as the first input to the materiality determination, not the decision-maker [PwC 2024]. The CISO translates technical severity (a CVSS score, an attacker dwell time, a lateral movement path) into business language the CFO and general counsel use for the materiality assessment.

The CFO’s Role: Financial Quantification

The CFO quantifies the incident’s financial impact against the materiality thresholds already established for the annual audit. This includes direct costs (forensic investigation, legal counsel, notification, credit monitoring), indirect costs (business interruption, customer churn, contract penalties), and contingent liabilities (class action exposure, regulatory fines). Healthcare breaches averaged $9.77 million per incident in 2024 [IBM Cost of a Data Breach Report 2024]. Financial sector breaches averaged $6.08 million, about 25% above the $4.88 million global mean. The CFO’s role is to compare these projections against the company’s specific quantitative materiality threshold and flag when the number is close enough that qualitative factors become decisive.

General Counsel’s Role: The Total Mix Assessment

The general counsel evaluates what PwC calls the “total mix of relevant factors” including reputational, operational, legal, and regulatory impacts [PwC 2024]. The general counsel also manages privilege considerations during the incident investigation. Attorney-client privilege on forensic reports does not extend to the materiality determination itself, which must be documented for regulatory review. This creates a tension: the investigation should be thorough enough to inform the determination, but the determination cannot wait for the investigation to conclude.

  • Establish a materiality determination committee with named representatives from security, finance, and legal before an incident occurs
  • Define escalation criteria that trigger committee convening within 4 hours of incident detection
  • Create a pre-built assessment template with quantitative thresholds and qualitative factor checklist
  • Document the determination rationale in writing, signed by all three functional leads
  • Establish a privilege protocol separating the forensic investigation (privileged) from the materiality determination (discoverable)
  • Run a tabletop exercise at least annually that includes the materiality determination, not only the technical response

Schedule a cross-functional tabletop exercise within 90 days that simulates the materiality determination process, not the incident response. Use a scenario where the quantitative impact is ambiguous (near the threshold) and the qualitative factors are mixed. Time the exercise: the team should reach a documented determination within 4 hours. If they cannot, redesign the escalation path and the assessment template.

What Do the SEC Enforcement Actions Reveal About Materiality Expectations?

Four enforcement actions in October 2024 established the SEC’s practical expectations for cybersecurity materiality disclosures, resulting in nearly $7 million ($6.985 million) in combined civil penalties [SEC Press Release 2024-174]. Unisys paid $4 million, the largest penalty, for describing cybersecurity risks as “hypothetical” in SEC filings while knowing it had experienced two intrusions with data exfiltration. Avaya paid $1 million for stating that a threat actor accessed a “limited number” of email messages when the company knew the actor had also accessed at least 145 files in its cloud file-sharing environment. Check Point paid $995,000 and Mimecast paid $990,000 for omitting material details about the scope and impact of their respective incidents. The pattern across all four cases is the same: the companies had information indicating the incident was more severe than disclosed, and they chose language that minimized the known facts.

The SolarWinds Precedent

The SEC’s October 2023 action against SolarWinds and CISO Timothy Brown was the first enforcement action charging an individual for cybersecurity disclosure failures. The Southern District of New York dismissed most claims in July 2024, finding that SolarWinds’ generalized security statements in press releases, blog posts, and podcasts constituted “non-actionable corporate puffery”; the claims that survived dismissal concerned the specific representations in the security statement on SolarWinds’ website [SDNY, SolarWinds Opinion, July 2024]. The SEC dismissed the remaining claims with prejudice in November 2025. The case established two important boundaries. First, general security statements (“we take security seriously”) are not actionable even if the company’s security posture is weak. Second, specific factual statements about security controls or known incidents that minimize or omit material details are actionable. The line between puffery and fraud runs through specificity.

Enforcement Implications for the Materiality Process

The four SolarWinds-victim settlements share a common deficiency: each company’s disclosure process failed to incorporate information the company already possessed. Unisys knew about data exfiltration but described risks as hypothetical. Avaya knew about file access but disclosed only email access. The enforcement theory is not that companies must predict the full scope of an ongoing incident. The theory is that companies must disclose what they know at the time of filing and update the disclosure as new information becomes available. Amended 8-K filings are expected when material new information surfaces after the initial disclosure [SEC Rule 33-11216].

Audit your current incident disclosure process against the four enforcement actions. Pull your last three cybersecurity-related SEC filings (8-K or 10-K). Compare the language against the internal incident reports for the same events. Flag any instance where the public filing uses language that is less specific than the internal documentation. Build a disclosure review checkpoint where the incident documentation team compares the draft 8-K against the forensic findings before filing.

How Does Regulation S-P Change Cybersecurity Disclosure Requirements?

Amended Regulation S-P, with compliance dates of December 3, 2025, for larger entities and June 3, 2026, for smaller entities, adds a parallel set of obligations for broker-dealers, investment advisers, investment companies, and transfer agents [SEC Regulation S-P Amendments, May 2024]. The amendments require covered institutions to notify affected individuals of breaches involving “sensitive customer information” as soon as practicable and no later than 30 days after becoming aware of the breach, and to require service providers to notify the institution within 72 hours of becoming aware of a breach affecting customer information systems. The SEC’s 2026 Examination Priorities elevated cybersecurity and operational resiliency as core focus areas, while removing cryptocurrency from the priority list for the first time since 2018 [SEC 2026 Examination Priorities]. This signals where examination resources are shifting. The convergence of Rule 33-11216’s incident disclosure requirements and Regulation S-P’s breach notification obligations creates a dual-track reporting burden for financial services companies.

The 72-Hour Service Provider Notification

Regulation S-P requires covered institutions to update service provider contracts with a 72-hour breach notification clause. Service providers must notify the covered institution within 72 hours of detecting a breach involving customer information systems. This creates a cascading timeline: the service provider has 72 hours to notify the institution, and the institution must then assess whether the breach triggers its own disclosure obligations under both Regulation S-P (individual notification) and Rule 33-11216 (8-K filing if material). Companies subject to both rules need incident response plans that address both timelines simultaneously.

Written Incident Response Plan Requirement

The Regulation S-P amendments require a written incident response plan, which echoes the SEC’s broader expectation that cybersecurity governance exists before an incident occurs. The plan must address detection, assessment, containment, notification, and recovery. For organizations already maintaining incident response plans aligned to NIST or ISO 27001, the Regulation S-P requirements map to existing controls. The gap for most firms is the customer notification procedure and the service provider oversight mechanisms.

Review all third-party service provider contracts for the 72-hour breach notification clause required by Regulation S-P. Identify any vendor agreement that lacks this provision and negotiate an amendment before the June 3, 2026, compliance deadline for smaller entities. Update your incident response plan to include a dual-track assessment: Regulation S-P individual notification and Rule 33-11216 materiality determination. Map the decision tree for incidents that trigger both obligations. Document the incident classification criteria that distinguish between the two tracks.

The SEC cybersecurity disclosure rule transformed materiality from an accounting exercise performed quarterly into a real-time judgment call performed under pressure. The companies that get this right have one thing in common: a pre-built materiality determination framework that brings the CISO, CFO, and general counsel together within hours, not days. The companies that get it wrong treat materiality as a legal question for outside counsel to answer after the incident investigation concludes. By then, the four-day clock has already started, and the determination is already late.

Frequently Asked Questions

What triggers the four-business-day SEC cybersecurity disclosure deadline?

The four-business-day deadline begins when the company determines a cybersecurity incident is material, not when the incident is detected or contained [SEC Rule 33-11216]. The materiality determination itself must occur “without unreasonable delay” after discovery. Deferring committee meetings or revising procedures to slow the determination constitutes unreasonable delay under the adopting release.

How does SEC cybersecurity materiality differ from audit materiality?

SEC cybersecurity materiality applies the same legal standard as financial statement materiality, the “reasonable investor” test from TSC Industries v. Northway, but requires greater weight on qualitative factors [SAB 99, SEC Rule 33-11216]. PwC notes that cyber incidents often lack direct financial statement line items, making qualitative considerations like reputational harm, litigation risk, and regulatory exposure more decisive than quantitative thresholds alone.

What are the penalties for inadequate SEC cybersecurity disclosure?

The SEC imposed nearly $7 million in combined civil penalties against Unisys ($4 million), Avaya ($1 million), Check Point ($995,000), and Mimecast ($990,000) in October 2024 for minimizing known cybersecurity incidents in public filings [SEC Press Release 2024-174]. Penalties targeted the gap between what companies knew internally and what they disclosed publicly, not the failure to prevent the incident itself.

SEC cybersecurity disclosure vs. state breach notification: what is the difference?

SEC cybersecurity disclosure under Rule 33-11216 requires filing a Form 8-K when a cybersecurity incident is determined to be material to investors, regardless of whether personal data was exposed [SEC Rule 33-11216]. State breach notification laws trigger on unauthorized acquisition of or access to personally identifiable information, with deadlines that typically run 30 to 60 days from discovery depending on the jurisdiction (the 72-hour window many teams remember is GDPR’s supervisory-authority deadline, not a state rule). A single incident often triggers both obligations, requiring parallel compliance tracks.

How should companies handle ongoing incidents under the SEC disclosure rule?

Companies must disclose what they know at the time of the materiality determination and file an amended 8-K when material new information surfaces [SEC Rule 33-11216]. The initial filing does not require the investigation to be complete. Companies should describe the known facts, note what remains under investigation, and update the filing as the investigation progresses. The SEC penalizes omission of known facts, not uncertainty about unknown facts.

How do SAB 99 qualitative factors apply to cybersecurity incidents?

SAB 99 qualitative factors make a quantitatively small cybersecurity incident material when it masks earnings trends, triggers regulatory obligations, affects loan covenants, or involves management misconduct [SEC SAB 99]. The SEC’s adopting release for Rule 33-11216 added four cyber-specific qualitative factors: harm to reputation, harm to customer and vendor relationships, loss of competitiveness, and likelihood of litigation or regulatory action.

What does SEC Form 10-K Item 106 require for cybersecurity governance?

Item 106 requires annual disclosure of the board’s cybersecurity risk oversight structure, identification of responsible committees, and management’s role in assessing material cybersecurity risks [SEC Rule 33-11216]. Among S&P 100 companies, 76% assign primary cybersecurity oversight to the audit committee, and the average Item 106 disclosure runs 980 words [Gibson Dunn 2025 Survey]. Disclosures must be tagged in Inline XBRL beginning with annual reports for fiscal years ending on or after December 15, 2024.

How does Regulation S-P’s 72-hour notification relate to SEC cybersecurity disclosure?

Regulation S-P requires service providers to notify covered financial institutions within 72 hours of detecting a breach involving customer information systems [SEC Regulation S-P Amendments, May 2024]. This creates a cascading timeline: the service provider notification triggers the institution’s own assessment under both Regulation S-P (individual notification) and Rule 33-11216 (8-K filing if material). Financial services firms subject to both rules need dual-track incident response procedures.


Josef Kamara, CPA · CISSP · CISA · Security+

Former KPMG and BDO. Senior manager over third-party risk attestations and IT audits at a top-five global firm, and former technology risk leader directing the IT audit function at a Fortune 500 medical technology company. Advises growth-stage SaaS companies on SOC 2, HIPAA, and AI governance certifications.