Explain This: The SEC Cyber 8-K Rule (Materiality, 4 Days, and the Mistake That Gets You Sued)
Most incident response plans are written like the only audience is the SOC.
The SEC’s cyber disclosure rule makes a second audience unavoidable: shareholders, plaintiffs, and regulators.
This is the translation layer.
What it is
Public companies have to disclose a cybersecurity incident on Form 8-K when it is determined to be material, generally within four business days.
The hard part is not the filing. It is the sentence: “determined to be material.”
Materiality is a legal standard with teeth. If the company gets cute, the litigation will not.
Why it matters
This rule collapses two timelines that used to be separate.
- The technical timeline (contain, scope, eradicate)
- The legal timeline (preserve evidence, assess exposure, prepare disclosures)
If you treat disclosure as something you do after the engineers “finish,” you will either miss the window or say something sloppy.
Either outcome becomes Exhibit A.
Where teams screw up
1) They confuse “we do not know yet” with “it is not material”
Unknown scope is not the same thing as immaterial impact.
If you have credible indicators of business impact and you delay because the root cause is still fuzzy, you are creating a narrative plaintiffs love: you waited until certainty, not reasonableness.
2) They let one function own the call
Security wants time.
Legal wants defensibility.
Finance wants predictability.
IR runbooks that pretend materiality is a single-person decision are fantasy. A defensible decision requires a documented process and a cross-functional record.
3) They document everything except the decision logic
Most companies can produce tickets, timelines, and vendor reports.
What they cannot produce cleanly is the reasoning chain:
- What facts were known on day 1, day 2, day 3
- Who reviewed those facts
- What thresholds were applied
- Why the company concluded “material” or “not material” at that moment
In litigation, the absence of decision logic reads like absence of care.
What “reasonable” looks like
Reasonable does not mean perfect.
It means your organization can show, without improvising:
1) A standing materiality playbook that maps incident facts to business impact categories (revenue disruption, customer harm, regulatory exposure, operational downtime).
2) A decision meeting cadence in the first 72 hours (daily, sometimes twice daily) with security, legal, finance, and comms.
3) A written decision memo every time you decide “not material,” including what would change the decision.
4) Evidence preservation by default (logs, chat, forensic images, third-party notifications). If it is not written down, it did not happen.
5) Board visibility that is real. Not a slide deck two weeks later.
If your process cannot survive discovery, it is not reasonable. It is just informal.
What to do this week
1) Write the one-page materiality rubric. Keep it ugly and usable.
2) Add a “4 business day clock” checkpoint to IR. Not as pressure, as visibility.
3) Create a decision memo template. One page. Facts, impact, call, sign-offs.
4) Pre-draft two disclosure skeletons. One for “material confirmed,” one for “still assessing.” Do not wait until you are panicking.
5) Run a tabletop that ends with the memo. If you never practice the decision artifact, you will not have it when it matters.
Subscribe if you want incident response guidance that holds up when lawyers show up.
What is your organization’s weakest link right now, scoping, decision-making, or documentation?