SEC's 4-business-day cyber disclosure rule: what US public and pre-IPO CISOs must build in 2026

By Nirav Goti, Jun 24, 2026, 17 min read

On October 22, 2024, the SEC announced settlements with Unisys, Avaya, Check Point and Mimecast totaling roughly $7 million for materially misleading cybersecurity disclosures tied to the SolarWinds compromise. Unisys alone paid $4 million for describing risks as hypothetical when an intrusion had already occurred. Those orders concerned disclosures made before the current incident-reporting rule existed and were brought for misleading statements rather than late filings, but they remain the clearest signal of how the SEC reads cyber disclosures. The rule itself is Item 1.05 of Form 8-K, in force since December 18, 2023 (June 15, 2024 for smaller reporting companies), which requires a registrant to file within four business days of determining that a cybersecurity incident is material. The complication for 2026 is that the clock is loud, but the trigger is quiet. Materiality is a judgement call, the May 21, 2024 Corp Fin guidance pushed voluntary disclosures into Item 8.01 rather than 1.05, and the S.D.N.Y. dismissal of most SEC claims against SolarWinds and its CISO Tim Brown on July 18, 2024 (followed by the SEC dropping the rest with prejudice on November 20, 2025) reset where personal exposure actually sits. Yet the Cyber and Emerging Technologies Unit (CETU), stood up in February 2025 under then-Acting Chairman Mark Uyeda before Paul Atkins became Chair, is still scoping cyber misrepresentations that harm investors. So what does a defensible 2026 Item 1.05 program look like for a US-listed company, a foreign private issuer that files on 6-K, or an Indian-headquartered firm with an ADR or US subsidiary that consolidates into a registrant? This guide walks the rule line by line, then turns it into a board-ready playbook.

What Item 1.05 actually says, and why the clock is not what you think

Most CISOs can recite "four business days" but cannot point to the specific trigger. That gap is the single largest source of late filings and over-filings in 2024 and 2025. The text of Item 1.05 of Form 8-K, adopted in the SEC's July 2023 release on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, requires a registrant to describe the nature, scope and timing of a material cybersecurity incident, and the material impact or reasonably likely material impact on the company, including financial condition and results of operations. The filing must happen within four business days after the registrant determines the incident is material, not four days from detection, containment, or notification to law enforcement. The rule also requires that determination to be made without unreasonable delay after discovery, so the trigger cannot simply be deferred. If some required information is undetermined or unavailable at the time of filing, Item 1.05(b) lets the registrant say so and file an amendment within four business days of determining it or of its becoming available. This distinction matters because the clock is anchored to the company's own determination. Reg S-K Item 106 then layers on a separate annual obligation in the Form 10-K to describe processes for assessing, identifying and managing cyber risks, board oversight, and management's role. Foreign private issuers report through Form 6-K on a comparable basis. Three traps appear repeatedly. First, treating "discovery" as the start of the clock pushes filings out the door before scoping is done. Second, treating "fully scoped financial impact" as the trigger pushes filings too late and invites enforcement. Third, voluntary filings of immaterial incidents under Item 1.05 confuse investors, which is exactly why Director Erik Gerding's May 21, 2024 Corp Fin statement directed non-material disclosures to Item 8.01. The only narrow safety valve is a written determination by the US Attorney General that disclosure poses a substantial risk to national security or public safety. That is a real but rare carve-out, and the rule contemplates an initial delay of up to 30 days, a single further 30-day extension, and a final 60-day extension in extraordinary circumstances.

The four-business-day clock is anchored to the company's own materiality determination (which the rule requires be made without unreasonable delay), not detection or containment, which is why a timestamped sign-off discipline is the single most important control.

How to define materiality without inventing it in the middle of a breach

The hardest single sentence to write during an incident is the one that says "this is material." Boards want certainty; the SEC wants judgement. The way through is a pre-agreed materiality framework that gets approved in calm weather. The federal securities-law standard, carried expressly into Item 1.05 by the SEC's 2023 adopting release, asks whether there is a substantial likelihood that a reasonable investor would consider the information important. There is no quantitative dollar threshold and no carve-out for cyber. Build the framework around three layered tests. The first is quantitative: revenue at risk, recovery cost, customer churn exposure, regulatory fine exposure under Securities Exchange Act §21(d)(3) tiers (up to roughly $1.16 million per Tier 3 violation for entities in 2025 inflation-adjusted figures), and impact on guidance. The second is qualitative: harm to critical operations, customer trust, IP loss, exposure of regulated data triggering parallel HIPAA, NYDFS or state breach-notice clocks. The third is aggregation: whether individually immaterial incidents share a common threat actor, vector, or affected system such that they reasonably aggregate into a material event. The SEC has signalled this aggregation theory in comment letters but has not adopted a bright-line standard, which means a written internal policy is the only defence against hindsight. Document who signs. Most 2026 disclosure committees are running a three-stage gate: a technical scoping memo from the CISO, a legal sufficiency review by the GC, and a materiality determination signed by a named officer with the CFO and disclosure committee chair concurring. That signed determination, with timestamp, is what starts the four-business-day clock. Couple this with an offensive testing program against your highest-impact systems. Continuous penetration testing and adversarial attack simulation give the disclosure committee a real probability distribution instead of a hypothetical one, which is what regulators expect when they ask whether the company's pre-incident risk assessment was reasonable.

A written three-layered test, ratified in calm weather, lets the disclosure committee answer "is this material" with a reproducible decision instead of an in-the-moment guess.

The documented enforcement sweeps and what each one punished

Public companies often ask whether the SEC has actually fined anyone under the new rule. Not under Item 1.05 itself, but a sweep of four settlements over misleading cyber disclosures sits on the public record, and a separate doctrinal moment reshaped the personal-liability landscape. The October 22, 2024 sweep against Unisys, Avaya, Check Point and Mimecast was the headline event. Unisys paid $4 million and was also charged with disclosure-controls violations, because its public risk factors described cyber threats as hypothetical while two SolarWinds-related intrusions had already happened. Avaya paid $1 million for saying the attacker had accessed "a limited number of email messages" when it knew at least 145 files in its cloud file-sharing environment had also been accessed. Check Point paid $995,000 for generic impact language that did not convey the scope of the intrusion. Mimecast paid $990,000 for minimizing the volume of source code and customer credentials exfiltrated. The common thread was not failure to file an 8-K; it was misleading characterization once the company chose to speak. The July 18, 2024 dismissal of most SEC claims against SolarWinds and CISO Tim Brown by Judge Paul Engelmayer in S.D.N.Y. is the second pillar. The court rejected the SEC's expansive reading of internal accounting controls under Section 13(b)(2)(B) to encompass cybersecurity practices. The SEC voluntarily dismissed the remaining claims with prejudice on November 20, 2025. Outside counsel analyses, including Skadden's July 2024 write-up, treat the ruling as a significant narrowing of the SEC's individual-officer theory. It is not an absolution, since material-misstatement claims survived in part, but the locus of risk has moved back to company-level disclosure. The third pattern is what has not happened: as of mid-2026, the SEC has not announced a public penalty against a registrant solely for missing the four-business-day clock on a confirmed material incident. The enforcement signal is consistent. Punishment falls on what is said and how, not on filing speed alone. That should change how disclosure committees draft language: every adjective, every "limited," every "we believe" is read by enforcement staff.

None of the four 2024 settlements punished filing speed. Every penalty turned on misleading characterization of facts the companies chose to disclose.

The gating decision: who triggers materiality and how the rotation runs

The single most expensive mistake in 2024-2025 was letting the materiality determination float between the SOC, the CISO and outside counsel without a named owner. CISOs left exposed by that ambiguity are now demanding a written gating protocol. The protocol that has held up best in practice puts the disclosure committee, not the CISO, in possession of the determination. The CISO owns the technical scoping memo: confirmed adversary access, systems and data classes affected, evidence of exfiltration, business processes degraded. The committee, typically including the GC, CFO, CAO and disclosure committee chair, reviews the memo against the written materiality framework and votes. Rotation is the part most companies under-build. A material incident discovered at 11 pm on a Friday before a long weekend cannot wait for a Tuesday meeting. The 2026 best practice is a 24x7 reachable quorum of three out of five committee members, with named alternates, documented in the disclosure committee charter and tested twice a year. Hold the test live, with an external counsel observer, and capture the time-to-determination as a board metric. Vendor and third-party incidents are the hardest. The WEF Global Cybersecurity Outlook 2026 reported that third-party involvement in breaches doubled from 15% to 30% year on year. Item 1.05 applies to incidents on information systems the registrant owns or uses, including those operated by a vendor. The clock does not restart at the vendor's notification; it starts when the registrant determines materiality, which may be before or after the vendor formally notifies. Disclosure committees need contractual rights of access to vendor incident data and a standing process for evaluating vendor-side facts against the registrant's own materiality threshold. This is where a 24x7 detection and response capability matters. Without continuous telemetry, the CISO cannot give the committee a defensible scoping memo, and the committee will either over-disclose or wait too long. Outsourced 24x7 SOC monitoring is now standard equipment, not a maturity bonus.

When vendor breaches make up nearly a third of incidents, the registrant's clock and the vendor's clock no longer line up, and the disclosure committee needs contractual telemetry rights to scope materiality.

What a defensible 2026 incident-response playbook looks like

Item 1.05 does not stand alone. It collides with NYDFS 23 NYCRR Part 500's 72-hour notification, HIPAA's 60-day breach notification, the FTC Safeguards Rule's 30-day notification for events affecting 500+ consumers (in force since May 13, 2024), state breach-notice laws, OFAC sanctions diligence on ransom payments, and the pending CIRCIA 72-hour incident and 24-hour ransom payment clocks (final rule deferred to May 2026 per the Davis Wright Tremaine September 2025 analysis). A defensible playbook in 2026 has six modules running in parallel. The first is detection-to-triage, owned by the SOC, with a target time-to-confirmed-adversary-access under 60 minutes for high-criticality assets. The second is the technical scoping memo, owned by the CISO, with a 24-hour internal SLA from triage confirmation. The third is multi-regulator clock mapping, owned by the GC: an incident is logged into a clock matrix that lists every applicable obligation (SEC, NYDFS, HHS OCR, FTC, state AGs, sector regulators, CIRCIA when final) and the trigger that starts each one; the triggers differ, so the same incident can have one clock running in calendar hours from one event and another in business days from a different event. The fourth module is OFAC and Treasury sanctions review for any ransomware scenario, anchored to the September 2021 OFAC advisory. Pay-or-don't-pay is a board decision, not a SOC decision, and the playbook must reflect that. The fifth is communications: holding statements, customer notifications, regulator briefings, and SEC filing language all drafted from a single approved source of facts. The sixth is post-incident: amended 8-K filings under Item 1.05(b) when information that was undetermined or unavailable at the original filing becomes available (that amendment carries its own four-business-day clock), and 10-K and 10-Q updates as required. The most under-built module is the clock matrix. Most companies still maintain it in spreadsheets. The 2026 standard is an automated case management system with named owners, time-stamped events, and an audit trail that survives discovery. The fine pattern under cross-jurisdiction privacy and security regimes shows that regulators reward documented decision-making and punish reconstructed narratives.
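The clock matrix as a worked calculation. This is an added example, not code from the original article or from Certbar's tooling. It computes each deadline from the trigger event that starts it, using the article's Friday-night-before-a-long-weekend scenario, and it is deliberately the part spreadsheets get wrong: business days versus calendar days versus hours, and holidays. Everything below the SEC row is an assumption to be confirmed by counsel: the NYDFS clock is modelled as 72 calendar hours from a determination that an incident occurred, the FTC and HIPAA clocks as 30 and 60 calendar days from discovery, the holiday list is a hand-entered subset of 2026 US federal holidays, and 5:30 pm ET is assumed as the last moment a same-day EDGAR filing is accepted.

```python
"""
Multi-regulator clock matrix: compute each notification deadline from the
trigger that starts it. Illustrative example, not the article's or Certbar's
code; periods, triggers and holidays below are assumptions counsel must confirm.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Dict, List, Optional, Tuple

# Assumption: hand-entered subset of 2026 US federal holidays (observed dates).
# Production code should pull this from a maintained calendar, not a literal.
HOLIDAYS_2026 = {
    date(2026, 1, 1), date(2026, 1, 19), date(2026, 2, 16), date(2026, 5, 25),
    date(2026, 6, 19), date(2026, 7, 3), date(2026, 9, 7), date(2026, 10, 12),
    date(2026, 11, 11), date(2026, 11, 26), date(2026, 12, 25),
}

# Assumption: EDGAR accepts a filing for same-day dating until 5:30 pm ET.
EDGAR_CLOSE = time(17, 30)


@dataclass(frozen=True)
class Clock:
    regulator: str
    trigger: str   # key in the incident's trigger-timestamp log
    amount: int
    unit: str      # "business_days" | "calendar_days" | "hours"


# Illustrative matrix. Only the SEC row's trigger (materiality determination)
# comes from the rule text discussed in the article; the other triggers are
# modelled as assumptions and must be checked against each regulation.
CLOCK_MATRIX: Tuple[Clock, ...] = (
    Clock("SEC Form 8-K Item 1.05", "materiality_determination", 4, "business_days"),
    Clock("NYDFS 23 NYCRR Part 500", "nydfs_determination", 72, "hours"),
    Clock("FTC Safeguards Rule (500+ consumers)", "discovery", 30, "calendar_days"),
    Clock("HIPAA breach notification", "discovery", 60, "calendar_days"),
)


def is_business_day(d: date, holidays=HOLIDAYS_2026) -> bool:
    """Monday to Friday and not a federal holiday."""
    return d.weekday() < 5 and d not in holidays


def add_business_days(start: datetime, n: int, holidays=HOLIDAYS_2026) -> date:
    """Day 1 is the first business day strictly after the start date, so a
    determination late on the Friday before a Monday holiday makes Tuesday day 1."""
    d, remaining = start.date(), n
    while remaining > 0:
        d += timedelta(days=1)
        if is_business_day(d, holidays):
            remaining -= 1
    return d


def deadline(clock: Clock, triggers: Dict[str, datetime]) -> Optional[datetime]:
    """Deadline for one clock, or None if its trigger event has not fired yet."""
    t = triggers.get(clock.trigger)
    if t is None:
        return None
    if clock.unit == "business_days":
        return datetime.combine(add_business_days(t, clock.amount), EDGAR_CLOSE)
    if clock.unit == "calendar_days":
        return t + timedelta(days=clock.amount)
    if clock.unit == "hours":
        return t + timedelta(hours=clock.amount)
    raise ValueError(f"unknown unit {clock.unit!r}")


def build_schedule(triggers: Dict[str, datetime]) -> List[Tuple[str, Optional[datetime]]]:
    """Running clocks sorted by due time, followed by clocks not yet triggered."""
    rows = [(c.regulator, deadline(c, triggers)) for c in CLOCK_MATRIX]
    running = sorted((r for r in rows if r[1] is not None), key=lambda r: r[1])
    waiting = [r for r in rows if r[1] is None]
    return running + waiting


if __name__ == "__main__":
    # Constructed scenario (all times US Eastern): discovered Wednesday morning,
    # materiality determined 11 pm on the Friday before Memorial Day 2026.
    log = {
        "discovery": datetime(2026, 5, 20, 9, 0),
        "materiality_determination": datetime(2026, 5, 22, 23, 0),
        "nydfs_determination": datetime(2026, 5, 22, 23, 0),
    }
    for regulator, due in build_schedule(log):
        print(f"{regulator:40} {due.isoformat(' ') if due else 'clock not running'}")
```

In the constructed scenario the NYDFS clock expires on the holiday Monday while the 8-K is not due until Friday May 29, because Saturday, Sunday and Memorial Day are skipped; a spreadsheet that adds four days to the determination date would put the SEC deadline on the Tuesday and the committee would over-rush. The `None` return for an unfired trigger is the important edge: a clock that has not started is not the same as a clock that has been met, and the schedule should show both states separately.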

The GC's clock matrix is the one artefact that lets a disclosure committee defend its sequencing in front of any of these regulators.

How Reg S-K Item 106 connects to the 8-K, and why your 10-K is now evidence

Item 1.05 grabs the headlines. Reg S-K Item 106 is the trap. The annual 10-K disclosure that describes your processes for assessing, identifying and managing cyber risks is now read by enforcement staff alongside every subsequent 8-K, and any inconsistency is a misstatement claim waiting to happen. Item 106(b) requires a description of risk-management processes, including whether and how they are integrated into the overall enterprise risk management program, whether the company engages external assessors, consultants, auditors or other third parties, and whether processes exist to oversee and identify material risks from cybersecurity threats associated with use of third-party service providers. Item 106(c) requires disclosure of board oversight, including the identification of any board committee responsible, and the management role, including positions or committees responsible for assessing and managing risks, the relevant expertise of such persons, and the processes by which they are informed about and monitor incidents. Two failure modes recur. The first is generic boilerplate that says "we maintain a comprehensive cybersecurity program" without naming the framework. Saying NIST CSF or ISO 27001 in the 10-K and then failing to demonstrate alignment during enforcement creates a misstatement risk. The second is silence on third-party risk. Given the WEF 2026 finding that third-party involvement in breaches has doubled, a 10-K that does not describe vendor risk processes is conspicuous by omission. The fix is alignment between the words and the operating reality. If the 10-K describes a Board Risk Committee that reviews cyber quarterly, the minutes must show that meeting. If it describes annual penetration testing, the engagement letters must show that work was scoped and completed. If it describes risk assessments and continuous monitoring, the artefacts must exist. A program that wires vulnerability assessment and penetration testing to a documented risk register, with board reporting on a fixed cadence, is the cheapest defence against an Item 106 misstatement claim. The same applies to AI risk. CETU has scoped AI-washing explicitly. If the 10-K mentions AI as a risk or as a control, the underlying AI risk assessment evidence must be ready for SEC staff review.

Every word in Item 106 is a promise. The cheapest defence is alignment between the 10-K narrative and the artefacts the SEC will ask for during enforcement.

Personal liability after SolarWinds: what CISOs and GCs are negotiating in 2026

The SolarWinds dismissal recalibrated the personal-liability conversation but did not end it. CISOs and general counsels in 2026 are negotiating contract and governance changes that would have been unthinkable in 2022. Three changes are now standard. First, dedicated Side-A D&O coverage that extends to the CISO when the CISO falls within the policy's definition of "insured person." Many CISOs at SEC registrants have moved from being a senior director or VP to being a named executive officer for exactly this reason, which in turn pulls them into the company's Section 16 reporting orbit. Second, written information-flow protocols that document what the CISO communicated to whom and when, so that a CISO's good-faith escalation cannot be mischaracterized later. Third, employment-agreement amendments that include indemnification advance, defense-cost coverage and a clear scope of authority. The structural change is the materiality determination committee. Putting that determination in a committee, rather than on the CISO alone, distributes the judgement and creates a board-supervised record. The Harvard Corporate Governance Forum analysis of CETU priorities in March 2025 read the SEC under Atkins as moving away from novel individual-CISO theories and toward disclosure-misrepresentation cases that show clear investor harm. That framing is being circulated heavily in CISO offices, but it is not a permission slip. The four cases settled in October 2024 still bind the company; the company still pays the fine; the CISO still owns the technical scoping memo. The flip side is reporting line. Boards are responding to Reg S-K Item 106's governance disclosure by elevating the CISO. A CISO reporting to the CIO is harder to disclose with a straight face than one reporting to the CEO or a Board Risk Committee. Expect 2026 proxy and 10-K disclosures to show more CISOs reporting outside the IT chain.

The doctrinal arc is clear: courts narrowed the SEC's individual-officer theory, and CETU has refocused on company-level misrepresentation rather than novel personal-liability claims.

What to do in the next 90 days, and where offshore VAPT and SOC fit

The most common boardroom question in mid-2026 is: "If we had an incident tonight, how would we file?" The answer should be a written 90-day program, not a slideware reassurance. The first 30 days: ratify a written materiality framework, name the disclosure committee with a 24x7 quorum of at least three of five members, hold a tabletop exercise with outside counsel observing, and map your clock matrix across SEC Item 1.05, NYDFS Part 500, FTC Safeguards, HIPAA, state breach laws, sector regulators and CIRCIA when final. The next 30 days: align the 10-K Item 106 narrative with the operating reality, fix any boilerplate, and lock in third-party risk language consistent with what your vendor-risk team actually does. The final 30 days: dry-run a sample 8-K Item 1.05 filing with mock facts, share the draft with the audit committee, and document every assumption. The harder execution problem is the standing 24x7 capability and the offensive evidence base. Salt Typhoon's one-to-two-year dwell time inside Verizon, AT&T, T-Mobile and Lumen, confirmed by the December 2025 Senate Commerce Committee findings, has reset what "reasonable security" means. A board that approves a 10-K describing reasonable processes but cannot produce continuous monitoring evidence and current penetration testing artefacts will not survive enforcement scrutiny. This is where many US-listed companies, including Indian-headquartered firms with US ADR or OTC listings and US subsidiaries of overseas registrants, partner with a CERT-In empanelled, India-based VAPT and SOC partner. Certbar Security runs continuous penetration testing, attack simulation and 24x7 SOC monitoring with regulator-mapped audit evidence designed to plug into US disclosure programs. The cost structure of offshore delivery, paired with the timezone advantage of a SOC that is awake while US teams sleep, materially reduces the gap between detection and the committee's technical scoping memo. That is the gap that determines whether you file a clean 8-K or an embarrassing one. We work with general counsel and disclosure committees, not just IT, because the evidence has to land in a form the SEC will accept. Build the program now. The SEC's enforcement record since the four-business-day rule took effect shows that the regulator does not punish speed of filing as much as it punishes what is filed. A US-registered company in 2026 that has a written materiality framework, a quorum-ready disclosure committee, a clock matrix, a 24x7 SOC, continuous penetration testing evidence, and a 10-K narrative that matches the operating reality has done the work. Everything else is risk transfer through D&O insurance and post-incident clean-up. Better to land the clean filing.

Nirav Goti, Co-Founder & CEO

Nirav Goti, Co-Founder & CEO at Certbar, leads R&D and delivery. With 7+ years in ethical hacking, he chairs SGCCI’s cybersecurity committee. A seasoned speaker, Nirav graduated in Computer Science, specializing in wireless communication, networking, and information security. Former roles include Professional Service Manager at HulkApps, Inc.


Frequently Asked Questions

When does the four-business-day clock start?

It starts on the date the registrant determines that the cybersecurity incident is material, not the date of detection, containment, or notification, and the rule requires that determination to be made without unreasonable delay after discovery. The SEC's July 2023 adopting release was explicit on both points, and the May 21, 2024 Corp Fin guidance from Director Erik Gerding reinforced that voluntary disclosures of non-material incidents should use Item 8.01 instead. Most disclosure committees timestamp the determination with a written sign-off from the GC, CFO and committee chair to anchor the clock defensibly.