Incident Command Platform
← All articles

SEC 96-Hour Cyber Breach Notification (Item 1.05)

By Mark LyndPublished April 7, 202612 min read

Since December 2023, every SEC registrant has had four business days to disclose a material cybersecurity incident on Form 8-K Item 1.05. The clock is not 96 hours, the trigger is not the incident itself, and the filing is not optional. Here's what you actually need to know.

The SEC's final rule on cybersecurity disclosure (Release No. 33-11216) added Item 1.05 to Form 8-K and changed the way public companies must talk about cyber. This guide explains the rule in operational terms — what triggers it, when the clock starts, what must be disclosed, and how to draft under pressure. For the broader response framework, see our Incident Response Playbook.

The Trigger is Materiality, Not the Incident

The clock does not start when you detect an incident. It starts when you determine the incident is material. Under the rule, that determination must be made "without unreasonable delay" — which is not a fixed number of hours, but is understood by the Commission to mean days, not weeks.

This two-step structure matters operationally:

  1. Step 1 — Awareness. The IR team confirms an incident exists.
  2. Step 2 — Materiality determination. Legal, finance, and the disclosure committee assess whether a reasonable investor would consider the incident important to an investment decision.
  3. Step 3 — Four business day clock starts. From the moment of Step 2.
Drafting tip: The 8-K must be filed "within four business days of determining the incident is material" — and the filing itself states the date of determination. Regulators and plaintiffs will scrutinize any gap between detection and determination.

The Materiality Assessment

Materiality under the federal securities laws is a qualitative and quantitative analysis. The rule specifically notes that an incident may be material even when its financial impact is small, if it affects reputation, customer relationships, or competitive standing.

Factors to consider — document every one of them in the defensible record:

What Must Be Disclosed

Item 1.05(a) requires the filing to describe:

  1. The material aspects of the nature, scope, and timing of the incident
  2. The material impact or reasonably likely material impact on the registrant, including financial condition and results of operations

The rule does not require disclosure of technical details — specific vulnerabilities exploited, compromised systems, or incident response status — if that disclosure would impede response or remediation. The filing is investor communication, not a forensic report.

The National Security Exemption

Item 1.05(c) permits a delay in disclosure if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety. The delay is initially up to 30 days and can be extended. This is not a DIY exemption — it requires formal AG notification, typically via the FBI.

What Does Not Trigger 1.05

Common Drafting Mistakes

  1. Being too specific. Once you disclose details, subsequent facts create inconsistency risk.
  2. Being too vague. A disclosure that says nothing invites an enforcement inquiry.
  3. Promising future updates you cannot guarantee. "We will update investors as appropriate" is safer than "we will file an amendment within 10 days."
  4. Forgetting the amendment. If material information was not reasonably determinable at filing, Item 1.05(b) requires an amendment within four business days of it becoming determinable.
  5. Letting the CISO draft it. This is a disclosure document — it is drafted by disclosure counsel and the disclosure committee, with CISO input.

Operationalizing the Four-Day Clock

The clock is only manageable if you have:

Related Reading

Track the materiality clock with a defensible record

IR-OS timestamps every decision in an append-only ledger — so when regulators ask when you knew, you can prove it.

Start free