When does the four-business-day clock start?

The clock starts on the materiality determination, not on incident detection. The company must make the determination without unreasonable delay after discovery, then file within four business days of that determination.

What is the difference between Item 1.05 and Item 8.01?

Item 1.05 is the dedicated cybersecurity incident item with a four-business-day deadline. Item 8.01 (Other Events) is voluntary and can be used for additional disclosures or updates that do not meet the Item 1.05 trigger.

SEC 8-K Item 1.05 - Material Cybersecurity Incident Disclosure

Q: What is SEC 8-K Item 1.05?

Item 1.05 is the SEC Form 8-K item that requires public companies to disclose any cybersecurity incident determined to be material within four business days of that materiality determination. The rule took effect 18 December 2023.

Q: Can SEC disclosure be delayed for national security?

Yes. The U.S. Attorney General can authorize a delay if immediate disclosure would pose a substantial risk to national security or public safety, generally up to 30 days with possible extensions. Companies request the delay through the FBI.

Q: What must be disclosed under Item 1.05?

The material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including financial condition and results of operations. Technical details are not required.

SEC Form 8-K Item 1.05 requires public companies (registrants under Section 13(a) or 15(d) of the Exchange Act) to disclose any cybersecurity incident determined to be material within four business days of the materiality determination. The rule took effect 18 December 2023 and is one of the most consequential cybersecurity disclosure rules in U.S. history.

Source: 17 CFR 229.106 and 17 CFR 249.308, adopted by the SEC in Release No. 33-11216 (July 2023).

What Item 1.05 Requires

When a public company determines that a cybersecurity incident is material, it must file a Form 8-K under Item 1.05 within four business days, describing the material aspects of the nature, scope, and timing of the incident, and the material impact (or reasonably likely material impact) on the registrant, including its financial condition and results of operations.

The clock starts on the materiality determination, not on the incident itself. The SEC explicitly rejected proposals to start the clock at detection or discovery; the obligation is to make the materiality determination without unreasonable delay after discovery, and then file within four business days of that determination.

Materiality Standard

Materiality is the long-standing federal securities law standard from TSC Industries v. Northway (1976) and Basic v. Levinson (1988): a fact is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision. The SEC clarified in the adopting release that quantitative thresholds are not appropriate; the test is qualitative and contextual.

Financial impact: revenue, expense, reserve, write-down
Operational impact: production, service delivery, customer relationships
Reputational impact: brand, trust, customer churn
Regulatory and litigation exposure
Strategic impact: M&A, competitive position

National Security and Public Safety Delay

Item 1.05(c) permits the U.S. Attorney General to authorize a delay in disclosure if immediate filing would pose a substantial risk to national security or public safety. The delay can be granted in writing for up to 30 days, with two possible 30-day extensions (60 additional days) and a final delay only by Presidential authorization for limited extensions. Companies request the delay through the FBI under DOJ procedures.

Smaller Reporting Companies

Smaller reporting companies were granted a delayed effective date and additional time to comply, with reporting requirements taking effect 15 June 2024. The substantive disclosure requirement is the same; only the implementation date differed.

Track the SEC 96-hour clock automatically

IR-OS tracks materiality determinations, four-business-day deadlines, and produces the disclosure-ready record auditors and counsel need.

Start free