SEC Cybersecurity Disclosure
Item 1.05, Item 106, and the materiality decision record

The SEC cybersecurity disclosure rules in context

The SEC adopted the Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules in July 2023 (Release Nos. 33-11216 and 34-97989). The rules added Item 106 to Regulation S-K, Item 1.05 to Form 8-K, and parallel obligations for foreign private issuers under Form 6-K and Form 20-F. The incident disclosure rule applies to Forms 8-K and 6-K filed on or after December 18, 2023 (with smaller reporting companies receiving an additional 180 days). The annual disclosure rule applies to annual reports for fiscal years ending on or after December 15, 2023.

The rule reshaped two questions registrants used to handle informally. When does a cybersecurity incident become a public disclosure? And how does the registrant describe the cybersecurity programme to investors with the same rigour as the rest of the 10-K? The answer is now codified: a four-business-day clock from the materiality determination, and an annual narrative covering risk management processes and board oversight. The rules sit alongside other US disclosure rules without replacing them; for European parallels, the NIS2 framework page covers the EU member-state regime, DORA covers the EU financial-sector regime, and the Cyber Resilience Act covers EU product cybersecurity. The SEC rules differ in posture: they are an investor protection regime delivered through securities filings rather than a sectoral cybersecurity regulation, and the trigger is materiality to investors rather than impact to a regulator.

The four filings at a glance

Most of the operational complexity sits in two filings (Form 8-K Item 1.05 and Form 10-K Item 106) for domestic registrants, with parallel obligations for foreign private issuers on Form 6-K and Form 20-F. Knowing which filing an event triggers, and on what timeline, is the first piece of disclosure committee literacy.

The materiality determination is the trigger, not the incident

The four-business-day clock under Item 1.05 starts at the moment the registrant determines the incident is material. The Adopting Release is explicit that determination must be made without unreasonable delay following discovery, and that materiality is the standard articulated in TSC Industries v. Northway and Basic Inc. v. Levinson: a substantial likelihood that a reasonable investor would consider the information important in making an investment decision, or that the information would significantly alter the total mix of information available.

The structural risk most registrants carry is no documented materiality criteria before an incident occurs. When the determination is made under time pressure with no basis to reference, the four-business-day timing becomes hard to defend later. The walk below is the disciplined materiality path that survives SEC review.

The key operational distinction is between detection time and determination time. The two are different timestamps and they get recorded differently. Conflating them produces a record that cannot evidence the without-unreasonable-delay standard, and it leaves the four-business-day clock with no clean reference point. The SEC cybersecurity incident materiality guide walks through the determination as a documented operating process, including the criteria a disclosure committee can defend, the convening protocol, the re-evaluation triggers, and the Item 1.05(c) amendment cycle. The incident response plan guide covers the upstream operational pattern that feeds the materiality determination, and the severity calibration research covers the broader discipline of consistent severity decisions across a programme.

Item 1.05 disclosure: what goes in the 8-K and what stays in the workspace

Item 1.05(a) calls for the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact. The Adopting Release confirms that the rule does not require disclosure of specific technical detail about the planned response or specific vulnerabilities exploited, where such disclosure would impede response or remediation. The workspace holds the full investigation narrative; the filing carries the disclosable summary.

Item 1.05(c) requires the registrant to amend the 8-K within four business days of new information becoming available where Item 1.05(a) information was not determined or unavailable at the original filing. The amendment is its own four-business-day clock; it is not a relaxation of the original clock. Track the open Item 1.05(c) data points on the same record as the original filing so the amendment cycle does not slip into a delayed disclosure pattern. For the workflow that turns the technical investigation into a disclosable narrative, the pentest evidence management workflow covers how to keep the underlying findings durable across the disclosure cycle.

Item 106(b): risk management and strategy disclosure

Item 106(b) of Regulation S-K calls for an annual narrative on the registrant is cybersecurity processes. The disclosure has to be specific enough that a reasonable investor understands what the programme actually does, but it does not require disclosing operational detail that would create exploitation risk. The list below paraphrases the rule; the authoritative text remains the regulation itself.

Item 106(b)(1)(ii) calls out engagement with assessors, consultants, auditors, or other third parties. The penetration testing, vulnerability assessment, and external audit work the registrant commissions sits directly inside this disclosure. Hold the engagement scope, the findings, the remediation evidence, and the retest outcomes on the same workspace so the narrative references work the registrant can produce on request. The penetration testing workflow covers the engagement record pattern that feeds the Item 106(b) narrative, and the remediation tracking workflow covers the closure record auditors and reviewers ask for when the disclosure references third-party engagements.

Item 106(c): governance and board oversight disclosure

Item 106(c) is where the disclosure quality varies most across registrants. A single line identifying the audit committee meets the literal requirement but does not match the rule is intent: investors are entitled to a description of how the board actually oversees cybersecurity, including the reporting cadence and the management roles that feed it. The list below covers the components a defensible Item 106(c) disclosure carries.

Notably, the SEC removed the proposed requirement to disclose specific cybersecurity expertise of individual directors. Item 106(c) calls for management is relevant expertise, not director expertise, and the description should be at the role level rather than naming individuals. Capture board minutes references, committee charters, named management roles, the reporting cadence, and the escalation pathway in the workspace so the disclosure reflects governance the registrant can evidence.

Foreign private issuer obligations: 6-K and 20-F

Foreign private issuers (FPIs) operate under a parallel set of obligations. Form 6-K requires disclosure of material cybersecurity incidents when the issuer is required to make the information public in its home jurisdiction or otherwise discloses the information widely. Form 20-F replaces the Item 106 annual narrative with a comparable cybersecurity disclosure block. The dual-track structure means an FPI may have a home jurisdiction trigger before, after, or simultaneously with the SEC trigger, and the 6-K timing follows the home jurisdiction disclosure pattern.

FPIs running cybersecurity disclosure on the same workspace as their domestic-registered peers benefit from a single materiality record that supports both the home jurisdiction filing and the 6-K. The structural risk is divergence: a 6-K that does not match the home jurisdiction disclosure narrative produces an inconsistency the SEC has flagged as a concern. Holding both narratives on the same record forecloses the divergence at source.

How SecPortal aligns to the disclosure work

SecPortal is the workspace for the assessor work, the findings record, and the audit trail that the disclosure narrative references. The platform does not file the 8-K and is not legal advice, but it does hold the work the disclosure committee, internal audit, and external counsel rely on when they draft the narrative and time the filing.

For US registrants running SOC 2 alongside SEC disclosure work, the SOC 2 framework page covers the controls work that often supplies evidence for Item 106(b) processes. For registrants under federal contract obligations, the NIST 800-53 framework page covers the control catalogue that frequently structures the cybersecurity programme the disclosure describes. For the operating record that feeds Item 106(b) third-party engagement disclosure, the security testing programme management workflow covers how to keep the cumulative engagement record durable across the fiscal year.

Common disclosure gaps and how to close them

The pattern below shows where disclosures most often fall short of what the rule expects. Each one is recoverable when the workspace record carries the upstream evidence; each one is hard to recover when the gap is discovered at filing time.

Scope and limitations

The Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules are administered by the US Securities and Exchange Commission. SecPortal is the workspace that holds the engagement, the findings, the evidence, and the audit trail; filing of Form 8-K, Form 10-K, Form 6-K, and Form 20-F remains the registrant is responsibility, carried out through EDGAR with the involvement of disclosure counsel and the disclosure committee. This page describes the structure of the rules and how a workspace-driven programme plays against them; the authoritative reference for the obligations remains Release Nos. 33-11216 and 34-97989, the published rule text, and any subsequent SEC interpretive guidance and staff statements.

Nothing on this page is legal advice. Materiality determinations under federal securities law require the involvement of the registrant is general counsel, disclosure committee, and external securities counsel. The platform supports the underlying work record those roles rely on; it does not substitute for the legal judgement that determines whether and when an incident is disclosed.