- The 4-business-day disclosure clock starts when a company determines materiality — not when it discovers the incident. Slow-walking the determination is itself an enforcement risk.
- Form 10-K Item 1C requires annual disclosure of board oversight, management qualifications, and risk processes — the S&P 100 averages 980 words and 100% disclose vendor risk programs.
- Companies must address cybersecurity in S-1 risk factors, MD&A, and business description before the 8-K and 10-K obligations even apply — governance must precede the filing.
- The SEC levied over $8M in penalties in 2024 alone for generic, unchanged risk factor language used after companies became aware of material incidents.
- NIST CSF alignment is the de facto market standard — 60% of S&P 100 cite it — and tabletop exercises testing the 4-business-day disclosure workflow are now an expected governance practice.
The Disclosure Imperative Has Changed
The SEC adopted Release No. 33-11216 on July 26, 2023, with an effective date of September 5, 2023. The release created two distinct and binding obligations for public companies: Form 8-K Item 1.05, which mandates disclosure of material cybersecurity incidents, and Form 10-K Item 1C, which requires annual disclosure of cybersecurity risk management processes, governance structures, and board oversight arrangements. Large accelerated filers became subject to Item 1.05 as of December 18, 2023; smaller reporting companies followed on June 15, 2024.
The rule changes the calculus for any company approaching a public listing in a fundamental way. Cybersecurity governance is no longer a post-IPO concern to be addressed once the company is trading. It must be built, documented, and tested before the S-1 registration statement is filed — because the S-1 itself must address cybersecurity risks, prior incidents, and governance structures in a manner that satisfies SEC staff expectations that have been shaped by the new rule's framework.
Companies that have not established the governance infrastructure before filing will find themselves in the worst possible position: disclosing material weaknesses in both their cybersecurity posture and their disclosure controls simultaneously. The registration statement process is not the right venue for building the foundation. By the time SEC staff are reviewing the filing, the infrastructure should already be operational and documented.
Form 8-K Item 1.05 — The 4-Business-Day Clock
Once a company determines — not merely discovers — that a material cybersecurity incident has occurred, it has four business days to file a Form 8-K under Item 1.05. The distinction between discovery and determination is central to the rule's architecture and has significant operational implications for every registrant.
The required disclosure must cover three core elements: the nature, scope, and timing of the incident; the material impact or reasonably likely material impact on the company's financial condition; and the impact or reasonably likely impact on results of operations. The rule does not require companies to disclose information that would pose a risk to national security or that is not yet known at the time of filing — but it does require contemporaneous disclosure of what is known and what can reasonably be assessed.
The clock starts at determination, not discovery — which requires active, documented materiality assessment processes to be in place at all times, not assembled after an incident occurs. Companies without these processes face both a substantive disclosure failure and a process failure. If a technical team identifies a breach on a Monday and no formal materiality assessment is conducted until the following Friday, the SEC may view the delay as an unreasonable extension of the discovery-to-determination timeline, particularly if internal communications during that period suggest awareness of potential material impact.
One narrow exception exists: the U.S. Attorney General may grant a delay in disclosure where filing would pose a substantial risk to national security or public safety. This exception is narrow, procedurally demanding, and not available to the vast majority of companies. It should not be incorporated into routine incident response planning as a potential fallback.
In May 2024, the SEC's Division of Corporation Finance issued important clarifying guidance: Item 1.05 is exclusively for mandatory disclosures of incidents that have been determined to be material. Voluntary disclosure of non-material incidents — or incidents whose materiality has not yet been determined — should use Item 8.01. This distinction matters operationally and legally. Filing under Item 1.05 for a non-material incident signals materiality to the market, regardless of the company's intent, and can create securities law exposure if the company later concludes the incident was not material. Legal counsel must be involved in the classification decision for every filing.
XBRL tagging of Item 1.05 disclosures is required for all registrants as of December 18, 2024. Companies must ensure their disclosure and filing infrastructure supports machine-readable tagging of cybersecurity incident disclosures — a technical requirement that intersects with the broader EDGAR filing systems that new registrants must configure before going public.
Form 10-K Item 1C — Annual Governance Disclosure
Item 1C requires companies to disclose annually, in their Form 10-K, four categories of cybersecurity governance information: their processes for assessing, identifying, and managing material cybersecurity risks; whether those risks have materially affected or are reasonably likely to materially affect the business, including financial condition and results of operations; the board's oversight of cybersecurity risk, including which committee or body is responsible and how frequently it receives reports from management; and management's role and relevant qualifications in assessing and managing cybersecurity risk.
A Gibson Dunn survey of S&P 100 Item 1C disclosures as of November 2024 provides the clearest available picture of market practice. Average disclosure length was 980 words. Sixty percent of companies cited an external framework, with NIST being the most common — used by 51 of 97 companies surveyed. Eighty-four percent disclosed employee training programs. Ninety-six percent reported using audits, drills, or tabletop exercises. Ninety-eight percent disclosed engaging external assessors or consultants. One hundred percent discussed third-party vendor risk management programs.
These statistics establish a de facto market standard. A company — whether a seasoned large accelerated filer or a new registrant filing its first 10-K — that discloses materially less than these benchmarks invites investor scrutiny and SEC staff comments. The survey data gives prospective issuers a concrete picture of what a compliant, market-standard disclosure looks like, and the gap between that standard and what most pre-IPO companies have in place is typically substantial.
Board oversight disclosure patterns from the same survey are particularly instructive for governance planning. Sixty-eight percent of S&P 100 companies reported that the full board retains responsibility for enterprise-wide risk oversight, including cybersecurity. Sixty-six percent delegate cybersecurity oversight to a board committee, with 78% of those using the audit committee as the primary oversight body. CISO-to-board reporting cadence has become an emerging disclosure expectation — not simply a governance best practice — and companies that cannot document a regular reporting relationship between their security leadership and board will face scrutiny both from SEC staff and from institutional investors conducting pre-IPO diligence.
What "Material" Means — and Why It Matters
The SEC applies the same materiality standard across its cybersecurity disclosure rules that has governed securities law for decades: an incident is material if there is a substantial likelihood that a reasonable shareholder would consider it important in making an investment decision. This standard derives from the Supreme Court's decisions in TSC Industries v. Northway (1976) and Basic Inc. v. Levinson (1988) and has been consistently applied across the full range of disclosure obligations.
In the cybersecurity context, the assessment requires consideration of both quantitative and qualitative factors. Quantitative factors include immediate financial impact — revenue disruption, remediation costs, ransom payments, and forensic expenses — as well as longer-term operational and reputational costs that may be difficult to quantify at the time of the assessment. Qualitative factors include the scope and sensitivity of data compromised, the probability and potential magnitude of litigation exposure, the nature of the threat actor and their likely objectives, and whether the incident involves regulated data categories that trigger parallel notification obligations under state breach notification laws, HIPAA, or other sector-specific regimes.
The materiality determination must be made without unreasonable delay. The SEC's rule structure — which starts the 4-business-day clock at determination rather than discovery — creates a regulatory incentive structure that companies must understand clearly. The rule does not reward companies that delay conducting a materiality assessment in order to avoid triggering the filing obligation. Documented delay in initiating the materiality assessment process is itself an enforcement risk, as it suggests the company's disclosure controls are not functioning effectively.
Filing behavior data compiled by Greenberg Traurig in 2025 illuminates how companies are navigating the materiality determination in practice. Since April 2024, 41 companies filed cybersecurity-related Form 8-Ks. Twenty-six did so voluntarily under Item 8.01; 15 filed under mandatory Item 1.05. Of the 15 mandatory filings, only 6 specified financial impact at the time of initial disclosure. Subsequent amended filings by all 15 companies concluded either that no material impact had occurred or that material impact was unlikely. The pattern suggests companies are disclosing at or near the materiality threshold, with determinations frequently revised downward after additional investigation — a practice that is legally defensible as long as the initial determination and subsequent revision are both documented and made in good faith.
What the S-1 Must Say — Pre-IPO Disclosure Requirements
Companies filing S-1 registration statements must address cybersecurity across multiple disclosure items before the 8-K and 10-K obligations even begin to apply. The registration statement is the foundational document through which the SEC and the investing public learn about a company's risk profile, and cybersecurity has become one of the most scrutinized risk categories in SEC staff reviews of new registrants.
Item 105 (Risk Factors) requires disclosure of material cybersecurity risks, including prior incident frequency and severity, the probability of future incidents based on the company's industry and threat environment, the adequacy of the company's preventive measures, and vulnerabilities arising from third-party supplier and vendor relationships. Generic, boilerplate risk factor language — the kind that could apply to any company in any industry — is no longer acceptable. SEC staff will issue comments on risk factor disclosures that fail to describe risks with specificity appropriate to the company's actual operational profile, incident history, and competitive environment.
Item 303 (MD&A) requires disclosure of ongoing cybersecurity costs, remediation expenses related to prior incidents, insurance recoveries, and competitive impacts. If a company has experienced a material incident that has not yet been fully remediated at the time of filing, the cost trajectory and the expected timeline to full remediation must be addressed. Investors and analysts will scrutinize MD&A disclosures for any suggestion that cybersecurity costs are material but undisclosed.
Item 101 (Business Description) requires companies to address how cybersecurity incidents materially affect their products, services, and customer relationships. For technology-dependent companies — and increasingly for companies in every sector — this section often requires substantial cybersecurity disclosure that goes beyond generic statements about the importance of information security. The description should reflect the company's actual dependence on specific systems, data categories, and third-party infrastructure.
Financial statement requirements add a further dimension. Companies must provide reasonable assurance that the financial impacts of cyber incidents are fully captured and accurately presented in their audited financial statements. This implicates internal controls over financial reporting in a direct way — a pre-IPO SOX readiness assessment must include an explicit review of cybersecurity-related financial reporting processes, including how incident costs are captured, how contingent liabilities are identified and evaluated, and how insurance recoveries are accounted for.
Enforcement — What Happens When Companies Get It Wrong
The SEC has demonstrated a clear and escalating willingness to pursue enforcement actions for inadequate cybersecurity disclosure. The enforcement actions concluded in 2024 collectively establish that the Commission will pursue penalties not only for failures to disclose known incidents, but for internal control failures that impeded timely assessment and escalation.
In June 2024, R.R. Donnelley & Sons settled charges arising from a 2021 cyberattack for a $2.1 million penalty. The SEC found that the company had failed to properly escalate security alerts to management during the attack and had maintained inadequate staffing for alert monitoring — deficiencies that constituted violations of the disclosure controls and internal controls over financial reporting provisions of the Exchange Act. The case establishes that operational cybersecurity failures, not just disclosure failures, can create securities law exposure.
In October 2024, the SEC charged four IT services companies with materially misleading disclosures following their exposure in the SolarWinds supply chain breach. The companies had used generic, unchanged risk factor language after becoming aware of the breach through the SolarWinds notification process, and had omitted material details about state-actor involvement and the scope of data exfiltration. Settlements ranged from $990,000 to $4 million. The cases represent the most direct application of the principle that companies cannot maintain generic risk factor language after learning that specific risks have actually materialized.
In December 2024, Flagstar Financial received a $3.55 million penalty for understating the severity of a 2021 cyberattack in Form 8-K filings and for repeating generic risk factor language in subsequent filings after becoming aware of the full scope of the incident. The SEC found that the company's disclosures gave investors a materially misleading picture of the incident's impact and the company's exposure.
Total SEC enforcement activity in these cases exceeded $8 million in aggregate penalties. The pattern across all of them is consistent: generic disclosures that fail to reflect what the company actually knew, at the time the disclosure was made, are the primary enforcement target. Companies that have experienced prior incidents before their IPO must ensure that their registration statement disclosures accurately reflect both the incidents and the company's state of knowledge at each relevant point in time.
Building the Pre-IPO Cybersecurity Foundation
The governance actions required before an S-1 filing are specific, sequential, and time-consuming. Companies that delay this work until late in the transaction process — or until after engaging underwriters — will find themselves disclosing inadequate controls in the registration statement, creating a disclosure liability before the company is even public. The work must begin 18 to 24 months before the target listing date to allow sufficient time for implementation, testing, and documentation.
The foundational steps, in sequence, are:
- Appoint a CISO or equivalent and document their qualifications in sufficient detail to satisfy Item 1C management expertise disclosure expectations. The qualifications disclosure must be specific — generic statements about years of experience are insufficient. Prior certifications, specific technical competencies, and relevant incident response experience should all be documented.
- Assign board or committee responsibility for cybersecurity oversight with a documented meeting cadence. Quarterly CISO reporting to the full board or designated committee is the emerging best practice, and the cadence should be established by formal board resolution and reflected in committee charters before the S-1 is filed.
- Implement a formal incident response plan that integrates directly with the disclosure committee and includes documented materiality assessment procedures and escalation workflows from technical teams to decision-makers. The plan must specify who has authority to make the materiality determination, what information is required to make that determination, and how the disclosure committee is convened within the 4-business-day window.
- Conduct a tabletop exercise specifically designed to test the 4-business-day disclosure workflow — simulating who makes the materiality determination, how the disclosure committee convenes on an accelerated basis, and how external legal counsel is engaged for Item 1.05 vs. Item 8.01 classification decisions. The tabletop should be documented and its findings incorporated into plan updates.
- Engage a third-party assessor to produce auditable compliance documentation aligned to NIST CSF, ISO 27001, or SOC 2 as applicable to the company's industry and customer base. The assessment documentation will serve double duty: it supports the Item 1C disclosure of external assessor engagement, and it provides a baseline against which future assessments can measure progress.
- Implement insider trading restriction policies covering the period during and after a material cybersecurity incident. The intersection of material non-public information arising from a cybersecurity incident and the trading windows of officers, directors, and employees creates significant Regulation FD and insider trading exposure that many pre-IPO companies have not previously needed to manage. Blackout policies must be extended to cover the cyber incident context explicitly.
- Conduct a comprehensive third-party vendor risk assessment and document the results. Every S&P 100 company now discloses a vendor risk management program, establishing a market standard that SEC staff will expect new registrants to meet. The assessment should cover all vendors with access to material systems or sensitive data, and the results should be incorporated into both the Item 1C annual disclosure and the S-1 risk factor disclosure.
- Align cybersecurity financial reporting processes with the broader SOX readiness program. Ensure that incident costs, remediation expenses, and related contingent liabilities are captured accurately in the financial close process and that the accounting for cyber-related costs is reviewed by qualified technical accounting resources before the financial statements are finalized.