The SEC Clock Starts When You Decide The Incident Is Material. Can You Make That Call?

The four-business-day disclosure clock does not start when you discover a cyber incident. It starts when you determine the incident is material to investors.

Most teams assume the deadline runs from detection and brace for a four-day sprint. The harder problem is the determination that starts the clock. You cannot soundly judge materiality until you can bound what the incident did to the business, and a large part of that is a recovery question: which systems you can bring back, how fast, and on data clean enough to trust.

What the rules require, briefly

The SEC adopted its cybersecurity disclosure rules in July 2023 under Release No. 33-11216. Two pieces matter here.

Form 8-K Item 1.05 requires a registrant to disclose a material cybersecurity incident within four business days of determining that it is material, describing the material aspects of the nature, scope, and timing of the incident and its material impact. A narrow exception exists when the U.S. Attorney General determines that disclosure poses a substantial risk to national security or public safety. The requirement has applied since December 2023, with smaller reporting companies given until June 2024 to begin filing under Item 1.05.

Regulation S-K Item 106 requires annual disclosure in the 10-K of the processes for assessing, identifying, and managing material cyber risks, the material effects of cyber threats and prior incidents, and the board’s oversight of those risks. Those annual disclosures applied beginning with fiscal years ending on or after December 15, 2023.

Materiality is a recovery question in disguise

The rule does not let you stall. The materiality determination has to be made without unreasonable delay after discovery, so the pressure lands on the investigation, not on a calendar you control.

Walk the determination. To decide whether a reasonable investor would care, you have to bound the impact: which systems are affected, how long they will be down, whether data was altered or destroyed, and whether operations resume on data you can trust. Several of those inputs are recovery facts before they are anything else.

Scenario

Take a public manufacturer that detects encryption across part of its ERP estate on a Friday. Here the materiality call turns largely on a recovery fact. If a clean recovery point from Thursday night restores the ERP by Monday, the impact may be contained. If the newest clean point is three weeks old because the intrusion predates the visible encryption, the company is facing extended downtime and a material hit to results, and the legal team cannot tell those two cases apart without recovery evidence.

A team that cannot identify its last clean recovery point cannot honestly bound the recovery impact. It is left choosing between two bad options: disclose early on incomplete information, or wait while it tests restores and risks an unreasonable delay. The provable clean recovery point is the input that lets legal and the CISO put a defensible bound on that side of the impact, one of the larger unknowns in the early hours.

The four-business-day clock, step by step:

  1. You discover an incident.
  2. You investigate scope: what was accessed, what was changed, what you can recover.
  3. You make the materiality determination, without unreasonable delay. This is the gating step.
  4. The four-business-day clock starts here, at the determination.
  5. You file the 8-K describing the material nature, scope, timing, and impact.

Step three is where recovery evidence shapes whether the next four days are a controlled disclosure or a scramble.

The clock starts at the materiality call, and you cannot make that call without recovery evidence.

The rule does not let an attacker’s campaign be sliced into immaterial pieces. The SEC defines a cybersecurity incident to include a series of related unauthorized occurrences, so several smaller events that turn out to be related must be assessed together for materiality.

Whether events are related is, again, a scoping and recovery question. If you cannot see how far the intrusion reached and which recovery points it touched, you cannot tell whether last month’s anomaly and today’s encryption are one incident or two. Understating that scope is how a disclosure becomes a misstatement after the fact.

The annual disclosure invites the same question

Item 106 is the slower-burning exposure. It asks you to describe, in writing and on the record, how you assess and manage material cyber risk and how the board oversees it.

A recovery program you cannot evidence produces vague Item 106 language. Vague language is fine until an incident, at which point the disclosure is read against what actually happened, and a gap between the two is the kind of thing that draws scrutiny. The companion piece RPO Is Not Enough for Ransomware Recovery covers why backup metrics are not the recovery evidence this disclosure implies.

The time to build this is before the clock starts. A general counsel preparing for Item 1.05 should be able to get a fast answer to a short list:

  • Which Tier 0 and Tier 1 services have a current recovery point with clean-copy evidence?
  • For those services, how far back is that clean point?
  • Who is authorized to approve return to production, and what evidence do they sign against?
  • Can we produce a timestamped record of the recovery decision after the fact?

If those answers take days to assemble, the materiality determination will too. Building that answer ahead of time is what Active Cyber Resilience for Security Leaders is about: measuring the gap to the last proven clean recovery point so legal opens the materiality conversation with evidence, not a status meeting.

Build the evidence before you need it

Map your Tier 0 services to a current clean recovery point with a Recovery Posture Assessment, so the recovery facts behind the materiality call are ready when the clock starts, not assembled under it.


Sources

[1] U.S. Securities and Exchange Commission, SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, press release 2023-139, July 26, 2023

[2] U.S. Securities and Exchange Commission, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Small Entity Compliance Guide. Implements the final rules adopted July 26, 2023 (Release No. 33-11216; effective September 5, 2023)

[3] Elastio, Ransomware Recovery Starts With a Provable Clean Recovery Point

[4] Elastio, RPO Is Not Enough for Ransomware Recovery

[5] Elastio, Active Cyber Resilience for Security Leaders



Elastio Team