On May 21, 2026, Debevoise published a two-year update to its Form 8-K cybersecurity incident disclosure tracker, covering the period since the SEC’s cybersecurity rules took effect on December 18, 2023. The data captures a pattern that has emerged across the first two years of the rules’ operation: voluntary disclosure under Item 8.01 is significantly outpacing mandatory disclosure under Item 1.05, and most incidents initially reported voluntarily never result in a subsequent material incident determination.

As of the tracker’s publication date, 29 issuers had made Item 1.05 filings — the mandatory disclosure for cybersecurity incidents determined to be material — while 50 issuers had made voluntary Item 8.01 filings for incidents where materiality had not yet been determined or was not asserted. Five issuers had filed under both items. The 79 total filings across 74 issuers represent a relatively small fraction of the public company universe, but they provide the clearest available picture of how SEC registrants are operationalizing the disclosure framework in practice.

What the Rules Require

The SEC’s cybersecurity disclosure rules, adopted in July 2023 and effective for most registrants beginning December 18, 2023, created two distinct disclosure obligations on Form 8-K.

Item 1.05 — Material Cybersecurity Incidents. When a registrant determines that a cybersecurity incident is material, it must file a Form 8-K under Item 1.05 within four business days of making that determination. The disclosure must describe the material aspects of the nature, scope, and timing of the incident, and its material impact or reasonably likely material impact on the registrant. The SEC has stated that registrants may not delay the materiality determination until after an investigation is complete — the obligation arises when facts available to management are sufficient to support a materiality assessment, not when forensic certainty is achieved.

Item 8.01 — Other Events (Voluntary Disclosure). Registrants may use Item 8.01 to disclose cybersecurity incidents that do not meet the materiality threshold for Item 1.05, or where the materiality assessment is still in progress. Item 8.01 filings are voluntary and carry no mandatory timeline, but they have been used frequently by companies that want to create a public disclosure record before completing the materiality analysis.

The rules also require annual disclosure in Form 10-K under new Item 1C, covering the registrant’s processes for assessing and managing material cybersecurity risks, the board’s oversight of cybersecurity risk, and whether any material cybersecurity incidents occurred during the fiscal year and had a material impact on financial condition or results.

Reading the Two-Year Data

The 29-to-50 ratio between Item 1.05 and Item 8.01 filings reflects several dynamics operating simultaneously.

Companies are disclosing voluntarily before completing materiality assessments. The most common pattern in the tracker data is a company that files under Item 8.01 when an incident is first discovered — signaling transparency and establishing a public disclosure record — and then either files a subsequent Item 1.05 after completing its materiality analysis, or makes no further material incident disclosure because the investigation concludes the incident was not material.

This pattern reflects a strategic and legal judgment. Filing voluntarily under Item 8.01 early in an investigation reduces the risk of an enforcement finding that the company sat on a material incident and missed the four-business-day deadline. It also provides a contemporaneous record showing that the company’s disclosure processes were functioning. If the incident later proves to be material, the earlier Item 8.01 filing demonstrates the company was not concealing the event.

Most voluntarily disclosed incidents never become Item 1.05 filings. Of the 50 Item 8.01 filings, only a small number resulted in a subsequent Item 1.05 material determination. This suggests either that companies are disclosing incidents voluntarily that turn out to be genuinely non-material, or that they are exercising significant discretion in the materiality assessment — concluding investigations without material findings even when the initial incident appeared significant enough to warrant voluntary disclosure.

The SEC has signaled awareness of this pattern. In its May 2024 statement on cybersecurity incident disclosures, then-Director Erik Gerding cautioned that registrants should not allow the voluntary disclosure pathway to substitute for timely materiality determinations under Item 1.05. The concern is that companies may be using Item 8.01 as a safe harbor — disclosing incidents to satisfy a transparency norm while avoiding the formal materiality determination that triggers the four-business-day clock.

The 29 Item 1.05 filings represent the clearest enforcement exposure. For the 29 incidents formally determined to be material, the four-business-day disclosure timeline applied. Any registrant that exceeded that timeline — or that made an Item 1.05 disclosure that the SEC later found to be inadequate in its description of nature, scope, or impact — faces enforcement risk. The SEC has not yet brought a formal enforcement action specifically for a late or inadequate Item 1.05 filing, but the agency has been reviewing disclosures and has made clear that enforcement is coming.

The Materiality Determination Problem

The central operational challenge under the SEC’s cybersecurity rules is not disclosure mechanics — it is the materiality determination itself. Under securities law, information is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision, or if it would significantly alter the total mix of information available to investors.

Applying this standard to a cybersecurity incident in real time — while an investigation is ongoing, before the full scope of data accessed is known, before the financial impact has been quantified, and while external forensic teams are still working — is genuinely difficult. The SEC has acknowledged the difficulty but has not retreated from its position that registrants must make the determination promptly with information available, not wait for certainty.

What the two-year data suggests is that companies are resolving this difficulty in different ways. Some are disclosing voluntarily under Item 8.01 as a precautionary measure while the materiality analysis proceeds. Others are making Item 1.05 determinations within the four-business-day window without complete forensic information. Others are concluding, after investigation, that incidents initially thought to be significant did not meet the materiality threshold.

Each of these approaches carries different risk profiles:

Early Item 8.01, no subsequent Item 1.05: Risk is limited if the investigation genuinely concludes non-materiality and that conclusion is documented. Risk is elevated if the company’s materiality analysis was superficial or if later evidence (litigation, regulatory investigation, insurance claims) suggests the incident was material when the determination was made.

Item 1.05 filed within four business days: Lower risk of enforcement for late filing, but disclosure will necessarily be based on incomplete information. The SEC permits — and in some respects expects — registrants to update disclosures as additional information becomes available, though it has not specified a formal amendment timeline.

Delayed materiality determination: Highest enforcement risk. If a company takes more than four business days from when management had sufficient information to make a materiality determination — regardless of when the investigation is complete — it has potentially violated the filing deadline.

Enforcement Trajectory

The SEC has not yet brought a primary enforcement action for failure to timely file under Item 1.05, but the enforcement trajectory is clearly toward that outcome. The two-year anniversary of the rules’ effective date, combined with the Debevoise tracker’s publication, has generated renewed regulatory and practitioner attention to compliance gaps.

Several factors make SEC cybersecurity enforcement action probable in 2026 or 2027.

The SEC has been reviewing filings. The Division of Enforcement has reviewed cybersecurity 8-K filings since the rules took effect. Public comments by SEC staff have referenced awareness of late filings and inadequate disclosures, though no formal enforcement proceedings have been announced specifically for violations of the cybersecurity rules.

Coordination with other enforcement actions. In cases where a company’s cybersecurity incident resulted in parallel regulatory investigations — HIPAA OCR, FTC, state attorneys general — the SEC’s own investigation of disclosure timing and adequacy is more likely. The coordination between federal agencies on significant cybersecurity incidents means that an Item 1.05 filing is frequently not the end of regulatory exposure but the beginning of multi-agency scrutiny.

The 10-K Item 1C annual disclosure obligation. The annual disclosure requirement has now been in effect for two full fiscal year cycles for most registrants. Companies that have disclosed material cybersecurity incidents under Item 1.05 must address those incidents in their 10-K Item 1C disclosures. Companies that have not made any cybersecurity disclosures must still comply with Item 1C’s risk management process description requirements. Inadequate or boilerplate Item 1C disclosures — particularly from companies that experienced significant incidents but claimed they were not material — are a credible enforcement risk.

The SolarWinds enforcement precedent. The SEC’s October 2023 enforcement action against SolarWinds and its CISO established that cybersecurity disclosure failures — in that case, misrepresentations about security practices in SEC filings — are actionable under the securities fraud provisions. While the specific charges were not under the new cybersecurity rules (which were not yet in effect), the action demonstrated the SEC’s willingness to pursue cybersecurity-related disclosure failures aggressively.

What the Data Means for Compliance Programs

Companies that have not yet built mature disclosure processes around the SEC cybersecurity rules are operating with increasing enforcement exposure as the two-year mark passes and the agency’s attention to compliance sharpens.

Operationalize the materiality assessment. The four-business-day deadline runs from the materiality determination, not from the incident discovery or forensic completion. Companies need a pre-defined materiality assessment framework — a structured set of factors and thresholds — that can be applied to a developing incident quickly. This framework should be approved in advance by the board or audit committee, not assembled ad hoc during an active incident.

Define escalation pathways. The CISO or security team discovering an incident and the general counsel or audit committee making the materiality determination are not the same people. The gap between discovery and determination must be bridged by an escalation protocol that moves information from incident response to legal and executive decision-making within hours. Companies that lack this pathway cannot reliably meet the four-business-day window.

Prepare disclosure templates. Item 1.05 filings require description of nature, scope, timing, and impact. Companies that draft disclosure language during an active incident — while managing forensic response, vendor coordination, law enforcement liaison, and regulatory notification simultaneously — face a difficult operational environment. Pre-drafted templates covering common incident types, with blanks for incident-specific facts, reduce the drafting burden when time is shortest.

Document the materiality determination. Whatever conclusion a company reaches about an incident’s materiality, the reasoning should be documented contemporaneously. If a company concludes an incident is not material after initially disclosing voluntarily under Item 8.01, a written record of the factors considered and the basis for the conclusion is essential evidence if the determination is later challenged.

Review and update Item 1C disclosures annually. Item 1C disclosures should accurately describe the company’s actual cybersecurity risk management processes — not aspirational descriptions of controls that do not exist. Companies that experienced incidents in the prior year must describe them accurately and assess their impact honestly. Boilerplate Item 1C disclosures are a litigation and enforcement risk.

Reassess after incidents. After any incident that triggered voluntary or mandatory disclosure, the company should reassess whether its disclosure architecture — escalation pathways, materiality framework, drafting templates, board involvement — performed as designed. Post-incident review of the disclosure process, not just the security response, is an emerging best practice.

Two Years In: The Gap Between Good Practice and Median Practice

The two-year tracker data reflects, in the aggregate, a public company ecosystem that is still developing the internal processes necessary to comply reliably with the SEC’s cybersecurity disclosure rules. The 79 total filings represent a meaningful body of disclosure experience, but the companies that have filed — particularly the 29 Item 1.05 filers — are those that experienced significant incidents. The much larger population of public companies that has not yet filed has not necessarily demonstrated compliance; it has simply not yet been tested.

For that population, the two-year anniversary is a useful prompt. The rules are not new anymore. The SEC has been clear about its expectations. Enforcement is probable. Companies that have treated the disclosure rules as a future compliance project rather than an operational reality are increasingly exposed — and the gap between good practice and median practice is closing from both ends.

This article is provided for informational purposes only and does not constitute legal advice. Organizations should consult qualified legal counsel regarding their specific compliance obligations.