Guides | By Rutvi Vadera | February 5, 2026 | 9 min read

The SEC Cybersecurity Disclosure Rule: Form 8-K Item 1.05 and Regulation S-K Item 106

When the SEC adopted its cybersecurity disclosure rules in 2023, it moved cyber risk out of the IT closet and into the boardroom and the filing cabinet. Public companies now owe investors a timely account of material incidents and an annual picture of how they govern cyber risk. Z Cyber runs that disclosure-readiness program for registrants as their operating partner, using the Glance platform to keep the evidence current.

Most cybersecurity regulation tells you what controls to deploy. The U.S. Securities and Exchange Commission took a different path. Its 2023 rules do not hand registrants a control checklist. They require disclosure: tell investors when a material incident has occurred, and tell them each year how the company assesses, manages, and governs cyber risk. That framing puts the obligation squarely on process and accountability rather than on any single firewall configuration.

For public companies, and especially for financial-services registrants who already carry overlapping supervisory expectations, the practical question is not whether to comply but how to operationalize compliance so a material-incident clock and an annual narrative are both defensible. Z Cyber operates that program for clients as a forward-deployed security team, implementing and running the Glance platform so the disclosure machinery is ready before an incident forces the question.

What the SEC adopted in 2023

In July 2023 the SEC adopted final rules on cybersecurity disclosure for public companies. The rules created two distinct obligations that work together. The first is incident-driven and lives on Form 8-K as new Item 1.05. The second is periodic and lives in the annual report on Form 10-K through additions to Regulation S-K as Item 106.

The deliberate design choice across both is emphasis on materiality, governance, and timely disclosure rather than prescriptive technical requirements. The Commission did not mandate specific safeguards, encryption standards, or response playbooks. It required that registrants disclose material events promptly and describe their own risk-management and oversight practices honestly. The burden of judgment, therefore, sits with the registrant and its board.

Form 8-K Item 1.05: disclosing a material incident

Item 1.05 requires a registrant to disclose a cybersecurity incident that it determines to be material. The disclosure must describe the material aspects of the incident's nature, scope, and timing, along with its material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.

The trigger is a materiality determination, not the discovery of an incident. A company can experience an event and investigate it without yet owing an 8-K. The clock that matters is the one that starts at the materiality decision. The Item 1.05 Form 8-K is generally due within four business days after the registrant determines that the incident is material. Crucially, that materiality determination itself must be made without unreasonable delay after discovery, which closes the obvious loophole of simply never getting around to deciding.

There is one narrow exception. If the U.S. Attorney General determines that disclosure poses a substantial risk to national security or public safety, the SEC permits a limited delay. This is not a routine extension a company can request for convenience. It is a national-security carve-out invoked through the Department of Justice.

Regulation S-K Item 106: the annual governance narrative

Item 106 lives in the annual report on Form 10-K and is fundamentally about transparency into how the company runs its cyber program over time. It requires registrants to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats. This is the operational half of the disclosure regime.

Item 106 also requires governance disclosure. Registrants must describe the board of directors' oversight of cybersecurity risk, and they must describe management's role in assessing and managing material risks from cybersecurity threats. The rule pushes companies to articulate the chain of accountability: who at the management level owns the program, and how the board exercises oversight over it. A company that cannot describe these things coherently in its 10-K has a governance problem, not merely a disclosure problem.

Dimension | Form 8-K Item 1.05 | Regulation S-K Item 106
Filing | Current report (Form 8-K) | Annual report (Form 10-K)
Trigger | Determination that an incident is material | Annual reporting cycle
Focus | Nature, scope, timing, and material impact of the incident | Risk-management processes and board and management oversight
Timing | Generally within four business days of the materiality determination | With each annual report
Underlying duty | Decide materiality without unreasonable delay after discovery | Maintain and accurately describe a real governance structure

Who has to comply, and the smaller-company timeline

The rules apply to registrants, the companies that file periodic reports with the SEC. That population includes financial-services registrants, technology companies, industrials, and any other public company subject to the reporting requirements of the federal securities laws. If a company files 10-Ks and 8-Ks, these rules reach it.

The SEC recognized that the smallest filers needed runway. Smaller reporting companies received additional time before the Item 1.05 incident-disclosure requirement applied to them. The annual Item 106 disclosures phased in through the normal 10-K cycle. The phase-in periods have since elapsed for the broad population of registrants, so the practical reality today is that both obligations are live and examiners expect compliance, not preparation.

Why this is harder than it looks for financial-services registrants

The four-business-day window is not the hard part. The hard part is everything that has to happen before the clock even starts. A registrant must detect an event, escalate it to the people who can judge materiality, gather enough facts about nature and scope and likely impact to make that judgment, and document the reasoning. All of that has to occur without unreasonable delay, which means the process cannot depend on a single person noticing an email.

Financial-services registrants carry an extra layer of difficulty because they already sit under overlapping cyber expectations. A New York-regulated institution, for example, must reconcile SEC disclosure timing with separate state cybersecurity obligations, a tension we unpack in our NYDFS Part 500 compliance checklist. A single incident can implicate several reporting regimes with different clocks and different audiences, and a disclosure that satisfies one regulator can create exposure under another if the determinations are not coordinated.

Item 106 raises a quieter but equally consequential risk. The 10-K narrative must describe processes and oversight that genuinely exist. A company that writes an aspirational description of board oversight it does not actually practice has created a documented gap between its disclosures and its reality, which is precisely the kind of inconsistency that invites scrutiny. The annual narrative and the actual program have to match.

How Z Cyber operationalizes SEC disclosure readiness

Z Cyber operates as a cybersecurity operating partner rather than a tooling vendor. For public-company clients, a dedicated forward-deployed team stands up and runs the disclosure-readiness program on the Glance platform, so the obligations of Item 1.05 and Item 106 are met by a working process rather than a binder that gets dusted off after an incident.

On the incident side, that means a defined escalation path from detection to a disclosure committee, a structured materiality-determination workflow that captures the facts and the reasoning behind each decision, and a contemporaneous evidence trail that demonstrates the determination was made without unreasonable delay. When the four-business-day clock starts, the supporting record already exists.

On the governance side, Glance maintains the living documentation of risk-assessment processes, control ownership, and board reporting cadence that Item 106 expects a registrant to describe. Because the platform tracks the program continuously, the 10-K narrative reflects what the company actually does. Boards that want to strengthen that oversight story can pair this with the practices in our cybersecurity board reporting guide. We work this way across regulated sectors, and our financial-services practice is built specifically for registrants juggling SEC disclosure alongside banking and state cyber rules.

The bottom line

The SEC's 2023 rules reward companies that treat cybersecurity as a governed, evidenced discipline and punish companies that treat disclosure as an afterthought. Item 1.05 demands a materiality decision made promptly and a four-business-day disclosure that follows. Item 106 demands an honest annual account of how the program is run and overseen. Neither obligation can be satisfied by technology alone, because both turn on process, judgment, and documentation. That is the work Z Cyber takes on for its clients, running the program on Glance so the disclosure posture holds up under investor and regulator scrutiny. The official rule text is available at sec.gov.

Frequently Asked Questions

What is SEC Form 8-K Item 1.05?

Form 8-K Item 1.05 is the SEC requirement that a public-company registrant disclose a cybersecurity incident it determines to be material. The disclosure must describe the material aspects of the incident's nature, scope, and timing, and its material impact or reasonably likely material impact, including on the registrant's financial condition and results of operations. It is generally due within four business days after the registrant determines the incident is material.

What does Regulation S-K Item 106 require?

Regulation S-K Item 106 requires registrants, in their annual report on Form 10-K, to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats. It also requires them to describe the board of directors' oversight of cybersecurity risk and management's role in assessing and managing that risk.

How quickly must a public company disclose a cyber incident?

An Item 1.05 Form 8-K is generally due within four business days after the registrant determines that a cybersecurity incident is material. That materiality determination must itself be made without unreasonable delay after discovery. A limited delay is available only if the U.S. Attorney General determines disclosure poses a substantial risk to national security or public safety.

Who must comply with the SEC cybersecurity disclosure rule?

The rules apply to SEC registrants, meaning public companies subject to the periodic reporting requirements of the federal securities laws, including financial-services, technology, and industrial registrants. Smaller reporting companies received additional time before the Item 1.05 incident-disclosure requirement applied to them.
