SEC Form 8-K Item 1.05 Cybersecurity Filings: 2025 Trends & Enforcement

When Item 1.05 took effect on December 18, 2023, it fundamentally changed how public companies manage cyber incidents. For the first time, a material breach wasn't just a security problem — it became a four-business-day disclosure obligation that put boards, CISOs, and legal counsel in the same room under real pressure.

Two-plus years of actual filing data now tell a clearer story. Companies have adjusted how they file, regulators have drawn enforcement lines, and the governance gaps that create liability are coming into focus. What follows is a practical read of where things stand — and what it means for boards and executive teams who need to be ready before the next incident, not during it.


TL;DR

  • Voluntary Item 8.01 filings now outnumber Item 1.05 disclosures — 50 issuers vs. 29 over two years — following the SEC's May 2024 materiality guidance
  • Materiality determination is the highest-stakes compliance decision, not detection — the four-day disclosure clock starts at that call
  • The Flagstar Bancorp case ($3.5M penalty) proved that inaccurate disclosures carry consequences regardless of which filing rule applies
  • Third-party incidents and operational technology attacks dominate what's being disclosed
  • The Atkins-led SEC is pursuing deregulation, but disclosure accuracy obligations exist independent of Item 1.05 — boards cannot treat regulatory softening as permission to stand down

How Filing Behavior Has Shifted: Item 1.05 vs. Item 8.01

The Pre-Guidance Problem

Before May 2024, the filing landscape was muddled. According to Wilson Sonsini's Known Trends tracker, roughly 72% of cyber-related Form 8-K filings were filed under Item 1.05 — including incidents companies simultaneously described as immaterial or undetermined. That created a signal problem: investors couldn't tell whether an Item 1.05 filing meant the company had concluded the incident was material, or simply chose the wrong box.

The May 2024 Guidance

On May 21, 2024, SEC Division of Corporation Finance Director Erik Gerding issued a statement clarifying the distinction: Item 1.05 is exclusively for incidents a company has determined to be material. Voluntary disclosures — where materiality is undetermined or the company has concluded immateriality — belong under Item 8.01.

The filing pattern shifted almost immediately:

Period | Item 1.05 | Item 8.01 / Other
Pre-guidance | ~72% | ~28%
Post-guidance | ~34% | ~66%
Two-year total (as of May 2026) | 29 issuers | 50 issuers

Source: Wilson Sonsini Known Trends; Debevoise two-year tracker

The Escalation Pathway in Practice

The governing pathway now works like this: a company detects an incident, files under Item 8.01 while the investigation is active, then files under Item 1.05 within four business days of a materiality determination. The Item 1.05 filing may reference the earlier Item 8.01 but must independently satisfy Item 1.05's requirements.

Notably, most Item 8.01 filings have not escalated to Item 1.05. That pattern raises legitimate questions about whether Item 8.01 is being used as intended — or whether it has become an effective shelter from the stricter requirements Item 1.05 carries.

The governance implication is direct: which item you file under is a legal and strategic decision, not a compliance checkbox. Clear decision rights and escalation protocols need to be in place well before an incident occurs.


Materiality Determination: The Central Compliance Challenge

What "Material" Actually Means Here

The SEC's materiality standard applies traditional securities law: would a reasonable investor consider the information important, or would it significantly alter the total mix of available information? What trips companies up is the scope of that assessment.

Materiality is not limited to financial impact. The SEC's guidance requires companies to evaluate:

  • Reputational harm and customer trust
  • Impact on vendor and partner relationships
  • Litigation and regulatory exposure
  • Competitive consequences
  • Operational disruption

Financial condition and results of operations are on the list. They're just not the whole list.

The CDIs and the Timing Problem

On June 24, 2024, Corp Fin issued five new Compliance and Disclosure Interpretations (CDIs) under Section 104B, addressing ransomware, insurance recoveries, and aggregation of related immaterial incidents. The practical message: companies cannot use ongoing investigation as indefinite cover for not reaching a conclusion.

Research from Debevoise found:

  • Average time from detection to Item 1.05 filing: 7.88 business days
  • Median: 4.5 business days
  • 50% of Item 1.05 filers filed at least one amendment

That amendment rate matters. Companies are permitted to file a foundational disclosure and amend once more information is available, provided they don't unreasonably delay.

77% of Item 1.05 filers disclosed data access or exfiltration, yet only six disclosed the nature of the compromised data in the initial filing. Nine did so later, by amendment. Initial filings are often incomplete by design, with amendments doing the heavier lifting.

The Flagstar Materiality Process Gap

Those filing patterns aren't just statistical curiosities — the Flagstar enforcement action shows what regulators actually do when they spot them. The SEC found that Flagstar's internal procedures lacked:

  • Defined responsibility for who makes the materiality assessment
  • Articulated factors to consider in that assessment
  • Documentation requirements for how the determination was reached and communicated

That's not just a disclosure failure. It's a governance design failure — the kind that boards can prevent by establishing clear ownership and documentation standards before an incident occurs.


Enforcement Actions Setting the Disclosure Standard

Flagstar Bancorp: The Accuracy Baseline

On December 16, 2024, the SEC issued a settled cease-and-desist order against Flagstar Bancorp carrying a $3.5 million civil penalty. The core allegation: Flagstar's Form 8-K stated it had "no evidence of unauthorized access to customer information" — when the company already knew attackers had accessed and exfiltrated sensitive customer data.

The order cited violations of current reporting requirements and Rule 13a-15(a) disclosure controls and procedures. This enforcement used pre-Item 1.05 rules — which means disclosure accuracy obligations are not contingent on which item you file under.

SolarWinds: Where the SEC's Reach Ends

The July 2024 SDNY ruling in SEC v. SolarWinds trimmed the SEC's enforcement toolkit significantly. Judge Engelmayer dismissed most claims, including the novel theory that cybersecurity control deficiencies violated internal accounting controls requirements under the Securities Exchange Act.

This ruling matters — it limits the SEC from treating cybersecurity program gaps as accounting controls violations. But it does not eliminate liability under disclosure controls and procedures requirements, which Flagstar confirms remain fully active.

The AT&T Comment Exchange

The SEC's review of AT&T's Item 1.05 filing showed what regulators consider insufficient. Two questions drove the exchange: whether AT&T had actually determined materiality before filing, and whether the disclosure adequately described the nature, scope, and type of data compromised.

AT&T's response confirmed the incident involved exfiltration of call and text records for nearly all wireless customers over a six-month period in 2022.

That exchange established a practical standard: Item 1.05 is not a placeholder. Filing under it requires a documented materiality determination and disclosure specific enough to hold up under SEC scrutiny.


Incident Types Shaping What Gets Disclosed

The first-year filing data shows the actual profile of enterprise cyber risk, and it's broader than most boards expect.

Incident type breakdown (first year, 55 incidents):

Incident Type | Share of Filings
Operational technology attacks | 55%
Corporate data theft | 40%
Consumer data access | 33%
Third-party incidents | 26%
Ransomware | 18%

Source: Wilson Sonsini Known Trends

No filings in the first year involved DDoS attacks, terrorism, or cyber-related material weakness.

The Third-Party Disclosure Problem

At 26% of filings, third-party and supply chain incidents stand out. When a vendor or service provider is the breach source, the affected company often lacks direct visibility into scope, timeline, or data impact.

That blind spot makes materiality assessment harder and disclosure timelines unpredictable. The practical fix is contractual: notification rights that require third parties to report incidents promptly, with enough detail for the public company to assess its own exposure.


Regulatory Uncertainty Under the Atkins-Led SEC

Paul Atkins was confirmed as SEC Chairman on April 9, 2025. His agency is pursuing a broader deregulatory agenda, and that agenda has reached cybersecurity disclosure.

In January 2026, Chairman Atkins issued a statement inviting public comment on reforming Regulation S-K. Commenters — including trade associations and law firms — raised Item 106 of Regulation S-K and Item 1.05, with some calling for repeal or modification of the four-business-day filing requirement.

What's verified vs. what's still uncertain:

  • ✅ SEC opened a broad Regulation S-K comment process
  • ✅ Commenters raised Item 1.05 reform as a priority request
  • ❌ The SEC has not proposed repeal or amendment of Item 1.05

The SEC is not unified on this. Commissioners Peirce and Uyeda voted against the 2023 cybersecurity disclosure rules, then issued a joint statement on October 22, 2024 criticizing all four enforcement actions against SUNBURST downstream victims — Unisys, Avaya, Check Point, and Mimecast, totaling over $6.9M in penalties — and warned against hindsight review of cyber disclosures.

That internal dissent matters, but it does not change the current compliance picture.

What boards should not conclude from the deregulatory signals:

  • Item 1.05 is still in force — no amendment or repeal has been proposed
  • The broader Form 8-K obligation to make accurate current reports predates Item 1.05 entirely
  • Flagstar's enforcement action was brought under rules that existed before the 2023 rules took effect
  • Standing down on disclosure governance while reform is pending creates legal exposure, not a safe harbor

What Boards and CISOs Must Do Now

Two years of filing data point to the same gap, repeatedly: companies get caught without a documented, defensible materiality determination process. The Flagstar case didn't just penalize a bad disclosure — it penalized the absence of a process for making the decision in the first place.

Build the Materiality Framework Before the Incident

A defensible materiality assessment requires three components:

  1. Documented decision rights — who makes the materiality call, and at what point in the investigation
  2. Defined escalation thresholds — what information (data type, operational impact, legal exposure) triggers engagement with disclosure counsel
  3. A written record — how the determination was reached, what factors were weighed, and who was notified

This is not a legal function alone. It's a governance design problem that connects the CISO to legal counsel to the audit committee along a predetermined path.

Connect Incident Response to Disclosure Decision-Making

Boards and audit committees need to know in advance:

  • How cyber incidents flow from the CISO to legal counsel to the disclosure committee
  • What criteria trigger board-level notification
  • Who speaks externally, and when
  • What the first hour of board communication looks like

When those escalation rules are pre-approved, organizations spend incident time solving the problem rather than negotiating authority. Without them, the first thirty minutes often sets the tone for whether the next two weeks are managed or reactive.

Get the Governance Infrastructure in Place

For boards that haven't mapped these decision rights — or organizations navigating a CISO transition — the gap between current posture and what the SEC now expects is measurable and fixable.

Tyson Martin works with boards and executive teams to clarify decision rights, build inspectable escalation processes, and prepare leadership for credible, defensible disclosure under regulatory scrutiny. That work includes:

  • A board-level disclosure playbook aligned to Item 1.05's four-day timing requirements
  • Tabletop exercises that test executive decision-making under real incident pressure
  • Governance frameworks designed to hold up when the SEC comes looking

Frequently Asked Questions

What triggers an SEC Form 8-K filing under Item 1.05?

Item 1.05 is triggered when a public company determines that a cybersecurity incident is material. The four-business-day filing clock runs from the date of that materiality determination — not from detection or confirmation of the incident itself.

What is the difference between an Item 1.05 and an Item 8.01 cybersecurity Form 8-K?

Item 1.05 is reserved for incidents a company has determined to be material. Item 8.01 covers voluntary disclosure of incidents that are immaterial or where materiality hasn't yet been determined. Since the May 2024 SEC guidance, Item 8.01 filings have outpaced Item 1.05 filings — 50 issuers to 29 over two years.

What factors determine whether a cybersecurity incident is "material" under SEC rules?

Materiality goes beyond financial impact. Registrants must weigh reputational harm, customer and vendor relationship effects, litigation exposure, regulatory consequences, and competitive risk — alongside financial condition and results of operations.

What are the consequences of filing an inaccurate cybersecurity disclosure on Form 8-K?

The Flagstar Bancorp case is instructive: the company settled for a $3.5M civil penalty after disclosing "no evidence of unauthorized access" when it already knew customer data had been exfiltrated. Violations of disclosure accuracy and controls obligations can result in penalties regardless of which Form 8-K item was used.

How should boards prepare for cybersecurity disclosure obligations under Item 1.05?

Boards should have documented escalation protocols and defined decision rights for materiality assessment in place before an incident occurs. That means regular communication between the CISO and disclosure counsel. The Flagstar case made clear that procedural gaps in the materiality process are themselves an enforcement risk — not just the disclosure that follows.