The Four-Day SEC Cyber Rule: 5 Things Leaders Should Know

No one wants to imagine their company in the middle of a public cyber incident.

However, if you lead a public company today, you must. Not because it’s inevitable—but because the moment something breaks, the countdown starts.

The SEC’s four-day rule has added urgency to what was already a high-stakes scenario. And while the rule technically gives companies four business days to file a disclosure, most leadership teams don’t really have that long.

The real challenge isn’t timing. It’s alignment. Who decides what’s material? Who gets looped in—and when? Who signs off while the pressure’s rising?

It’s a leadership test.

For most companies, the problem isn’t a lack of expertise—it’s a lack of rehearsal. When timing, ownership, and trust aren’t practiced, even strong teams can freeze. That’s why I wanted to break down what the rule actually requires, where organizations tend to stall, and how to move faster—without scrambling.

Because the best defense isn’t speed. It’s clarity under pressure—and establishing a strong crisis management framework helps, too!

Natalie Schubert, Daida CEO

What Is the SEC’s Four-Day Rule and What Does It Require?

The SEC’s four-day cyber rule, which took effect December 18, 2023, requires public companies to disclose material cyber incidents within four business days of determining the event is significant to investors.

This is a regulatory update to Item 1.05 of Form 8-K for companies subject to the Exchange Act of 1934. The rule is enforced by the SEC’s Division of Corporation Finance.

The final rule requires public companies to file an 8-K within four business days after determining that a cyber incident is material—not four days after the incident is discovered.

This distinction matters. The countdown clock starts at the moment of materiality determination, not breach detection. And that decision must be made “without unreasonable delay,” according to the SEC.

There’s no built-in grace period, even if investigations are ongoing.

This rule works alongside broader SEC cybersecurity rules, including annual disclosure requirements related to cyber risk governance. Together, these changes shift cybersecurity out of the IT silo—and into legal, financial, and executive accountability.

1. Leadership’s Role in the Process

The SEC cyber rule may give companies four business days to file a disclosure—but in reality, leadership rarely has that long.

Form 8-K is the final step. The real pressure lies upstream, in how teams detect incidents, determine materiality, and prepare a defensible public response—quickly.

This requires clarity—about who triggers internal escalation, who evaluates risk, and how quickly those roles come together under pressure.

That’s where most breakdowns begin. Confusion over materiality often stems from unclear ownership, fractured crisis communication, or leadership waiting too long to convene.

Management’s role isn’t to act as the final reviewer—it’s to ensure the entire process runs smoothly, from detection to decision to disclosure.

When those beats are rehearsed together, filings follow naturally. When they aren’t, day three arrives before anyone’s aligned.

2. How to Determine If a Cyber Incident Is Material

There’s no fixed threshold for when an incident is material. The SEC leaves it to leadership to decide whether a reasonable investor would view the event as significant.

That subjectivity is intentional—but it also raises the stakes. Delay or hesitation can be interpreted as a failure to fulfill your duty to begin assessing and managing material risk. Worse, it can suggest you’re minimizing something that could pose a substantial risk to the business.

To avoid that uncertainty, companies should establish internal decision triggers in advance—so teams don’t have to debate definitions when the clock is already ticking.

5 Signs an Incident May Be Material:

  • Operational disruption: Has core business functionality been impaired or suspended?
  • Reputational damage: Will the incident erode trust with investors, customers, or partners?
  • Legal exposure: Could the event lead to litigation, regulatory action, or breach of contract?
  • Third-party impact: Has a vendor breach materially affected your systems or data?
  • Long-term risk: Does the event compromise competitiveness, intellectual property, or business continuity?

Mean-time-to-materiality—the window between incident detection and a materiality decision—is quickly becoming one of the most telling metrics in cyber readiness.

Teams that align legal, technical, and executive perspectives ahead of time make better calls—faster, and with less friction.

3. What to Include in Your SEC Cyber Disclosure

The disclosure requirements under Item 1.05 of Form 8-K are designed to inform—not expose.

The SEC doesn’t ask companies to share technical vulnerabilities. It asks for the material facts: the nature, scope, timing, and business impact of the incident. That’s what investors need to see. That’s what the rule is built to protect.

There are limits. If the disclosure would compromise security or public safety, or create a risk to national security, companies may request a delay—but only with approval from the U.S. Attorney General.

Even then, the bar is high. Most disclosures cannot be postponed simply because the facts are still developing or the organization fears reputational fallout.

What You Must Include:

  • A plain-language summary of what happened—enough to describe business impact, not technical detail.
  • Scope of the incident (systems affected, data types involved, continuity concerns) to the extent that helps an investor understand the impact.
  • Timing of the event and when materiality was determined.
  • How the incident has or may affect financial condition or operations.

What You Should Leave Out:

  • Specific attack vectors, system vulnerabilities, or detailed forensics.
  • Information that could aid threat actors or worsen exposure.

When in doubt, the SEC allows partial information—as long as the company updates its disclosure as more becomes known. What matters most is consistency. Legal, IT, investor relations, and executive messaging must align before the 8-K goes live.

That coordination often defines whether a company is seen as transparent—or evasive—under pressure.

4. Board Oversight and Governance Requirements

SEC rules don’t stop at the breach itself—they extend into how companies govern cyber risk at the highest level.

Public companies must now describe their board of directors’ oversight of cybersecurity in their annual 10-K filings—explaining how the board is informed, what structures are in place, and how leadership remains engaged over time.

This disclosure must be updated annually by the end of the company’s fiscal year and applies to both domestic and foreign private issuers. Passive awareness won’t suffice.

The expectation is clear: boards are accountable for understanding cybersecurity as an enterprise risk—not a siloed IT issue.

What this means in practice:

  • Quarterly cyber briefings should be considered.
  • Audit or risk committees may need revised charters to formally include cybersecurity oversight.
  • Governance documents should show a clear process for how risk is escalated, discussed, and tracked over time.

If cyber risk is material enough to report, it’s material enough to govern—consistently, and in writing.

5. Limits on Delaying Disclosure

Delaying a cyber disclosure isn’t a strategic option. It’s a narrow legal exception—and one most companies won’t meet.

Only the U.S. Attorney General can authorize a delay, and only if the disclosure would pose a substantial risk to national security or public safety.

That’s it. Not ongoing investigations. Not unresolved technical forensics. Not reputational concerns.

Unless the incident meets the threshold for national security or public risk—and receives written AG certification—companies are expected to file on time, even if some details are still emerging.

The takeaway: Don’t build your process around exceptions. Build it around readiness. That means incident playbooks must assume full disclosure under pressure—and include a path to communicate clearly even when certainty is incomplete.

Building a Reliable Incident Disclosure Process

Compliance doesn’t start with Form 8-K. It starts with habits.

Fast, defensible disclosure isn’t just about policy—it’s about team reflexes. The most prepared organizations respond under pressure not because they memorize filings, but because they’ve practiced what the rules require, defined what counts as assessing and managing material risk, and made management’s role unmistakably clear.

To build that kind of readiness:

  • Define your materiality criteria: Establish clear triggers—legal, reputational, operational—that signal when an incident may be material. Avoid debates in the moment by aligning ahead of time.
  • Clarify leadership roles: Legal, IT, communications, investor relations, and the executive team must know who owns what—before the clock starts. A fast process depends on that clarity.
  • Run quarterly disclosure drills: Repetition builds confidence. Use tabletop exercises and real-time role-play to rehearse decisions, test alignment, and identify friction before it matters.

Regulatory deadlines don’t give grace periods—but good preparation does. The goal isn’t just compliance. It’s composure.