The single most important recurring document on the cybersecurity beat is not a vendor advisory or a threat-actor post. It is a form: the SEC's 8-K filed under Item 1.05. Since the Commission's cyber-disclosure rule took effect (adopted in July 2023, with Item 1.05 compliance beginning in December 2023 for most registrants and in June 2024 for smaller reporting companies), public companies have had a legal obligation to tell the market about material cyber incidents. Reading that rule precisely is the difference between covering a breach and repeating a rumor.

Here is what the rule actually says. Under Item 1.05, a registrant that experiences a cybersecurity incident must, once it determines the incident is material, file an 8-K within four business days describing the material aspects of the incident's nature, scope, and timing, and its material impact or reasonably likely material impact on the registrant, including on its financial condition and results of operations. The disclosure obligation turns on materiality, not on the mere fact that something happened. The rule did not invent a cyber-specific materiality test; it uses the familiar securities-law standard, whether a reasonable investor would consider the information important, and the adopting release says so explicitly.

The detail most coverage gets wrong is when the clock starts. It is not four business days from the breach, and not four business days from discovery. It is four business days from the company's determination that the incident is material, and the rule requires that determination be made without unreasonable delay after discovery. That structure is deliberate and consequential. It gives companies room to investigate before the clock runs, but it also creates the gap that breach reporters should always probe: how long passed between discovery and the materiality call? Note what the rule does not permit: holding the filing until the investigation is finished. If required information has not been determined or is unavailable when the 8-K is due, the registrant must say so in the filing and then file an amendment within four business days of determining it. A terse initial 8-K followed by an 8-K/A is therefore the expected shape of a 1.05 disclosure, not a red flag in itself.

Item 1.05 has a sibling that matters: Item 8.01, "Other Events." When an incident has not (or not yet) been deemed material, a company may still disclose it voluntarily under Item 8.01, and in 2024 the staff of the SEC's Division of Corporation Finance said publicly that it would rather see non-material or undetermined incidents there than under Item 1.05, so that a 1.05 filing keeps its signal value. The choice of item is therefore itself information. A filing under 8.01 rather than 1.05 is the company saying, in effect, "we are telling you, but we are not calling this material," and that framing deserves as much scrutiny as the incident itself. Watch, too, for an 8.01 filing later followed by a 1.05 filing on the same incident: that sequence is the public record of a materiality determination changing.

What the rule pointedly does not require is also instructive. Item 1.05 does not demand technical attribution and does not require naming the threat actor. Its instructions say a registrant need not disclose specific or technical information about its planned response, its systems and networks, or potential vulnerabilities in such detail as would impede its response or remediation. That is a limit on detail, not on timing. Timing relief is a separate provision: the filing itself may be delayed if the U.S. Attorney General determines that disclosure would pose a substantial risk to national security or public safety and notifies the Commission in writing, initially for up to 30 days and, in extraordinary circumstances, in further steps to a maximum of 120 days, beyond which only a Commission exemptive order can extend it. So a filing can be fully compliant and still tell you very little about the how. The discipline for a reader is to separate confirmed from alleged, disclosed from reported, and material, in the SEC's specific sense, from merely alarming. Read the 8-K, not the headline: it is often more careful, and more revealing, than the coverage built on top of it.