Tags: SEC, Compliance, Risk Management, Incident Response, Governance

The SEC's Four-Day Clock Starts on Materiality, Not Discovery

Cover image: Lattix branded cover for the article, showing the four-business-day figure, Item 1.05 metadata, and a decision-flow strip with the materiality determination node highlighted.

The Securities and Exchange Commission's cybersecurity disclosure rule under Form 8-K Item 1.05 took effect December 18, 2023 for non-smaller reporting companies. The rule requires that a registrant disclose a material cybersecurity incident within four business days of the materiality determination. The legal community has documented the rule's text and the early enforcement signals. The operational gap that practitioners hit lies between the materiality determination and the evidence on which that determination relies.

The Commission has emphasized in the adopting release and in subsequent interpretive guidance that the four-day clock begins when the registrant determines an incident to be material. That determination cannot be unreasonably delayed. The relevant question, in practice, is what evidence supports the materiality call at the moment the call is made, and how confident the disclosure committee can be in the answer.

What Item 1.05 actually requires

The text of Item 1.05 requires disclosure of the nature, scope, and timing of the incident, along with the material impact or reasonably likely material impact on the registrant. The disclosure must be filed on Form 8-K within four business days of the determination of materiality. A delay is available only when the Attorney General notifies the Commission in writing that disclosure would pose a substantial risk to national security or public safety.

The Commission rejected proposals to peg the clock to discovery. The Commission's reasoning, set out in the adopting release (Release Nos. 33-11216 and 34-97989), is that the materiality determination is the operative event for disclosure under the federal securities laws. Discovery without a materiality call is not yet a disclosure trigger. A materiality call without supporting analysis is not a defensible disclosure.

The text places the burden of the analysis on the registrant. The Commission's interpretive guidance and the staff Compliance and Disclosure Interpretations issued through 2024 and 2025 make the same point repeatedly. The registrant must reach a materiality determination promptly. The registrant must be able to support the determination with evidence at the time the determination is made.

The materiality analysis the rule presumes

Materiality under the federal securities laws is the standard articulated in TSC Industries v. Northway and refined through Basic v. Levinson. The information would be material if a reasonable investor would consider it important in making an investment decision, or if the omission of the information would significantly alter the total mix of available information. In a cybersecurity incident, the inputs to that analysis are the scope of the data accessed or affected, the operational impact on the registrant's business, and the reasonably likely downstream consequences for customers, contracts, and revenue.

Each of those inputs is an evidentiary question. Scope of data accessed depends on what the security team can prove about read events during the incident window. Operational impact depends on what systems were degraded and for how long. Downstream consequences depend on the contracts and obligations attached to the affected data, which themselves depend on knowing which data was affected.

The four-day clock presumes that the registrant can answer the first input in time. In current architectures, that presumption is generous.

The evidence question

A traditional perimeter-centric architecture answers the "what did the attacker see" question through application logs, network capture, endpoint forensics, and stitched correlation across SIEM, EDR, and IAM telemetry. The construction takes days for clean incidents and weeks for messy ones. The output is a probability statement, not a record.

The Commission's adopting release acknowledges that early-stage materiality calls may be made before all forensic detail is settled. The staff's guidance allows for amendments under Item 1.05(c) when material new information becomes available. Neither concession removes the underlying tension: a registrant that cannot quickly answer what data was read or modified is a registrant making materiality calls with low-confidence inputs and exposed to amendment risk on every call.

The 2024 enforcement actions against Unisys, Avaya, Check Point Software, and Mimecast under the cybersecurity disclosure regime made the evidentiary point operationally. The actions reached settlements totaling more than $7 million on disclosure-related findings, with the Commission citing materially misleading characterizations of cybersecurity incidents rather than the underlying incidents themselves. The disclosure that survives enforcement is the disclosure backed by evidence at the time the disclosure was made.

How data-centric architecture changes the inputs

The architecture that turns the "what did the attacker see" question from a forensic reconstruction into a query against the data is object-level cryptographic enforcement plus immutable lineage. Every data object carries its own encryption and policy. Every read event traverses a policy decision point that releases the wrapping key against an attribute claim. Every release is recorded in a Merkle-tree lineage chain in tamper-evident audit storage.

Lattix Technologies binds policy to data objects through attribute-based access control (ABAC) at the policy enforcement point, post-quantum key encapsulation through ML-KEM-768 and ML-KEM-1024, and Merkle-tree lineage in tamper-evident audit storage. When an incident response team needs to answer the materiality input questions, the audit chain is the answer. The team queries the lineage for releases during the incident window, filters by attribute claim or principal, and produces a defensible scope statement directly from the cryptographic record.

The materiality determination still requires judgment. The architecture does not replace the disclosure committee. It changes the inputs to the committee's deliberation from a probability statement built from heterogeneous logs to a query result from the data itself. A four-business-day clock becomes operationally tractable when the evidence on which materiality rests is available in hours.

What CISOs and CFOs should align before the next incident

Three coordination points between the security organization and the finance organization carry the disclosure analysis under Item 1.05.

The first is the materiality determination framework. The disclosure committee should know in advance what classes of data trigger material impact at what scope, what operational degradation triggers material impact at what duration, and what contractual exposure profiles trigger material impact for which customer cohorts. The framework should be written down before an incident, not assembled during one.

The second is the evidence access path. The security team should be able to produce, in hours, a scope statement that names the data objects accessed during a defined window, the principals who accessed them, and the attribute claims that authorized each access. If the architecture cannot produce that statement, the disclosure committee is operating on inference and the four-day clock is running against inference.

The third is the amendment posture. Item 1.05(c) requires amendment when materially new information becomes available. A registrant whose initial filing rested on inference will face more amendments than a registrant whose initial filing rested on cryptographic evidence. The Commission staff has signaled in public remarks that the pattern of amendments will inform enforcement attention.

The architectural argument

The SEC rule does not require any particular technical architecture. The rule requires accurate disclosure within a fixed window after a materiality determination. The architecture that produces accurate inputs to that determination is the architecture that wins under the rule. Data-centric controls produce those inputs natively. Perimeter-centric controls produce them with effort, with gaps, and with amendment risk on the back end.

The four-day clock is a forcing function for the inputs, not for the outputs. Registrants that build the inputs ahead of the next incident will file once and stand on the filing. Registrants that build the inputs during the incident will file under pressure and amend under scrutiny. The architectural decision is upstream of every disclosure.
