On July 26, 2023, the SEC adopted rules requiring public companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material. The Form 8-K requirement took effect on December 18, 2023 for all registrants other than smaller reporting companies, which were given an additional 180 days and had to comply from June 15, 2024.
The rules are now fully operational. Between December 2023 and early 2025, 54 companies filed 80 Form 8-K disclosures related to cybersecurity incidents. The SEC has settled multiple enforcement actions, launched a dedicated Cyber and Emerging Technologies Unit, and made clear that cybersecurity disclosure is no longer a soft obligation. It is a hard regulatory requirement with real enforcement consequences.
And yet most public companies are not prepared for the timeline.
Four Days Is Not a Long Time
Walk through what four business days actually looks like when a material incident occurs. The clock formally starts at the materiality determination, not at detection, but the rule requires that determination to be made without unreasonable delay after discovery, so in practice the timeline is set by when the incident is found. Day one: the incident is detected, or, as is often the case, the compromise began days earlier and is only now being noticed, so the determination window is already under pressure. Day two: the security team is investigating. Legal counsel is looped in. The question of materiality is being debated. Day three: the CFO, General Counsel, and CISO are in a room together, if a room can be arranged, working through a framework that may or may not exist. Day four: the Form 8-K is due.
Most companies do not have that framework. PwC research on the rules found that clients who ran disclosure preparedness exercises consistently discovered they were less ready than they believed. The gap is not usually in the security function. It is in the governance layer — the escalation paths, the materiality definitions, the documented chain from detection to board notification to regulatory filing.
What the Rules Actually Require
The SEC framework has two primary obligations. First, Form 8-K Item 1.05 requires disclosure of a material incident within four business days of the materiality determination, describing the material aspects of the incident's nature, scope, and timing, and its material impact or reasonably likely material impact on the company, including its financial condition and results of operations. The item does not call for technical detail about the incident response or the affected systems that would impede remediation, and the deadline can be extended only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety. Second, Regulation S-K Item 106, reported in Form 10-K Item 1C, requires annual disclosure of the company's processes for assessing, identifying, and managing material cybersecurity risks, whether any such risks have materially affected or are reasonably likely to materially affect the company, the board's oversight role, and management's role and expertise in assessing and managing those risks.
That second obligation is where most companies have the softest ground. The annual 10-K disclosure requires an honest description of what the board actually does to oversee cybersecurity risk. Not what the policy says. Not what the CISO presents. What actually happens.
The Board's New Liability
Columbia Law School research found that boards without cybersecurity expertise engage in symbolic oversight rather than substantive governance. The SEC rules have effectively made symbolic oversight a disclosed liability. When a company describes its board's cybersecurity oversight in a Form 10-K, that description is now part of the public record — and investors, plaintiff attorneys, and regulators can assess it against what actually happened when an incident occurred.
A board that receives a quarterly CISO briefing and nods along has a cybersecurity oversight process. A board that can ask substantive questions about actual attack surface coverage, remediation timelines, and validated security posture has a different kind of governance — and a different kind of defensibility when something goes wrong.
Knowing Your Posture Before the Incident
The four-day clock is manageable if a company knows its security posture continuously. The materiality determination is faster when you understand your actual exposure. The disclosure is more accurate when you can describe what was compromised against a backdrop of what was validated. The board oversight is more substantive when there is real data behind it.
The companies that struggle under these rules are the ones trying to reconstruct their security posture in real time during an incident — pulling together data that should have been available continuously, making materiality judgments without a tested framework, and filing disclosures that reflect the chaos of the moment rather than the clarity of preparation.
The SEC rules changed the stakes for cybersecurity governance. They did not change the underlying security problem. What they did was make the connection between security posture and legal exposure explicit — and enforceable. The companies building continuous validation into their security programs are not just doing better security. They are building the infrastructure that makes regulatory compliance possible under realistic incident timelines.
See what continuous testing finds in your environment.
Tadpole deploys autonomous agents that simulate real adversaries — 24/7, across your entire attack surface.