Key Takeaways
Two years after the May 21, 2024 statement by the Securities and Exchange Commission’s (“SEC”) Division of Corporation Finance clarifying the intended use of Item 1.05 of Form 8-K for cybersecurity incident disclosures, voluntary Item 8.01 cybersecurity filings (where materiality has not yet been determined) have significantly outpaced Item 1.05 filings (for material cybersecurity incidents) and most incidents initially disclosed under Item 8.01 have not subsequently resulted in an Item 1.05 filing. For additional background and early market practice, see our February 11, 2025 Debevoise In Depth article.
Background. In July 2023, we published a post summarizing the cybersecurity disclosure rules adopted by the SEC for Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. Under these rules, Item 1.05 of Form 8-K requires U.S. public companies to disclose material cybersecurity incidents. We have been monitoring Form 8-K filings under the SEC requirements since the rules went into effect on December 18, 2023. This chart includes links to each of these filings, as well as the relevant dates and amendments (if any), updated as of May 21, 2026, together with brief summaries of each Item 1.05 disclosure. We periodically update the Debevoise Data Blog to reflect new Form 8-K filings under Item 1.05.
The May 2024 SEC guidance. In the first year following the adoption of the rules, the market lacked a clear consensus on when Item 1.05 was to be used to disclose cybersecurity incidents. Although Item 1.05 was intended for material cybersecurity incidents, a number of Item 1.05 filings made before the SEC’s May 2024 guidance generally stated that the applicable incident had not had, or was not reasonably likely to have, a material impact on the registrant’s financial condition or results of operations, potentially diluting the informational value of Item 1.05 disclosure in practice.
On May 21, 2024, the former Director of the SEC’s Division of Corporation Finance issued a statement clarifying that Item 1.05 is intended for cybersecurity incidents that a registrant has determined are material. Where a registrant voluntarily discloses an incident that is not material, or for which materiality has not yet been determined, the Division of Corporation Finance encouraged disclosure under a different item of Form 8-K (for example, Item 8.01) or through other investor communications. If a registrant initially discloses an incident under Item 8.01 (or by some other means) and later determines the incident is material, the registrant should file an Item 1.05 Form 8-K within four business days of that subsequent materiality determination.
Updated trends and filing statistics (two-year update). The May 2024 guidance has had a noticeable effect on filing practices: more registrants have used Item 8.01 filings to disclose cybersecurity incidents, and Item 1.05 filings more frequently identify specific material impacts, either in initial disclosures or through subsequent amendments. This stands in contrast to the pattern of early Item 1.05 filings that frequently disclaimed materiality altogether. Following the SEC’s guidance, registrants appear to be using Item 1.05 more consistently only for those incidents where they have reached a definitive materiality conclusion.
Since the SEC’s clarifying statement, as of May 21, 2026, there have been 29 issuers that have made Item 1.05 filings and 50 issuers that have made Item 8.01 filings. Only five issuers have made disclosures under both Item 1.05 and Item 8.01. In these cases, each issuer initially disclosed the incident under Item 8.01 and later filed under Item 1.05 after determining the incident was material. Most incidents disclosed under Item 8.01, however, have not later resulted in an Item 1.05 filing. This suggests that, in practice, registrants are relying on Item 8.01 to communicate cybersecurity incidents to the public, calling into question the necessity of a separate Item 1.05 requirement. Moreover, even after the May 2024 guidance, some Item 1.05 filings have continued to state that the registrant has not yet determined the incident’s ultimate financial impact, or that the incident is not expected to have a material impact on its financial condition or results of operations, calling into question the usefulness of a separate Item 1.05 requirement.
Current SEC posture. Under the leadership of Paul Atkins since January 2025, the SEC is generally pursuing a deregulatory agenda. For example, SEC staff engaged with industry associations in 2025 about the effectiveness of the Item 1.05 Form 8-K requirements, and in January 2026, the SEC requested comments on all items of Regulation S-K (including cybersecurity governance) as part of a comprehensive effort to streamline public company reporting requirements. As part of this latter effort, industry associations and corporate governance professionals have renewed their call for repeal of Item 1.05, including in a joint comment letter submitted by leading banking trade associations and a separate comment letter submitted by the Society for Corporate Governance prepared with our input. More broadly, in the Regulation S-K reform comment letters, rescission or substantial reform of Item 1.05 was among the most commonly requested changes. However, at this time, it is unknown whether the cybersecurity disclosure rules adopted by the SEC in 2023 will be added to Chair Atkins’ long list of desired regulatory reforms.
We will continue to monitor developments in cybersecurity incident disclosure regulations. Our Cybersecurity Incident Disclosure Tracker, updated as of May 21, 2026, can be found here.
***
To subscribe to the Data Blog, please click here.
The cover art for this blog post was generated by ChatGPT.
