As we approach 2026, public companies face unprecedented cybersecurity disclosure obligations and heightened SEC enforcement—here’s what you need to know
Executive Summary
The SEC’s cybersecurity disclosure rules, which became effective in December 2023, have fundamentally transformed how public companies approach incident reporting and governance oversight. As we enter 2026, a year of enforcement actions, regulatory guidance, and the creation of a new enforcement unit reveals a clear message: cybersecurity disclosure is no longer optional, and material incidents demand timely, accurate, and comprehensive reporting.
Between December 2023 and early 2025, 54 companies filed 80 Form 8-K disclosures related to cybersecurity incidents—26 under the material incident provision (Item 1.05) and the remainder under voluntary disclosure items. The SEC has settled multiple enforcement actions totaling over $8 million in penalties, launched the Cyber and Emerging Technologies Unit (CETU) in February 2025, and issued detailed guidance clarifying when and how companies must disclose cyber incidents.
For boards of directors, the stakes have never been higher. Derivative lawsuits, D&O liability claims, and enhanced fiduciary duty obligations surrounding cybersecurity oversight are creating a new risk landscape that extends far beyond traditional IT concerns.
The Rules: What Changed and When
Material Incident Disclosure (Form 8-K Item 1.05)
The core requirement mandates that public companies disclose material cybersecurity incidents within four business days of determining materiality. Companies must describe:
- The material aspects of the incident’s nature, scope, and timing
- The material impact or reasonably likely material impact on the company
- Effects on financial condition and results of operations
Effective dates:
- Large accelerated filers and accelerated filers: December 18, 2023
- Smaller reporting companies: June 15, 2024
Annual Governance Disclosures (Form 10-K)
Beginning with fiscal years ending on or after December 15, 2023, companies must disclose in their annual reports:
- Processes for assessing, identifying, and managing material cybersecurity risks
- Whether cybersecurity risks have materially affected or are reasonably likely to affect the company
- Management’s role in assessing and managing cybersecurity threats
- Board oversight of cybersecurity risks, including:
  - Which board committee oversees cybersecurity
  - Processes for informing the board about cybersecurity threats
  - Board members’ cybersecurity expertise
The National Security Exception
Companies can request a delay from the Attorney General if immediate disclosure poses a substantial risk to national security or public safety. AT&T became the first and only known company to publicly use this provision, delaying its July 2024 disclosure by 84 days after receiving DOJ approval.
The Evolution of Enforcement: Real-World Cases
The SolarWinds Litigation: Setting Boundaries
The SEC’s October 2023 enforcement action against SolarWinds Corp. and CISO Timothy Brown marked several firsts:
- First fraud claims related to cybersecurity disclosures
- First charges against a CISO in a cybersecurity case
- First attempt to expand internal accounting controls to cybersecurity systems
However, in July 2024, U.S. District Judge Paul Engelmayer dismissed most of the SEC’s claims, dealing a significant blow to the agency’s aggressive interpretation of internal controls. The court rejected the SEC’s novel theory that cybersecurity deficiencies violated Exchange Act Section 13(b)(2)(B)’s internal accounting controls provisions.
Key ruling: The court found that using hindsight to second-guess cybersecurity statements and attempting to expand accounting controls to encompass all cybersecurity measures exceeded the SEC’s authority.
By July 2025, the SEC reached a preliminary settlement with SolarWinds and Brown, with final terms pending commissioner approval. Despite the setback, the SEC has signaled it remains committed to pursuing disclosure-related fraud cases.
The SolarWinds Victims: Downstream Enforcement
Undeterred by the court’s ruling in SolarWinds, the SEC in October 2024 charged four companies that were themselves victims of the SolarWinds Orion compromise:
Unisys Corporation - $4 million penalty
- Alleged misleading disclosures minimizing the scope of data accessed- Additional charges for disclosure controls violations
Avaya Holdings Corp. - $1 million penalty
- Used generic, hypothetical language about cybersecurity risks despite knowing the warned-of risks had materialized
Check Point Software Technologies - $995,000 penalty
- Disclosed incident in “half-truths” that understated the extent of threat actor access
Mimecast Limited - $990,000 penalty
- Allegedly downplayed the significance of compromised credentials
SEC enforcement message: Companies cannot “further victimize their shareholders” by providing misleading disclosures about incidents they’ve encountered—even when they are victims themselves.
Intercontinental Exchange: The $10 Million Wake-Up Call
ICE, parent company of the NYSE, agreed in May 2024 to pay $10 million to settle allegations related to cybersecurity incident notification failures, demonstrating that even market infrastructure companies are not immune from enforcement.
R.R. Donnelley: Internal Controls Matter
In July 2024, business communications provider RRD settled for $2.1 million related to a 2021 cyberattack. The SEC alleged:
- Inadequate resources allocated to monitoring security alerts
- Failure to instruct third-party monitoring service on proper escalation procedures
- Deficient disclosure controls and internal controls
Critical insight: The SEC expects companies to maintain cybersecurity procedures that escalate aggregated security alerts—not just confirmed incidents—to management and disclosure personnel.
Flagstar Bank: Timing Is Everything
In December 2024, the SEC settled with Flagstar Bank for filing a misleading Form 8-K. On January 25, 2021, Flagstar disclosed a cybersecurity incident under Item 8.01, stating it had “no evidence of unauthorized access to customer information.” However, the company had learned one day earlier that attackers exfiltrated sensitive customer data including names, addresses, Social Security numbers, and account information.
Flagstar amended its Form 8-K 15 days later—but the damage was done. The SEC found the company violated Section 13(a) of the Exchange Act and Rule 13a-11 by filing an inaccurate current report.
The Cyber and Emerging Technologies Unit (CETU): February 2025
On February 20, 2025, the SEC announced the creation of CETU, replacing the Crypto Assets and Cyber Unit. Led by Laura D’Allaird, the approximately 30-member unit represents a strategic shift in enforcement priorities under the second Trump administration.
CETU’s Seven Priority Areas:
1. Fraud using emerging technologies (AI and machine learning)
2. Social media, dark web, and fake website fraud
3. Hacking to obtain material nonpublic information
4. Retail brokerage account takeovers
5. Crypto asset and blockchain fraud
6. Fraudulent cybersecurity disclosures by public issuers
7. Regulated entity compliance with cybersecurity rules (broker-dealers, investment advisers)
Strategic shift: CETU signals a move away from non-fraud technical violations toward fraud-focused enforcement that directly harms retail investors. Acting Chairman Mark Uyeda emphasized the unit would “facilitate capital formation and market efficiency by clearing the way for innovation to grow.”
What This Means for Issuers
CETU’s focus on “fraudulent disclosures” rather than technical violations suggests companies face less risk from good-faith disclosure errors. However, the bar for intentional misstatements, material omissions, or misleading incident characterizations has been set emphatically high.
Real-World Filing Examples: Learning from the First Year
High-Profile Material Disclosures (Item 1.05)
UnitedHealth Group / Change Healthcare (February 2024)
UnitedHealth’s disclosure of a nation-state attack on Change Healthcare systems became one of the most significant incident disclosures of 2024. The company:
- Filed under Item 1.05 on February 21, 2024
- Disclosed a suspected nation-state threat actor gained access to Change Healthcare IT systems
- Proactively isolated impacted systems to contain the breach
- Filed multiple amendments as the scope and impact evolved
- Initially stated it could not estimate the duration or extent of disruption
Critical lesson: UnitedHealth’s disclosures were criticized for distributing key information across multiple platforms rather than providing a centralized, comprehensive account—undermining the goal of transparent disclosure.
AT&T Inc. (July 2024)
AT&T’s disclosure revealed hackers accessed phone and SMS records for nearly all AT&T customers, including personal, business, and government accounts. The company:
- Filed 84 days after detection using the national security exception
- Received DOJ approval for the delay due to substantial national security risks
- Stated at filing it had “not yet determined” whether material impact would occur
- Received SEC comment letter requesting expanded disclosure on material impacts
Microsoft (January-March 2024)
Microsoft detected a Russian state-sponsored actor (Midnight Blizzard/Nobelium) had compromised corporate email systems beginning in November 2023. The company:
- Filed under Item 1.05 detailing the nation-state intrusion
- Provided iterative updates through amendments
- Disclosed exfiltration of emails and documents
- Stated incident did not have material consequences at time of filing
Prudential Financial (February 2024)
Prudential’s initial disclosure stated a cybercrime group accessed company data but the material impact was unknown. The company later amended its filing to disclose that information on more than 2.5 million people potentially had been leaked.
Krispy Kreme (December 2024)
Krispy Kreme provided one of the most financially quantified disclosures, reporting:
- 280 revenue basis points lost
- $10 million impact on Adjusted EBITDA
- $0.04 impact on Adjusted EPS
However, the company failed to amend its original Form 8-K to reflect these updates, missing an opportunity to formally update investors through the intended disclosure mechanism.
Voluntary Disclosures (Item 8.01)
Following the SEC’s May 2024 guidance clarifying that Item 1.05 should be reserved for material incidents, companies increasingly filed under Item 8.01 for incidents where materiality had not been determined.
CDK Global outage (June 2024): Multiple auto retailers (Lithia Motors, Group 1 Automotive, AutoNation) filed Item 8.01 updates disclosing operational disruption from their vendor’s compromise while assessing whether the impact would be material to their operations.
Filing Statistics: The First Year
From December 18, 2023, through January 19, 2025:
- 55 total cybersecurity incidents reported by 54 companies
- 80 total Form 8-K filings (including amendments and updates)
- 26 filings under Item 1.05 (material incidents)
- 34 filings under Item 8.01 (voluntary or non-material disclosures)
- ~33% filed amendments or updates to initial disclosures
Common incident types disclosed:
- Operational technology attacks: 55% (30 incidents)
- Ransomware: 18% (10 incidents), though most didn’t explicitly use the term “ransomware”
- Nation-state attacks: Several high-profile cases
- Third-party vendor compromises: Significant percentage
Material impact disclosures:
- Only ~14% (11 filings covering 9 incidents) stated the incident was material
- 4 filings cited materiality to business operations
- 7 filings cited materiality to quarterly financial results
- Notably, no amended Form 8-K ultimately confirmed actual material impact—most concluded impact was immaterial or reasonably unlikely
SEC Staff Guidance: Reading Between the Lines
The Gerding Statement (May 21, 2024)
Erik Gerding, Director of the SEC’s Division of Corporation Finance, issued crucial guidance after observing companies filing under Item 1.05 for incidents they determined were immaterial or for which materiality had not been determined.
Key clarifications:
1. Reserve Item 1.05 for material incidents only. While not expressly prohibited, voluntary filings of immaterial incidents under Item 1.05 create investor confusion.
2. Use Item 8.01 for voluntary disclosure. Companies wanting to disclose incidents before materiality determination should use other Form 8-K items.
3. Materiality must consider qualitative and quantitative factors. Don’t limit analysis to financial condition and results of operations. Consider:
   - Reputational harm
   - Customer and vendor relationships
   - Competitive positioning
   - Litigation and regulatory investigation risks
4. File Item 1.05 within four days of subsequent materiality determination. If you initially disclosed under Item 8.01 and later determine materiality, file under Item 1.05 within four business days.
Impact: Following this guidance, Item 8.01 filings increased from 6 before May 2024 to 28 after May 2024, while Item 1.05 filings decreased from 17 to 9 over the same period.
Ransomware C&DIs (June 24, 2024)
The SEC staff issued five C&DIs addressing materiality determinations for ransomware incidents:
Key principle: Ransomware payment size alone does not determine materiality. Companies must consider:
- Whether insurance reimburses the payment
- Future availability and cost of cybersecurity insurance
- Operational disruptions beyond the payment
- Reputational and competitive harm
- Customer and vendor relationship impacts
Even if a ransomware payment is reimbursed or the attacker ceases activity after payment, companies must still report material incidents within four business days of materiality determination.
Comment Letter Sweep (May-July 2024)
The SEC conducted a systematic review of Item 1.05 filings, issuing 14 comment letters focused on:
1. Why companies filed under Item 1.05 if incidents were not material or materiality had not been determined
2. Expanding disclosure beyond financial metrics to include:
   - Vendor relationship impacts
   - Reputational harm from stolen data
   - Customer impacts
   - Operational disruptions
   - Future implications
Example: V.F. Corporation
The SEC’s January 5, 2024 comment letter to V.F. Corp. (the first under the new rules) requested the company expand disclosure to:
- Describe the scope of business operations impacted
- Describe known material impacts and likely continuing impacts
- Consider all material impacts (vendor relationships, reputational harm, unfulfilled orders)
V.F. Corp. filed an amendment on January 18, 2024, but notably did not identify additional material impacts.
The Board’s Role: Cybersecurity Oversight in 2026
Enhanced Fiduciary Duties
Boards of directors now face explicit oversight obligations that go beyond traditional Caremark duties. Courts and regulators increasingly view cybersecurity as a “mission critical legal risk” requiring active, documented board engagement.
Key obligations include:
1. Establishing and overseeing cybersecurity risk management processes
2. Ensuring adequate resources for threat detection and response
3. Regular reporting cadence from management on vulnerabilities and incidents
4. Documenting oversight activities to demonstrate good faith efforts
5. Assessing third-party vendor risks
6. Conducting tabletop exercises and incident simulations
Current Practice Trends (2024 Data)
Analysis of Fortune 100 company disclosures reveals:
- 72% disclose cybersecurity as an area of expertise sought on the board (up from 19% in 2018)
- 71% include cybersecurity in at least one director biography
- 84% identify at least one management role providing cybersecurity insights to the board (up from 42% in 2022)
- 95% include language about frequency of management reporting to the board
- 70% specifically mention the CISO in their disclosures (up from 28% in 2022)
- ~48% engage in simulations and tabletop exercises
- Audit committees remain the most common oversight body for cybersecurity
Concerning gap: Only 10% of Fortune 100 boards disclose engaging external advisors for cybersecurity assistance, despite 87% using independent advisors for other governance matters.
Derivative Litigation Risk
While Delaware courts have dismissed most Caremark-based cybersecurity oversight claims (including for Marriott and SolarWinds), derivative lawsuits continue to be filed after major breaches.
Failed derivative claims teach important lessons:
In dismissing the SolarWinds derivative case, the Delaware Chancery Court found plaintiffs failed to establish:
1. The board consciously disregarded red flags
2. A total failure to implement any reporting system
3. A sustained pattern of deliberate indifference
However, NYU Professor Jennifer Arlen argues derivative plaintiffs would have better success if they alleged “corporate trauma from the confluence of”:
- Materially misleading statements about cybersecurity
- Apparent cybersecurity deficiencies
- The actual cyber-hack and resulting harm
For companies where cybersecurity is “mission critical” (e.g., SolarWinds selling security software), enhanced Caremark duties may apply, requiring boards to:
- Mandate management reporting on whether public statements are materially misleading
- Seek outside counsel opinions on disclosure accuracy
- Actively monitor the gap between public representations and actual security posture
D&O Insurance Implications
Cyber incidents increasingly trigger D&O exposure through:
Securities class actions alleging misleading disclosures about cybersecurity practices or incident severity
Derivative suits claiming breach of fiduciary duty for failure to oversee cybersecurity risks
Regulatory enforcement actions that may name individual officers (as with SolarWinds CISO Timothy Brown)
Coverage considerations:
- Most D&O policies contain cyber exclusions for direct losses from cyber incidents
- However, securities claims alleging disclosure failures remain covered
- Coordinated D&O and cyber insurance programs can provide optimal protection
- Some insurers offer coordinated retention credits across both policies
Notable settlements:
- Yahoo directors and officers paid $29 million in a breach of fiduciary duty derivative settlement
- SolarWinds shareholders reached a $26 million securities class action settlement
- Target, Wyndham, and Home Depot faced similar derivative actions following breaches
Best Practices for Board Oversight
1. Designate clear oversight responsibility
- Assign to a standing committee (typically Audit or Risk) with explicit charter authority
- Prepare advance plans for creating ad hoc incident response committees
- Define escalation triggers for full board engagement
2. Establish regular reporting cadence
- Quarterly (minimum) cybersecurity briefings from CISO/CIO
- Annual comprehensive risk assessment presentations
- Immediate notification protocols for significant incidents
- Integration with enterprise risk management framework
3. Document oversight activities meticulously
- Meeting minutes should reflect questions asked, information reviewed, and decisions made
- Maintain records of incident simulations and tabletop exercises
- Document board education and training on cyber threats
- Preserve privileged records of disclosure materiality determinations
4. Assess qualitative and quantitative factors
Don’t limit materiality analysis to financial metrics. Consider:
- Customer and vendor relationship risks
- Reputational harm and brand damage
- Competitive positioning impacts
- Regulatory investigation likelihood
- Litigation exposure
- Insurance availability and pricing
- Third-party dependencies
5. Develop disclosure-ready incident response
- Create “8-K-aware” incident playbooks with materiality worksheets
- Track timeline of detection, assessment, and disclosure decisions
- Build centralized logging that can rapidly answer: what, when, how big, impact
- Define pre-agreed thresholds tied to legal-approved escalation trees
- Practice with tabletop exercises that include disclosure counsel
6. Review D&O and cyber insurance coverage
- Ensure adequate coverage for individuals in key cybersecurity roles
- Assess whether coverage is sufficient for regulatory penalties and derivative suits
- Consider coordinated D&O/cyber programs with shared retention credits
- Review tower structure and excess capacity
7. Evaluate third-party risk management
- Implement comprehensive vendor due diligence for critical service providers
- Include cybersecurity requirements in contracts with compliance clauses
- Conduct regular audits of high-risk vendors
- Develop contingency plans for vendor compromises
- Remember: Your disclosure obligations may be triggered by vendor incidents
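As an added illustration (not code from the article, the SEC, or any filer), the following Python helper encodes the Gerding statement’s Item 8.01/Item 1.05 decision and the four-business-day clock, together with the kind of materiality worksheet the “8-K-aware” playbook above calls for: it blocks a “no material impact” conclusion until every qualitative factor has been assessed. The business-day calendar, the factor list, and treating an Attorney General delay as a plain number of added calendar days are simplifying assumptions.

```python
"""
Disclosure-clock and materiality-worksheet helper modelled on the Form 8-K rules
described in this article. Added illustration only; not code from the SEC, the
article, or any filer. Assumptions: Monday-Friday are business days unless a
holiday set is supplied, the four-business-day clock starts the business day
after the materiality determination, and an Attorney General delay under the
national security exception is modelled as a number of added calendar days.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

# Qualitative factors the Gerding statement and the ransomware C&DIs say must be
# weighed alongside financial condition and results of operations (assumed list).
QUALITATIVE_FACTORS = (
    "reputational harm",
    "customer and vendor relationships",
    "competitive positioning",
    "litigation and regulatory investigation risk",
    "operational disruption",
    "insurance availability and cost",
)


def add_business_days(start: date, n: int, holidays: FrozenSet[date] = frozenset()) -> date:
    """Return the date n business days after start, skipping weekends and holidays."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


@dataclass
class IncidentRecord:
    detected_on: date
    # None until the company has actually concluded material / not material.
    is_material: Optional[bool] = None
    materiality_determined_on: Optional[date] = None
    # Calendar days of delay approved by the Attorney General (0 if none).
    ag_delay_days: int = 0
    # factor name -> True if assessed as a material concern, False if assessed and not.
    assessments: Dict[str, bool] = field(default_factory=dict)


def unassessed_factors(rec: IncidentRecord) -> List[str]:
    """Worksheet factors that nobody has signed off on yet."""
    return [f for f in QUALITATIVE_FACTORS if f not in rec.assessments]


def recommended_item(rec: IncidentRecord) -> str:
    """Gerding statement rule: Item 1.05 only once the incident is determined
    material; any earlier or voluntary disclosure belongs under Item 8.01."""
    return "Item 1.05" if rec.is_material is True else "Item 8.01"


def item_105_deadline(rec: IncidentRecord, holidays: FrozenSet[date] = frozenset()) -> Optional[date]:
    """Filing deadline for a material incident: four business days after the
    materiality determination, plus any Attorney-General-approved delay. The
    same clock applies when an Item 8.01 filer later concludes materiality."""
    if rec.is_material is not True or rec.materiality_determined_on is None:
        return None
    deadline = add_business_days(rec.materiality_determined_on, 4, holidays)
    return deadline + timedelta(days=rec.ag_delay_days)


def may_state_no_material_impact(rec: IncidentRecord) -> bool:
    """Guard against a premature 'no material impact' statement: only allowed
    when every qualitative factor has been assessed and none was flagged."""
    return not unassessed_factors(rec) and not any(rec.assessments.values())


def mark_material(rec: IncidentRecord, on: date) -> IncidentRecord:
    """Record the materiality conclusion; this starts the Item 1.05 clock."""
    rec.is_material = True
    rec.materiality_determined_on = on
    return rec


if __name__ == "__main__":
    # Constructed sample: incident detected on a Monday, voluntarily disclosed
    # under Item 8.01, then determined material the following Friday.
    rec = IncidentRecord(detected_on=date(2024, 3, 4))
    print(recommended_item(rec), item_105_deadline(rec))   # Item 8.01 None
    mark_material(rec, on=date(2024, 3, 8))
    print(recommended_item(rec), item_105_deadline(rec))   # Item 1.05 2024-03-14
```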
Lessons Learned: What Works and What Doesn’t
Don’t: The Mistakes Companies Have Made
1. Filing under Item 1.05 when materiality is unclear
Early filers erred on the side of caution, filing under Item 1.05 even when stating the incident had no material impact. This created investor confusion and invited SEC comment letters.
2. Using generic, boilerplate language
Several enforcement targets used hypothetical “could occur” language about cybersecurity risks even after those exact risks had materialized.
3. Minimizing or downplaying incident severity
The SolarWinds victim cases demonstrate the SEC will pursue companies that use “half-truths” or minimize data exfiltration, credential compromise, or operational impact.
4. Distributing information across multiple platforms
UnitedHealth faced criticism for spreading key details across 8-Ks, press releases, and investor calls rather than providing comprehensive disclosure in a single, central filing.
5. Failing to update as facts develop
Krispy Kreme quantified financial impacts in a 10-K but never amended its original Form 8-K, missing an opportunity to formally update investors.
6. Inadequate disclosure controls
RRD’s settlement highlights that companies need robust processes to escalate security alerts—not just confirmed incidents—to disclosure personnel.
7. Premature “no material impact” statements
Filing within four days often means limited information is available. Companies that affirmatively state “no material impact” early may be forced to amend if the situation evolves.
Do: Best Practices Emerging from Year One
1. Reserve Item 1.05 for truly material incidents
Use Item 8.01 for early voluntary disclosure when materiality has not been determined. This allows transparency while avoiding the suggestion of material impact.
2. Provide iterative, progressive disclosure
Microsoft’s approach of filing initial disclosure and then providing substantive amendments as information becomes available demonstrates good practice—as long as initial filing meets minimum requirements.
3. Quantify impact when possible
While rare, Krispy Kreme’s specific quantification of financial impact provides useful investor information and demonstrates thoughtful analysis.
4. Be specific about affected systems and data
Later filings increasingly included details about which systems were impacted and whether sensitive personal information was involved—providing more meaningful disclosure.
5. Consider the national security exception thoughtfully
AT&T’s use of the DOJ delay provision shows this tool is available for truly sensitive situations, but the bar is high and transparency about using the exception is expected.
6. Maintain privileged documentation
Create contemporaneous, privileged records of materiality determinations (similar to SAB 99 memos for financial errors) to demonstrate reasoned analysis and assist with auditor and SEC inquiries.
7. Disclose qualitative impacts beyond financial metrics
Address reputational harm, customer impacts, vendor relationships, and operational disruptions—not just whether quarterly earnings will be affected.
Looking Ahead: What to Expect in 2026 and Beyond
Regulatory Outlook
Continued but refined enforcement. CETU’s formation signals a move toward fraud-focused actions rather than technical disclosure violations. Companies that make good-faith disclosure efforts will face less risk, but intentional misstatements will draw aggressive prosecution.
Potential guidance on aggregation. The SEC has not yet provided detailed guidance on when a “series of related” incidents collectively become material. Expect clarification as patterns emerge.
Integration with international regimes. The EU’s DORA, NIS2, and UK Cyber Security and Resilience Bill create overlapping disclosure obligations. Companies with international operations should harmonize approaches.
Heightened scrutiny of AI disclosures. CETU’s priority list explicitly includes AI fraud and “AI washing”—making false claims about AI capabilities. Cybersecurity controls around AI systems will draw attention.
Practical Predictions
More Item 8.01 voluntary disclosures. Companies will continue following the May 2024 guidance, with Item 8.01 becoming the standard for early, pre-materiality disclosure.
Fewer amendments finding actual material impact. The pattern from year one suggests most incidents do not ultimately result in confirmed material impact, though companies disclose early out of caution.
Increased board cyber expertise. The trend toward adding cyber-fluent directors will accelerate, driven by both investor expectations and liability concerns.
Convergence with privacy laws. State privacy breach notification laws, FTC requirements, and SEC disclosure obligations will increasingly be managed through integrated processes.
Growing role of cyber insurance. As more companies face disclosure obligations, cyber insurance underwriting will increasingly focus on disclosure controls and board oversight practices.
Conclusion: A Compliance Framework for 2026
As public companies navigate 2026, the cybersecurity disclosure landscape requires:
1. Proactive governance. Boards must move beyond passive oversight to active engagement with cybersecurity as a core business risk. Document everything.
2. Disclosure-ready operations. Build incident response processes that assume eventual public disclosure. Maintain logs, timelines, and impact assessments that can support rapid, accurate 8-K filings.
3. Conservative materiality analysis. Use the full matrix of qualitative and quantitative factors. When in doubt about Item 1.05 vs. 8.01, choose 8.01 and reassess as facts develop.
4. Honest, complete disclosure. The enforcement actions uniformly targeted companies that minimized, downplayed, or used misleading characterizations. Transparency is not just required—it’s protective.
5. Integration across functions. Cybersecurity disclosure is not an IT issue, a legal issue, or a board issue. It requires seamless coordination among technology, security, legal, finance, investor relations, and governance teams.
6. Continuous improvement. Learn from other companies’ 8-K filings, SEC comment letters, and enforcement actions. The expectations are still evolving, and adaptive organizations will fare better.
The message from the first year of enforcement is unequivocal: cybersecurity incidents are inevitable, but disclosure failures are inexcusable. Companies that treat Item 1.05 as a compliance obligation rather than an investor communication tool do so at their peril. Those that embrace transparency, document thoughtful analysis, and maintain active board engagement will be best positioned to navigate the scrutiny that inevitably follows a material cybersecurity incident.
Additional Resources
SEC Resources:
- Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Release Nos. 33-11216; 34-97989)
- Erik Gerding Statement on Cybersecurity Incident Disclosure (May 21, 2024)
- Compliance & Disclosure Interpretations on Cybersecurity
- SEC.gov/corpfin for updated guidance
Form 8-K Filings:
- UnitedHealth: SEC File No. 001-10864
- AT&T: SEC File No. 001-08610
- Microsoft: SEC File No. 000-14278
- Prudential: SEC File No. 001-16707
Enforcement Actions:
- In the Matter of SolarWinds Corp. and Timothy G. Brown (2023-2025)
- In the Matter of Unisys Corporation (October 2024)
- In the Matter of R.R. Donnelley & Sons Company (July 2024)
- In the Matter of Flagstar Bank (December 2024)
Further Reading:
- EY Americas Center for Board Matters: “Cybersecurity Oversight Disclosures: What Companies Shared in 2024”
- Harvard Law School Forum on Corporate Governance: Caremark claims in cybersecurity context
- NACD: Board oversight of cybersecurity resources
This article reflects developments through November 2025. For the latest updates, visit ComplianceHub.wiki or consult with experienced securities and cybersecurity counsel.