SEC 2023 cyber-disclosure rule
SEC rule requiring listed companies to disclose material cyber incidents within four business days, effective December 2023.
Last refreshed: 20 May 2026
Is the four-day SEC materiality clock now shorter in practice than the UK's proposed 24-hour notification?
Mentioned in: West Pharma SEC 8-K on ransomware halt
Cybersecurity: Threats and Defences
- What does the SEC 2023 cybersecurity rule require?
- Listed companies must file a Form 8-K within four business days of determining a cyber incident is material, and include annual cybersecurity risk and governance disclosures in Form 10-K. The rule has been in effect since December 2023. Source: SEC
- How did West Pharmaceutical Services trigger the SEC cyber disclosure rule?
- West Pharma filed a Form 8-K on 7 May 2026, three business days after detecting a cyberattack that encrypted systems globally and halted operations. The board determined the disruption was material to investors before any ransomware group claimed responsibility. Source: SEC EDGAR
- Can a company be required to disclose a cyberattack even if they have not identified the attackers?
- Yes. Under the SEC 2023 rule, materiality is determined by impact on the company, not by attribution. West Pharma and Stryker both filed 8-Ks with no group attribution at filing.
- How does the SEC cyber disclosure rule compare to the UK Cyber Security and Resilience Bill?
- The SEC rule requires a four-business-day filing window once materiality is determined, focused on investor disclosure. The UK CS&R Bill proposes 24-hour initial notification to regulators, focused on incident response. They serve different purposes with different timelines and addressees.
Background
The SEC 2023 cybersecurity disclosure rule, adopted by the Securities and Exchange Commission in July 2023 and effective from December 2023, added Item 1.05 to Form 8-K, requiring all NYSE- and Nasdaq-listed companies to disclose material cybersecurity incidents within four business days of determining the incident is material. The rule also introduced an annual disclosure requirement (Form 10-K Item 1C) for material risks and governance processes around cybersecurity. The four-day materiality clock starts from the internal determination of materiality, not from incident discovery or public disclosure by a threat actor.
The rule was tested in rapid succession in 2026. West Pharmaceutical Services filed a Form 8-K on 7 May 2026, three business days after detecting a cybersecurity incident on 4 May that encrypted systems globally and halted manufacturing and shipping operations. Stryker filed an 8-K/A (amended) in April 2026 for its Handala-related incident. Both filings were made before any ransomware group had claimed responsibility, establishing that the SEC materiality threshold is met by operational disruption severe enough to move the quarter, regardless of public extortion activity or attribution. That is a significant interpretation: prior market practice assumed a ransom claim or public leak was necessary to trigger material-event treatment.
The SEC's 2023 rule is now running in parallel with the UK's Cyber Security and Resilience Bill (at Commons Report Stage from 2 March 2026) and the EU's NIS2 Directive (in force since October 2024), creating a three-jurisdiction disclosure framework. US-listed companies with UK or EU operations face overlapping but non-identical notification timelines and materiality standards, and the West Pharma filing is the clearest current example of the SEC clock moving fastest.