Securities and Exchange Commission
Organisation · US

US federal regulator requiring listed companies to disclose material cybersecurity incidents within four business days.

Last refreshed: 17 April 2026 · Appears in 1 active topic

Key Question

Does a credential-only attack with no malware trigger SEC disclosure rules?

Timeline for Securities and Exchange Commission

#117 Apr

Received Stryker 8-K/A material cybersecurity incident disclosure

Cybersecurity: Threats and Defences: Stryker SEC filing marks cyber milestone
Common Questions
Did Stryker have to file an SEC report about the cyberattack?
Yes. Stryker filed an SEC Form 8-K/A on 10 April 2026 disclosing the Handala MDM wipe as a material cybersecurity incident under the SEC's December 2023 cyber-disclosure rules. Source: SEC / Stryker filing
What are the SEC rules on disclosing cyber attacks?
Under SEC rules adopted in December 2023, publicly listed US companies must disclose material cybersecurity incidents via Form 8-K within four business days. Materiality turns on whether a reasonable investor would consider the information significant. Source: SEC
Is the SEC cutting cybersecurity enforcement under Trump?
The Trump FY27 budget proposes significant cuts to federal agencies; the SEC's own enforcement capacity under those proposals has not been separately quantified in this update. Source: Lowdown analysis

Background

Stryker Corporation filed an SEC Form 8-K/A on 10 April 2026 disclosing the Handala MDM wipe as a material cybersecurity incident, stating that Q1 2026 earnings would be impacted while full-year guidance held. The filing is the first high-profile 8-K/A in which the attack vector was credential-only with no malware deployed, establishing a precedent for how the SEC's December 2023 cyber-disclosure rules apply to identity-plane attacks.

The SEC's cyber-incident disclosure rules, adopted in December 2023, require publicly listed companies to report material cybersecurity incidents via Form 8-K within four business days. Materiality is not defined by technical severity but by whether a reasonable investor would consider the incident significant. Stryker's 8-K/A is the reference case for an incident that meets materiality despite being credential-only and lacking any code execution or data encryption.

The SEC's enforcement posture on cyber disclosures has been tested most publicly by the SolarWinds case, where the Commission brought charges against the company and its CISO over alleged inadequate disclosure. Whether the agency's own budget under the Trump FY27 proposal leaves it with the capacity to pursue further enforcement actions remains an open question.