Skip to content
You can now search across every topic, entity and event.What's new
Securities and Exchange Commission
OrganisationUS

Securities and Exchange Commission

US federal regulator requiring public companies to disclose material risks: cyber incidents, AI-driven layoffs, financial results.

Last refreshed: 1 July 2026 · Appears in 3 active topics

Key Question

Does a credential-only attack with no malware trigger SEC disclosure rules?

Timeline for Securities and Exchange Commission

#1428 Jun

Received AeroVironment's restatement disclosure via Form 8-K.

Drones: Industry & Defence: AeroVironment books record and a caveat
#925 Jun

Mentioned in: Alabama bank files a live-breach 8-K

Cybersecurity: Threats and Defences
#1522 Jun

Required the Form 10-K disclosure in which Oracle named AI as a workforce factor

AI: Jobs, Power & Money: Oracle's 10-K names AI as a driver
View full timeline →
Common Questions
Did Stryker have to file an SEC report about the cyberattack?
Yes. Stryker filed an SEC Form 8-K/A on 10 April 2026 disclosing the Handala MDM wipe as a material cybersecurity incident under the SEC's December 2023 cyber-disclosure rules.Source: SEC / Stryker filing
What are the SEC rules on disclosing cyber attacks?
Under SEC rules adopted in December 2023, publicly listed US companies must disclose material cybersecurity incidents via Form 8-K within four business days. Materiality turns on whether a reasonable investor would consider The Information significant.Source: SEC
Is the SEC cutting cybersecurity enforcement under Trump?
The Trump FY27 budget proposes significant cuts to federal agencies; the SEC's own enforcement capacity under those proposals has not been separately quantified in this update.Source: Lowdown analysis

Background

The Securities and Exchange Commission is the US federal regulator responsible for enforcing securities law, protecting investors, and requiring publicly listed companies to disclose material information through mandatory filings such as the annual Form 10-K and the event-driven Form 8-K. Established in 1934 in the aftermath of the 1929 crash, its REMIT spans corporate disclosure, market oversight, and enforcement against fraud.

Stryker Corporation filed an SEC Form 8-K/A on 10 April 2026 disclosing the Handala MDM wipe as a material cybersecurity incident, stating that Q1 2026 earnings would be impacted while full-year guidance held. The filing is the first high-profile 8-K/A in which the attack vector was credential-only with no malware deployed, establishing a precedent for how the SEC's December 2023 cyber-disclosure rules apply to identity-plane attacks.

The SEC's cyber-incident disclosure rules, adopted in December 2023, require publicly listed companies to report material cybersecurity incidents via Form 8-K within four business days. Materiality is not defined by technical severity but by whether a reasonable investor would consider the incident significant. Stryker's 8-K/A is the reference case for an incident that meets materiality despite being credential-only and lacking any code execution or data encryption.

The SEC's enforcement posture on cyber disclosures has been tested most publicly by the SolarWinds case, where the Commission brought charges against the company and its CISO over alleged inadequate disclosure. Whether the agency's own budget under the Trump FY27 proposal leaves it with the capacity to pursue further enforcement actions remains an open question.

Oracle's FY26 Form 10-K, filed with the SEC on 22 June 2026, named AI adoption as a factor behind a 21,000-role cut (from 162,000 to 141,000 employees) and disclosed severance and exit costs rising from $374 million to $1.84 billion. The filing extends the SEC's disclosure regime, previously tested on cybersecurity incidents such as Stryker's, into AI-driven workforce restructuring: material headcount and cost changes attributed to AI adoption must now appear in the same mandatory filings as cyber incidents and financial results.

More questions
Does the SEC require companies to disclose AI use?
Not directly. The SEC's December 2023 cyber-disclosure rules require material cybersecurity incidents to be disclosed via Form 8-K within four business days. Separately, companies must disclose material risks in filings, which increasingly includes AI-related operational and reputational risks.Source: SEC
What is the SEC EDGAR database used for?
EDGAR (Electronic Data Gathering, Analysis, and Retrieval) is the SEC's public filing system where US-listed companies file mandatory disclosures including annual reports (10-K), quarterly reports (10-Q), and material event reports (8-K and 8-K/A).Source: SEC
Did Oracle have to tell the SEC about its AI-related layoffs?
Yes. Oracle's FY26 Form 10-K, filed with the SEC on 22 June 2026, named AI adoption as a factor behind a 21,000-role workforce cut and a rise in severance costs from $374 million to $1.84 billion.Source: Oracle FY26 Form 10-K