How-to guide

How to use the Cyber Incident Materiality Test

A breach happened: is it material, and does it trigger an 8-K? This tool helps you decide. Here's how, with three scenarios.

The SEC's cyber rules require an Item 1.05 8-K within four business days of determining an incident is material. This tool helps you make and document that materiality call.

What this tool does

You describe the incident's operational, financial, legal, and reputational impact; it structures a materiality assessment and flags the Item 1.05 timing.

Who it's for

CISOs, GCs, and CFOs who need a defensible, documented materiality determination when an incident hits.

How to use it — step by step

  1. Describe the incident. Systems affected, data involved, operational impact.
  2. Assess impact dimensions. Financial, operational, legal/regulatory, reputational — quantitative and qualitative.
  3. Read the materiality signal. Whether this looks material, and the Item 1.05 four-business-day clock.
  4. Document the determination. When you decided and why — the clock runs from the determination.

How to read your result

Materiality includes qualitative factors, not just dollars. The key discipline is documenting when you determined materiality — that date starts the four-business-day clock.

Worked examples

The same tool behaves differently depending on what you put in. Here are 3 situations.

Ransomware, operations down

Inputs: Core systems offline for days.

What the tool shows: Points strongly to material — operational disruption plus likely financial and reputational impact.

What to do: Prepare the 1.05 disclosure; document your determination date.

Minor data exposure

Inputs: A small, contained leak, no ops impact.

What the tool shows: May be immaterial — but requires a documented qualitative assessment, not a shrug.

What to do: Document why you concluded it wasn't material.

Incident at a key vendor

Inputs: Third-party breach touching your data.

What the tool shows: Flags that third-party incidents can still be material to you.

What to do: Assess your exposure; don't assume a vendor breach is out of scope.

Common questions

What's the deadline? Within four business days of determining the incident is material — not of the incident itself.

Do immaterial incidents need an 8-K? No, but document the materiality assessment either way.

Does this replace counsel? No — cyber disclosure is high-stakes; verify with counsel.

Verify with a professional — this is not advice. This tool is a structured starting point, not legal, accounting, or audit advice, and Unfolding Values is not your auditor. It can't see facts you don't enter. Confirm every conclusion with your auditor and SEC counsel before you act or file.