The SEC's cyber rules require an Item 1.05 8-K within four business days of determining an incident is material. This tool helps you make and document that materiality call.
What this tool does
You describe the incident's operational, financial, legal, and reputational impact; it structures a materiality assessment and flags the Item 1.05 timing.
Who it's for
CISOs, GCs, and CFOs who need a defensible, documented materiality determination when an incident hits.
How to use it — step by step
- Describe the incident. Systems affected, data involved, operational impact.
- Assess impact dimensions. Financial, operational, legal/regulatory, reputational — quantitative and qualitative.
- Read the materiality signal. Whether this looks material and the 1.05 four-business-day clock.
- Document the determination. When you decided and why — the clock runs from the determination.
How to read your result
Materiality includes qualitative factors, not just dollars. The key discipline is documenting when you determined materiality — that date starts the four-business-day clock.
Worked examples
The same tool behaves differently depending on what you put in. Here are 3 situations.
Ransomware, operations down
Inputs: Core systems offline for days.
What the tool shows: Points strongly to material — operational disruption plus likely financial and reputational impact.
What to do: Prepare the 1.05 disclosure; document your determination date.
Minor data exposure
Inputs: A small, contained leak, no ops impact.
What the tool shows: May be immaterial — but requires a documented qualitative assessment, not a shrug.
What to do: Document why you concluded it wasn't material.
Incident at a key vendor
Inputs: Third-party breach touching your data.
What the tool shows: Flags that third-party incidents can still be material to you.
What to do: Assess your exposure; don't assume a vendor breach is out of scope.
Common questions
What's the deadline? Within four business days of determining the incident is material — not of the incident itself.
Do immaterial incidents need an 8-K? No, but document the materiality assessment either way.
Does this replace counsel? No — cyber disclosure is high-stakes; verify with counsel.