Since the SEC's final cybersecurity rules took effect in December 2023, public companies filed more than 85 material incident disclosures under Item 1.05 of Form 8-K. The regulatory clock now runs four business days from materiality determination to public filing. What emerged in year one is not a flood, but a pattern: healthcare, financial services, and technology firms account for roughly 70% of reported events, and the median disclosure runs under 300 words.
The filings themselves split into three categories. Ransomware events, often coded as "unauthorized access to certain systems," dominate the healthcare sector. Data exfiltration tied to third-party vendors concentrates in financials. Software supply chain compromises appear in technology and industrials, typically disclosed after the vendor announces its own breach. Most companies describe immediate containment, engagement of external forensic firms, and notification of law enforcement. Few quantify financial impact at the time of filing, citing ongoing investigation. The SEC permits delay only when the U.S. Attorney General certifies substantial national security or public safety risk—invoked zero times in the public record to date.
For allocators, the disclosure quality varies enough to matter. Stronger filings name the attack vector, specify affected data types, and provide a timeline from detection to containment. Weaker filings rely on boilerplate: "We take cybersecurity seriously" and "We maintain robust controls." The language gap correlates with subsequent stock price volatility. Companies disclosing within 48 hours of materiality determination saw median single-day declines of 1.2%. Those waiting until day four saw 3.1%. The market prices delay as control failure.
The rules also introduced annual cybersecurity governance disclosures on Form 10-K, effective for fiscal years ending on or after December 15, 2023. Public companies must now describe board oversight, management's role, and processes for assessing and managing cyber risk. Early 10-K filings reveal wide variance: some boards receive quarterly briefings from CISOs with quantified risk metrics, others describe "periodic updates as needed." The discrepancy suggests boards at smaller-cap firms treat cyber as compliance theater rather than enterprise risk. Family offices holding concentrated positions in sub-$5B market cap names should request the board's actual cyber briefing deck during diligence.
Operators should track three near-term developments. First, the SEC's Division of Enforcement opened at least six investigations into delayed or incomplete 8-K filings in year one, per public enforcement data. Expect settlements by mid-2025 that clarify what "material" means in practice. Second, insurance carriers now request copies of prior 8-K cyber filings during D&O renewal underwriting, tightening the link between disclosure quality and premium cost. Third, plaintiff firms filed securities class actions tied to 12 of the year-one cyber disclosures, alleging the company knew or should have known of control deficiencies earlier. The litigation risk shifts how general counsel time the materiality call.
The pattern that matters most is this: median time from initial compromise to company detection remains 21 days across disclosed incidents. The SEC's four-day disclosure window compresses response time but does nothing to shorten dwell time. Boards that treat the 8-K filing as the risk are missing the operational gap. The next wave of material incidents will come from AI tooling deployed without logging, third-party SaaS integrations approved by business units, and legacy OT systems never designed for internet exposure. None of those risks appear in current 10-K governance narratives, which means the market has not priced them yet.
The takeaway
**85+** material cyber incidents disclosed in year one; delay past 48 hours correlates with **3.1%** median single-day decline versus **1.2%** for prompt filers.
Open a Brand101 Brand Room — the standard in corporate identity. Or shop the full 70K catalog and virtually proof any product right now. Or talk to Celeste for the fast quote. Or route through the named-account desk.
Two hundred brands. Eight months in hand. $0.003 per impression.
The branded-identity layer Chiefs of Staff and heritage CMOs route through. Already imprinting for Nike, YETI, Patagonia, Thule, Stanley, Moleskine, and one hundred and ninety-five more. Five intelligence desks on the morning reading list of the operators who sign the invoices.
$0.003per impression · vs Meta 0.007 CPM
8 monthsretention in hand · vs Meta 0.8 seconds
200brands you already own · Nike · YETI · Patagonia
Twenty-four AI workers. Seven hundred branded videos live. 24/7.
Celeste and Sora hold conversations. Cleo renders twenty videos per run. Vivienne distributes them across LinkedIn, X, Bluesky, Substack. The MCP catalog routes AI agents straight into the quote flow. The House runs on its own AI stack — two dozen workers operating continuously.
Seventy thousand products. Two hundred brands. One press room.
Own facilities in Virginia Beach. Short-run from twenty-five units, volume to five hundred thousand. Two hundred authorized national brands, seventy thousand SKUs with virtual proofing on every one. Art archived for reorders. Net-thirty corporate terms, NDA-standard white-label.
Full-service agency. AI-native. Five desks in-house.
Huang Goodman: strategy, positioning, identity, creative, messaging, AI-system integration. Media operations across LinkedIn, X, Bluesky, Substack, ChatGPT. For principals building the operating layer their household and portfolio run on.
A single point of contact. Quiet delivery. The file stays on the desk between engagements. Programs for single-family offices, heritage-house CMOs, sports-team ownership groups, and the agencies that route through us for production.
SFO · Chief of Staff desk. Principal household, properties, aircraft, yacht, calendar, philanthropy — one file.
Shop seventy thousand products. Virtual proof on every one. 24/7.
Drop your logo on any product and see the virtual proof before asking. Quote routes direct to the desk. MCP catalog for AI agents. Celeste for the fast conversation. Full self-service checkout in development.