TL;DR (for devs & eng leaders)
- Item 1.05 of Form 8-K: disclose material cyber incidents within four business days of the materiality determination (nature, scope, timing, and impact).
- Item 1C of Form 10-K: disclose cyber risk management, strategy, and governance (how you run the program, who oversees it).
- The first wave of filings spans ransomware, third-party/vendor compromises, and cloud/service outages.
- Your engineering evidence (logging, diagrams, RTO/RPO, RCA notes) increasingly feeds investor-facing disclosures—treat it like code you ship.
Quick refresher: the rule (plain English)
- What triggers an 8-K? A material cyber incident. As soon as the company decides it’s material, a four-business-day timer starts for an 8-K under Item 1.05.
- What goes in 10-K? Your program: processes for identifying and managing cyber risk, how the board/management oversees it, and how incidents inform strategy.
- Third-party incidents count. If a vendor or cloud partner causes material impact to you, it’s still your disclosure problem.
First wave patterns we’re seeing
- Ransomware with operational impact
- Common signals of “material”: service downtime, transaction failures, customer safety/health impact, or outsized recovery cost.
- Vendor/third-party breaches
- Credential stuffing or token theft against a SaaS, misconfigured cloud workspaces, or exposed data lakes. Expect shared forensics and contractual friction over timelines.
- Cloud/software outages
- Critical agent or update gone wrong? Many issuers describe operational fallout and mitigations, sometimes under “Other Events” when not deemed material as a cybersecurity incident. Your call will hinge on impact and facts.
Why engineering leaders should care
- Board-grade telemetry: Your logs, incident fields, severity math, and blast-radius estimates now travel upstream into investor disclosures.
- Fewer “we’ll get back to you” moments: Legal, IR, and Security need defensible timelines and plain-language impact—that comes from engineering evidence, not recollection.
- Discoverability: Disclosures are easy to search and compare; your program maturity will be read across peers.
- Liability + reputation: Consistency between what you do (controls) and what you say (filings, site, marketing) matters.
Action items for 2025: playbooks, logs, war-gaming
1) Pre-wire the 8-K playbook
- Materiality rubric: define impact thresholds (revenue at risk, SLA breaches, safety/regulatory exposure).
- Timeboxes: T0 (first detection), T+N (materiality decision), T+4BD (8-K file).
- Tracks: Forensics, Customer comms, Regulatory, Vendor, IR/Legal.
- Delay lane: Prepare a DOJ delay request path in case national security/public safety criteria could apply (handled by counsel).
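The timeboxes above only work if everyone computes them the same way, so here is an added example (not code from the original post) that turns T0, T+N and T+4BD into a computed timeline. The clock starts at the materiality decision, not at first detection, and "business day" here means weekdays minus a holiday list; the holiday calendar and the ISO-8601 inputs are assumptions you replace with your own.

```python
# Added example (not from the original post): compute the playbook timeboxes
# T0 (first detection), T+N (materiality decision) and T+4BD (8-K filing
# deadline). The four-business-day clock starts at the materiality decision.
from datetime import date, datetime, timedelta

# Constructed sample holiday calendar (assumption: substitute your own list)
HOLIDAYS = {date(2025, 9, 1)}


def _parse_utc(text):
    # Accepts the "2025-09-12T04:13:22Z" form used in the incident log
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def add_business_days(start, n, holidays=HOLIDAYS):
    """Return the date n business days after start, skipping weekends and holidays."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


def filing_timeline(first_seen_utc, materiality_decision_utc):
    """Map the incident log timestamps to the playbook timeboxes."""
    t0 = _parse_utc(first_seen_utc)
    tn = _parse_utc(materiality_decision_utc)
    if tn < t0:
        raise ValueError("materiality decision cannot precede first detection")
    deadline = add_business_days(tn.date(), 4)
    return {
        "T0_first_detection": t0.date().isoformat(),
        "T+N_materiality_decision": tn.date().isoformat(),
        "days_to_decide": (tn.date() - t0.date()).days,
        "T+4BD_8k_deadline": deadline.isoformat(),
    }


if __name__ == "__main__":
    # Constructed sample: detected on a Wednesday, deemed material on the Friday
    print(filing_timeline("2025-08-27T04:13:22Z", "2025-08-29T18:00:00Z"))
```

Note that a Friday decision with a Monday holiday pushes the deadline to the following Friday; recording `days_to_decide` alongside the deadline also gives Legal the "how long did materiality take" number they will be asked for.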
2) Make disclosure-ready logs (drop-in schema)
Developers can make filing-friendly events by logging what Legal/IR need without over-sharing secrets.
{
  "incident_id": "INC-2025-0912",
  "first_seen_utc": "2025-09-12T04:13:22Z",
  "detected_by": "siem_rule:risky_token_use",
  "vector": "stolen_credentials",
  "threat_type": "ransomware",
  "systems_impacted": ["payments-api", "orders-worker"],
  "data_types_at_risk": ["pii", "billing_metadata"],
  "scope_accounts": 342,
  "service_impact": "checkout timeouts, delayed order sync",
  "mitigations": ["isolation", "credential_rotation", "golden_image_redeploy"],
  "materiality_signals": ["sustained downtime", "regulatory_notification_threshold"],
  "financial_impact_usd_estimate": 0,
  "status": "containment_in_progress"
}
DEV tip: Keep public-safe summaries in a parallel field set (no secret IDS rule names or exploit PoCs), so you’re never copy-pasting sensitive breadcrumbs into external disclosures.
3) Cross-team war-gaming (90-minute tabletop)
- Inject #1 (Vendor auth issue): Stolen OAuth token in your CRM causes data export. Decide: Item 1.05 vs Item 8.01 (Other Events)? Draft the four required elements (nature, scope, timing, impact) in 15 minutes.
- Inject #2 (Update gone wrong): Agent update bricks Windows endpoints in two regions. Stakeholder map, rollback timer, customer comms, and filing language.
- Inject #3 (Ransomware lateral movement): Elevation detected in backup network—choose isolation vs continuity; pre-draft 8-K bullets while IR handles customers.
4) Governance evidence for 10-K Item 1C
- Map your program to three headers in your doc repo: Risk Management, Strategy, Oversight.
- Keep a living registry: top risks, owners, mitigations, test cadence, metrics (MTTD/MTTR, control coverage, backup restore SLOs).
- Use exec-readable diagrams (zero-trust segments, crown-jewel data flows) so the narrative stays accurate.
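As an added example (not the post's own code), the registry below derives two of the metrics named above, MTTD and MTTR, from incident records and flags controls whose test cadence has lapsed. The incident and control entries are constructed sample data; the field names (`compromise_utc`, `detected_utc`, `recovered_utc`, `cadence_days`) are assumptions, not a standard.

```python
# Added example (not from the original post): a minimal living registry that
# computes MTTD/MTTR and control-test cadence from engineering evidence, so the
# 10-K Item 1C narrative is backed by numbers rather than recollection.
from datetime import date, datetime, timedelta
from statistics import mean


def _parse_utc(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


# Constructed incident records (assumption: forensics supplies compromise time,
# the SIEM supplies detection time, the RCA supplies recovery time)
INCIDENTS = [
    {"id": "INC-A", "compromise_utc": "2025-03-01T00:00:00Z",
     "detected_utc": "2025-03-01T06:00:00Z", "recovered_utc": "2025-03-02T06:00:00Z"},
    {"id": "INC-B", "compromise_utc": "2025-05-10T12:00:00Z",
     "detected_utc": "2025-05-11T00:00:00Z", "recovered_utc": "2025-05-11T12:00:00Z"},
]

# Constructed control registry: owner, required test cadence, last evidence date
CONTROLS = [
    {"control": "backup_restore_test", "owner": "platform-eng", "cadence_days": 90, "last_tested": "2025-06-01"},
    {"control": "ir_tabletop", "owner": "security", "cadence_days": 180, "last_tested": "2025-08-01"},
    {"control": "privileged_access_review", "owner": "iam", "cadence_days": 30, "last_tested": "2025-08-20"},
]


def _hours(later, earlier):
    return (_parse_utc(later) - _parse_utc(earlier)).total_seconds() / 3600


def mttd_hours(incidents):
    """Mean time to detect: compromise -> detection."""
    return mean(_hours(i["detected_utc"], i["compromise_utc"]) for i in incidents)


def mttr_hours(incidents):
    """Mean time to recover: detection -> service restored."""
    return mean(_hours(i["recovered_utc"], i["detected_utc"]) for i in incidents)


def overdue_controls(controls, today):
    """Controls whose last test plus cadence is already in the past."""
    as_of = date.fromisoformat(today)
    return [c["control"] for c in controls
            if date.fromisoformat(c["last_tested"]) + timedelta(days=c["cadence_days"]) < as_of]


def registry_snapshot(incidents, controls, today):
    """The exec-readable numbers: metrics plus the list of lapsed controls."""
    return {
        "as_of": today,
        "incident_count": len(incidents),
        "mttd_hours": mttd_hours(incidents),
        "mttr_hours": mttr_hours(incidents),
        "overdue_controls": overdue_controls(controls, today),
    }


if __name__ == "__main__":
    print(registry_snapshot(INCIDENTS, CONTROLS, "2025-09-12"))
```

Run it on a schedule and diff the snapshot into the doc repo next to the Risk Management, Strategy and Oversight headers; an overdue control that appears there is exactly the kind of gap between "what you do" and "what you say" the post warns about.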
Quick wins with Pentest Testing Corp.
- Get a fast baseline with our Free Website Vulnerability Scanner.
- Turn findings into board-ready plans: Risk Assessment Services and Remediation Services.
- Learn continuously from our Blog and main site Pentest Testing.
- Prefer a partner brand? See Cyber Rely.
DEV add-ons (copy/paste friendly)
Minimal “public-safe” incident summary generator (Python)
def public_safe_summary(incident):
    # Map the four Item 1.05 elements (nature, scope, timing, impact) onto
    # log fields that are safe to share externally; no rule names or IOCs.
    fields = [
        ("Nature", incident.get("threat_type")),
        ("Scope", f"{incident.get('scope_accounts', 0)} accounts; systems: {', '.join(incident.get('systems_impacted', []))}"),
        ("Timing", f"First seen {incident.get('first_seen_utc')} UTC"),
        ("Impact", incident.get("service_impact")),
    ]
    # Drop elements that have no value yet (e.g. threat_type not confirmed)
    lines = [f"{k}: {v}" for k, v in fields if v]
    return " ; ".join(lines)


sample = {
    "threat_type": "ransomware",
    "scope_accounts": 342,
    "systems_impacted": ["payments-api", "orders-worker"],
    "first_seen_utc": "2025-09-12T04:13:22Z",
    "service_impact": "checkout timeouts, delayed order sync",
}
print(public_safe_summary(sample))
“Disclosure-ready” log field validator (JSON Schema)
{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "title": "DisclosureReadyIncident",
  "type": "object",
  "required": ["incident_id", "first_seen_utc", "systems_impacted", "service_impact", "status"],
  "properties": {
    "incident_id": {"type": "string"},
    "first_seen_utc": {"type": "string", "format": "date-time"},
    "vector": {"type": "string"},
    "threat_type": {"type": "string"},
    "systems_impacted": {"type": "array", "items": {"type": "string"}},
    "data_types_at_risk": {"type": "array", "items": {"type": "string"}},
    "scope_accounts": {"type": "integer", "minimum": 0},
    "service_impact": {"type": "string"},
    "mitigations": {"type": "array", "items": {"type": "string"}},
    "materiality_signals": {"type": "array", "items": {"type": "string"}},
    "financial_impact_usd_estimate": {"type": "number", "minimum": 0},
    "status": {"type": "string", "enum": ["triage", "containment_in_progress", "eradication", "recovery", "lessons_learned"]}
  }
}
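The schema is only useful if something enforces it at log-write time. Below is an added example (not code from the original post) of a dependency-free validator for the subset of JSON Schema the schema above uses: required fields, types, array item types, `minimum`, `enum` and the `date-time` format. It also returns warnings for fields outside the schema, which ties back to the DEV tip about keeping internal fields such as detection rule names out of the disclosure record. The sample incident is the one from the "drop-in schema" section; the broken record is constructed. If you have the third-party `jsonschema` package installed, `jsonschema.validate(instance=incident, schema=SCHEMA)` does the same checks.

```python
# Added example (not from the original post): validate incident records against
# the DisclosureReadyIncident schema without any third-party dependency.
from datetime import datetime

# Copy of the post's JSON Schema, as a Python dict
SCHEMA = {
    "$schema": "https://json-schema.org/draft/2020-12/schema",
    "title": "DisclosureReadyIncident",
    "type": "object",
    "required": ["incident_id", "first_seen_utc", "systems_impacted", "service_impact", "status"],
    "properties": {
        "incident_id": {"type": "string"},
        "first_seen_utc": {"type": "string", "format": "date-time"},
        "vector": {"type": "string"},
        "threat_type": {"type": "string"},
        "systems_impacted": {"type": "array", "items": {"type": "string"}},
        "data_types_at_risk": {"type": "array", "items": {"type": "string"}},
        "scope_accounts": {"type": "integer", "minimum": 0},
        "service_impact": {"type": "string"},
        "mitigations": {"type": "array", "items": {"type": "string"}},
        "materiality_signals": {"type": "array", "items": {"type": "string"}},
        "financial_impact_usd_estimate": {"type": "number", "minimum": 0},
        "status": {"type": "string",
                   "enum": ["triage", "containment_in_progress", "eradication", "recovery", "lessons_learned"]},
    },
}

_SIMPLE_TYPES = {"string": str, "array": list, "object": dict, "boolean": bool}


def _type_ok(value, expected):
    """JSON Schema type check; bool is not an integer/number, as in JSON Schema."""
    if isinstance(value, bool):
        return expected == "boolean"
    if expected == "integer":
        return isinstance(value, int)
    if expected == "number":
        return isinstance(value, (int, float))
    return isinstance(value, _SIMPLE_TYPES[expected])


def _is_datetime(text):
    try:
        datetime.fromisoformat(text.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def validate_incident(incident, schema=SCHEMA):
    """Return (errors, warnings): errors fail the record, warnings flag fields
    that are not part of the disclosure-ready set and should stay internal."""
    errors, warnings = [], []
    props = schema["properties"]
    for key in schema["required"]:
        if key not in incident:
            errors.append(f"{key}: required field missing")
    for key, value in incident.items():
        rule = props.get(key)
        if rule is None:
            warnings.append(f"{key}: not in the disclosure-ready schema; keep it internal-only")
            continue
        if not _type_ok(value, rule["type"]):
            errors.append(f"{key}: expected {rule['type']}")
            continue
        if rule["type"] == "array":
            item_type = rule["items"]["type"]
            if any(not _type_ok(item, item_type) for item in value):
                errors.append(f"{key}: every item must be {item_type}")
        if "minimum" in rule and value < rule["minimum"]:
            errors.append(f"{key}: must be >= {rule['minimum']}")
        if "enum" in rule and value not in rule["enum"]:
            errors.append(f"{key}: must be one of {rule['enum']}")
        if rule.get("format") == "date-time" and not _is_datetime(value):
            errors.append(f"{key}: not an RFC 3339 date-time")
    return errors, warnings


# The post's sample incident record; note the internal SIEM rule name
SAMPLE_INCIDENT = {
    "incident_id": "INC-2025-0912",
    "first_seen_utc": "2025-09-12T04:13:22Z",
    "detected_by": "siem_rule:risky_token_use",
    "vector": "stolen_credentials",
    "threat_type": "ransomware",
    "systems_impacted": ["payments-api", "orders-worker"],
    "data_types_at_risk": ["pii", "billing_metadata"],
    "scope_accounts": 342,
    "service_impact": "checkout timeouts, delayed order sync",
    "mitigations": ["isolation", "credential_rotation", "golden_image_redeploy"],
    "materiality_signals": ["sustained downtime", "regulatory_notification_threshold"],
    "financial_impact_usd_estimate": 0,
    "status": "containment_in_progress",
}

# Constructed broken record: bad timestamp, negative count, unknown status, missing impact
BAD_INCIDENT = {
    "incident_id": "INC-TEST",
    "first_seen_utc": "yesterday",
    "systems_impacted": ["payments-api"],
    "scope_accounts": -1,
    "status": "contained",
}

if __name__ == "__main__":
    print(validate_incident(SAMPLE_INCIDENT))
    print(validate_incident(BAD_INCIDENT))
```

The post's own sample passes every check but draws a warning for `detected_by`, because the schema deliberately has no slot for detection rule names; wire the warning list into the same pipeline that builds the public-safe summary and the sensitive breadcrumb never reaches a filing.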