A Form 8-K is the current report a public company files with the U.S. Securities and Exchange Commission to disclose specified major events between its scheduled quarterly and annual reports. Where the 10-K is annual and the 10-Q is quarterly, the 8-K is event-driven: it exists to put material developments in front of investors quickly rather than waiting for the next periodic report. Each disclosable event is filed under a numbered Item, and Item 1.05 is the line reserved for a material cybersecurity incident.

The SEC adopted Item 1.05 in its July 2023 cybersecurity disclosure rules. The Form 8-K instructions state the trigger and the substance the registrant must provide.

"If the registrant experiences a cybersecurity incident that is determined by the registrant to be material, describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations."— SEC, Form 8-K (Item 1.05 Material Cybersecurity Incidents), source

Two features of the Item are precise. First, the obligation attaches to a determination of materiality, not to the date of the incident itself: the Form's general instruction directs that a report under Item 1.05 is to be filed within four business days after the registrant determines that it has experienced a material cybersecurity incident. Second, the Item permits a delay where the United States Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission in writing. The companion rule, Item 106 of Regulation S-K (17 CFR 229.106), defines a cybersecurity incident as an unauthorized occurrence on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of those systems or any information residing in them.

How Item 1.05 reads in a real filing

The June 2025 wave of 8-Ks shows the Item in use. United Natural Foods, Inc. (NYSE: UNFI) filed a Form 8-K dated June 2025 disclosing under Item 1.05 that it had identified unauthorized activity on certain information technology systems and had begun taking systems offline. The filing describes the nature of the event and the steps taken in the language the Item calls for, and it sits alongside the issuer's other current reports in EDGAR. Because the Item turns on the registrant's own materiality determination, a single intrusion can produce a first 8-K describing the incident and later amendments as the company learns more about scope and impact.

Item 1.05 also draws a boundary the rule text is careful about. The SEC's adopting release distinguished disclosure of an incident's material impact from disclosure of technical detail that could impede a company's response or remediation; the Item asks for the material aspects of nature, scope, and timing and the material impact, not a forensic playbook. That is why many Item 1.05 reports are short and refer to ongoing investigation rather than reciting system architecture.

Reading an 8-K beyond Item 1.05

The same form carries the rest of the company's event disclosures under their own Items: Item 1.01 for entry into a material definitive agreement, Item 2.02 for results of operations and financial condition, Item 5.02 for departures or appointments of directors and officers, and Item 7.01 for Regulation FD disclosure. The Form 8-K instructions note that information furnished under Item 2.02 or Item 7.01 is not deemed filed for purposes of Section 18 of the Exchange Act unless the registrant specifically states otherwise, a distinction that affects liability exposure for that information. For a reader, the Item number on the cover of an 8-K is the fastest signal of what the company is disclosing, and Item 1.05 is the one that signals a cybersecurity event the company has determined to be material.

It helps to place Item 1.05 inside the architecture of the Form 8-K. The form's General Instruction B.1 sets the default deadline for most Items at four business days after the triggering event, and the cybersecurity Item adopts the same four-day rhythm — but keys it to the materiality determination rather than to the intrusion. The SEC drew that line deliberately in its adopting release: a company is not required to disclose the moment it detects suspicious activity, but rather once it has determined, without unreasonable delay, that an incident is material. The clock starts at the judgment, not the alarm. That design lets a company investigate before it speaks, while still committing it to a short, fixed window once the materiality call is made.

The national-security delay provision is the narrow exception to that schedule. Under it, if the Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the Commission in writing, the filing may be delayed for a specified period. The provision is the only general carve-out from the four-day rule, and it is structured to be invoked sparingly and by the government rather than at the company's discretion. Outside that channel, a determination of materiality starts the clock.

Item 1.05 also lives next to a related annual obligation. The same 2023 rulemaking added Item 106 of Regulation S-K, which requires companies to describe in their 10-K their processes for assessing, identifying, and managing material risks from cybersecurity threats, and the board's oversight of those risks. So the framework pairs an event-driven 8-K trigger with a standing annual-report disclosure: Item 1.05 reports the incident, and Item 106 reports the governance and risk-management context around such incidents. A reader following a cybersecurity event at a public company therefore has two primary documents to consult — the Item 1.05 8-K for the event itself and the Item 106 portion of the 10-K for how the company says it manages the risk.

The primary source for all of this is the Form 8-K itself and the SEC's cybersecurity disclosure rules, both published on sec.gov. An individual company's 8-K is retrievable through EDGAR by the issuer's CIK and the filing's accession number, which together pin every claim to a dated, public document.