American executives faced an immediate problem: Does our company need to file a public disclosure with the SEC within four business days?
The Securities and Exchange Commission’s cybersecurity disclosure rules, adopted in July 2023, require public companies to report “material” cybersecurity incidents on Form 8-K within four business days of determining materiality. But the rules were written with a company’s own systems in mind—servers breached, networks compromised, databases stolen or copied. What happens when the breach occurs at a partner’s facility, in another country, involving your data but not your infrastructure?
When Third-Party Breaches Trigger Disclosure Obligations
Modern companies don’t operate in isolation. Their data lives everywhere—in cloud providers’ data centers, on contractors’ servers, inside vendors’ collaboration platforms. When one of those third parties gets hacked, the affected companies face a disclosure puzzle with real consequences.
The SEC’s definition of “cybersecurity incident” includes “when hackers access company data or systems without permission.” Notice what’s missing: any requirement that those systems belong to the company doing the disclosing.
The four-business-day clock doesn’t start ticking when the breach happens, or even when the victim discovers it. It starts when the company determines the incident is material.
If you don’t know you’ve been breached, can you be late filing a disclosure?
Materiality: Subjective Standards for Supply Chain Breaches
In securities law, information matters if a typical investor would care about it. For cybersecurity incidents, the SEC identified factors including financial impact, operational disruption, reputational harm, customer relationship damage, competitive disadvantage, and litigation risk.
Supply chain breaches make this murkier. Trust Wallet, a cryptocurrency platform owned by Binance, discovered in December 2025 that hackers had published a malicious version of its Chrome browser extension, stealing funds from wallet addresses.
If Trust Wallet were a U.S. public company (Binance doesn’t file with the SEC), which incident would trigger disclosure? The malicious extension publication? The customer fund theft?
The SEC hasn’t provided clear answers because these scenarios are new. The agency issued the cybersecurity rules in 2023, but only now—as major supply chain breaches hit aerospace contractors, fintech platforms, and healthcare systems—are firms discovering what the rules require in practice.
Early Filings Show Confusion
Most disclosed incidents involved breaches of the company’s own systems—ransomware attacks, network intrusions, database theft. Supply chain breaches remain rare in the disclosure record, not because they’re uncommon but because firms haven’t figured out when they trigger reporting obligations.
Some companies disclosed incidents that they later clarified weren’t material. Others filed about cyber attacks while simultaneously stating they hadn’t determined whether the incident would have material impacts.
SEC Enforcement Actions Set Standards
In December 2024, the SEC settled charges against Flagstar Bancorp, imposing a penalty of $3.55 million for inadequate cybersecurity incident disclosure and weak systems for ensuring important information reaches decision-makers. Flagstar experienced a November 2021 incident that disrupted banking operations and resulted in theft of personal data from approximately 1.5 million customers. The initial disclosure minimized the incident and stated the bank had no evidence of unauthorized access to customer data.
The enforcement finding went beyond alleging misleading disclosure. The agency charged Flagstar with violating SEC rules requiring companies to have systems ensuring important information reaches decision-makers.
You need formal processes. Documented procedures. Clear responsibility assignments. Written documentation of why you decided the incident was or wasn’t material.
Supply chain breaches create additional requirements. Security teams discovering vendor incidents must have clear escalation paths to the team responsible for deciding what to tell investors. Forensic investigators assessing scope must communicate findings to legal counsel evaluating regulatory implications. Compliance teams must coordinate with investor relations personnel drafting disclosures. All of it needs documentation.
The SEC also settled charges in December 2024 against R.R. Donnelley & Sons Company, a printing and document management firm that experienced a 2021 Citrix breach. The enforcement action found that RRD’s disclosure controls didn’t ensure all relevant information about security incidents reached disclosure decision-makers, and didn’t provide guidance on who was responsible for reporting such information to management.
National Security Delays and Reputational Risk
Defense and aerospace contractors face another complication: national security.
The SEC’s rule includes a provision allowing delayed disclosure if the U.S. Attorney General decides that disclosing immediately could harm national security or public safety.
Almost nobody uses it. The scarcity reflects both how strict the national security standard is and the reputational risk. Markets interpret disclosure delays as signaling particularly serious incidents, potentially amplifying negative reactions once disclosure finally occurs.
Contractors face an uncomfortable calculus: delay disclosure to satisfy national security authorities but potentially damage investor confidence, or disclose promptly to satisfy SEC timing requirements but potentially compromise national security assessments.
Overlapping Regulatory Obligations
SEC disclosure rules don’t exist in isolation. Defense contractors face simultaneous obligations under CMMC (Cybersecurity Maturity Model Certification), which establishes three levels of cybersecurity requirements for contractors handling government information that’s sensitive but not officially classified, with compliance becoming a contract requirement.
A supply chain breach revealing CMMC compliance failures could be material to investors concerned about the firm’s ability to maintain government contracts. But disclosing CMMC deficiencies must be coordinated with DoD notifications and remediation timelines.
Rules controlling who can access sensitive military technology information add another layer. A breach of military technology information controlled by the State Department under ITAR requires notification to the State Department and can trigger criminal penalties. A firm whose compromised data involves ITAR-controlled documentation must simultaneously navigate SEC materiality determinations, ITAR compliance obligations, and potentially DoD notifications.
Then there are state data breach notification laws. States have them, with varying requirements. Many require notification to state attorneys general or regulatory agencies. For firms experiencing supply chain breaches affecting customer data, state law notification timelines may precede SEC disclosure timelines, requiring coordinated communication to investors, customers, and regulators.
Unlike the SEC’s four-business-day deadline, which starts when you determine materiality, some state laws start the clock when you discover the breach, whether or not you’ve assessed its significance.
SEC Guidance on Materiality Determinations
In May 2024, Erik Gerding, Director of the SEC’s Division of Corporation Finance, gave a speech clarifying the agency’s expectations. His core message: materiality determinations are inherently fact-specific. Firms must apply what a typical investor would care about, based on their own judgment, not follow predetermined thresholds or mechanical rules.
This applies with particular force to supply chain breaches, where the nature of compromised information, the identity of the breaching party, the firm’s role in the supply chain, and potential downstream consequences all influence materiality. A contractor whose proprietary engine design specifications were exposed would reach a different materiality determination than one whose administrative email addresses were compromised. A defense contractor subject to ITAR would assess differently than a commercial aerospace supplier.
Gerding clarified that the SEC form section for reporting cyber attacks should be reserved for incidents the firm determines are material, with immaterial or not-yet-determined incidents disclosed instead under a different section of SEC filings for less important events if disclosed at all.
Firms can’t simply declare incidents immaterial without analysis. The SEC expects documented consideration of relevant factors—financial impact, operational disruption, reputational harm, customer relationships, competitive position, litigation risk, regulatory exposure.
Supply chain breaches require firms to articulate whether and how the exposure threatens competitive position, government contracts, customer relationships, or financial performance. General statements about reputational concerns without grounding in concrete business consequences appear insufficient.
Annual Disclosure Requirements for Cybersecurity Governance
Beyond the four-business-day incident reporting, the SEC’s cybersecurity rule requires annual disclosure, in the annual report, of firms’ cybersecurity risk management, strategy, and governance. Effective for fiscal years ending on or after December 15, 2023, this requirement obliges firms to describe their processes for assessing and managing material cybersecurity risks, board oversight of cybersecurity threats, and management’s role and expertise.
Supply chain scenarios create ongoing disclosure obligations about vendor security risk management. Firms must disclose whether and how they assess, identify, and manage material cybersecurity risks from third-party partners and vendors.
During the first compliance cycle, the SEC has already issued comment letters requesting firms explain their vendor security assessment processes, criteria for determining which vendors pose material cybersecurity risk, and how they monitor whether vendors maintain adequate controls.
The annual disclosure requirement has become a mechanism through which the SEC requires firms to demonstrate cybersecurity supply chain governance by concretely describing their processes, risk thresholds, monitoring activities, and escalation procedures.
Companies need written procedures for checking whether their vendors are secure. Not for operational security alone, but for securities law compliance.
Unresolved Questions
Affected contractors are grappling with materiality determinations. Trust Wallet reimbursed affected users but faces questions about whether similar platforms need to disclose supply chain compromises of developer infrastructure. Healthcare systems compromised through vendor breaches are assessing their own disclosure obligations.
What should companies disclose about breaches at foreign companies that don’t file with the SEC? Will the standard for materiality differ when a U.S. firm can’t control the foreign entity’s disclosure practices and remediation timeline? How much detail about the foreign entity’s incident response must be included versus remaining focused purely on U.S. registrant impact?
If a firm’s data breach exposes product designs, development roadmaps, or customer lists compromised in a supply chain partner’s systems, how much must be disclosed to investors versus withheld as competitively sensitive? The SEC’s rule permits firms to withhold technical details about response and remediation plans, but does this extend to withholding detail about what information was compromised when such information is investor-material?
Should multiple vendor breaches be reported together or separately? If a firm experiences multiple supply chain incidents over a defined period—several vendors compromised, related attacks through the same vulnerability—when must these be aggregated into a single disclosure versus reported separately?
The broader regulatory environment suggests potential evolution. The SEC has indicated the cybersecurity disclosure rule may be updated through amended guidance or rules addressing emerging issues. Other jurisdictions are creating similar rules—the European Union’s cybersecurity rules impose incident reporting requirements on critical infrastructure operators, with 24-hour notification timelines in some circumstances. When U.S. and international rules don’t match up, multinational firms face coordination challenges in disclosure timing and content across different regulatory regimes.
The Core Challenge: Modern Business Doesn’t Match the Rules
The SEC wrote these rules assuming companies would control their own systems and know their own security. But modern business doesn’t work that way. Firms operate through ecosystems of vendors, partners, cloud providers, and contractors. Data flows across organizational boundaries constantly. Security depends on multiple companies working together.
When a major supply chain partner gets breached, affected firms often learn about it weeks or months later, through notification from the partner or from investigators’ findings about the breach. They then face immediate pressure to determine materiality with incomplete information, file within four business days, coordinate with multiple regulators, satisfy state notification laws, and communicate with customers—all while still investigating what happened.
The SEC’s enforcement record suggests the agency will continue policing the boundaries between material and immaterial supply chain disclosures, scrutinizing firms’ processes for determining materiality, and requiring increasingly detailed disclosure of incident characteristics and impacts.
Firms must develop formal, documented governance processes for escalating supply chain security incidents, explain what investigators found in terms investors would understand, and coordinate with boards, investors, regulators, and customers. Those that succeed will establish themselves as companies known for strong security practices. Those that stumble face SEC enforcement action, investor litigation, or reputational damage in capital markets concerned about cybersecurity governance competence.
Similar incidents will test these rules in real time. Firms affected by supply chain compromises will make disclosure decisions, file Form 8-Ks or choose not to, and face SEC scrutiny of those choices. Over time, through enforcement actions and comment letters, the boundaries of what companies must disclose about supply chain breaches will become clearer.
But right now, eighteen months into the new regime, firms are making consequential decisions with inadequate guidance. The four-business-day clock is ticking. And nobody’s quite sure when it started.