Public companies now operate under a four-business-day deadline for disclosing material cyber incidents. At the same time, boards must demonstrate actual cyber risk management and governance, not just paper policies. This article details how the SEC's cybersecurity rules work, why identity failures are central to most reportable incidents, and how comprehensive identity governance protects both your environment and your disclosure obligations.
Executive Summary
On July 26, 2023, the SEC adopted new cybersecurity rules requiring public companies to disclose material cyber incidents on Form 8-K within four business days of determining materiality, and to describe cyber risk management and governance in their annual reports [1: sec.gov].
Most material cyber incidents begin with an identity failure: compromised credentials, orphaned accounts, or over-privileged access in SaaS systems beyond traditional IGA and SSO coverage. Identity governance has therefore become a board-level control for complying with SEC disclosure requirements: it both minimizes reportable incidents and provides critical evidence when they occur.
What the SEC Cybersecurity Rules Actually Require
The SEC's rules are sometimes summarized as "4-day breach reporting," but in reality they are more nuanced, and they connect directly to your identity and access management practices.
The core disclosure obligations
Under the final rules:
Incident disclosure (Form 8-K, Item 1.05)
- Public companies must disclose a "material cybersecurity incident" on Form 8-K within four business days of determining that the incident is material, not four days from discovery [1: sec.gov].
- The disclosure must detail the nature, scope, timing, and material impact (or likely impact) of the incident.
- If some information isn't available by the deadline, the initial 8-K is filed with what's known and then amended within four business days of the new information becoming available [2: sec.gov].
Risk management, strategy, and governance (Regulation S-K Item 106)
- Companies must describe their processes for identifying and managing material cybersecurity risks, how those risks have or are likely to materially affect the business, and how the board and management oversee cybersecurity [3: sec.gov].
- These disclosures appear in Form 10-K (or Form 20-F for foreign private issuers, FPIs), starting with fiscal years ending on or after December 15, 2023.
Compliance timing and scope
The rules are now fully in effect:
- For all registrants except smaller reporting companies, Item 1.05 reporting on Form 8-K became mandatory on December 18, 2023 [4: wilmerhale.com].
- Smaller reporting companies received an extra 180 days and began complying with Item 1.05 on June 15, 2024 [4: wilmerhale.com].
- Item 106 risk-management and governance disclosures cover all domestic filers for fiscal years ending on or after December 15, 2023 [3: sec.gov].
By 2026, every SEC-registered public company will face a mature enforcement regime, not a grace period.
Why this is a board-level identity issue
Item 106 requires disclosure of:
- The board's oversight of cybersecurity risk.
- Management's role and expertise in evaluating and managing those risks.
- Processes for identifying, assessing, and managing material cyber risks, including whether incidents have materially affected or are likely to affect the company [3: sec.gov].
This brings identity governance front and center: who has access, how you enforce least privilege, how quickly you revoke access, and whether you can prove it to regulators or investors.
Why Identity Failures Sit Behind Many SEC-Reportable Incidents
Most "headline" breaches begin not with novel exploits, but with the misuse of valid access.
The numbers: credentials and access are the primary entry points
Multiple analyses confirm:
- In the past decade, 31% of breaches involved stolen credentials [5: cloudsecurityalliance.org].
- Verizon's "basic web application attacks" pattern found 77% of breaches involved stolen credentials [6: aembit.io].
- Recent data from the 2025 Verizon DBIR indicates stolen or compromised credentials were the initial vector in about 22% of breaches, more than any other single cause [7: deepstrike.io].
With growing SaaS usage, contractors, and machine identities, the reality is clear: identity governance is your breach surface.
How identity failures become 8-K events
The SEC's rules are technology-neutral, but commonly reported incidents follow familiar patterns:
- Compromised user accounts in SaaS tools with broad customer or financial access.
- Orphaned admin accounts left after employee departures.
- Over-privileged access in systems lacking SCIM or modern governance.
- Weak separation of duties (SoD) allowing a single identity to perform and approve critical actions.
When these failures cause material impacts (data theft, business disruption, regulatory scrutiny, or costly remediation), they cross the SEC's materiality threshold and trigger Item 1.05.
Recent enforcement shows the SEC is willing to charge companies for downplaying or mischaracterizing incidents in disclosures [8: sec.gov]. Poor visibility into identity and access hampers accurate reporting on scope, impact, and remediation, which is exactly what the rules require.
The SEC Rules Raise the Bar on Identity Governance
The rule text never mandates "buy an IGA platform," but viewed through an identity lens, the implications are clear.
Item 1.05: The 4-day disclosure clock requires identity context
After an incident, you must quickly answer:
- Which identities were involved (users, contractors, service accounts, AI agents)?
- Which systems and data could those identities access at the time of the incident?
- Which entitlements were abused (admin roles, repos, channels, projects)?
- How far did the attacker move laterally?
If your identity data is split among:
- SSO groups for 20% of applications,
- ad-hoc scripts and tickets for the rest,
- spreadsheets for quarterly reviews,
...then assembling a complete picture within four business days is nearly impossible while your IR team is still triaging.
Item 106: "Describe your processes" means actual, not theoretical, controls
Item 106 disclosures require you to explain processes for identifying and managing cyber risks, and how those risks have or are likely to affect your company [3: sec.gov].
For identity, this usually covers:
- How you provision and deprovision access (joiners, movers, leavers).
- How you enforce least privilege across critical systems.
- How you conduct user access reviews and certifications.
- How you monitor for and respond to unusual access.
By 2026, regulators, investors, and plaintiffs' attorneys will expect evidence:
- Time-stamped records of provisioning and deprovisioning.
- Audit trails for approvals and exceptions.
- Comprehensive, cross-system records of entitlements at the time of any incident.
A modern identity governance platform should generate this data by default.
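As an added illustration of the point-in-time records described above (this is example code, not code from the article or from Iden): replaying a grant/revoke history to reconstruct which entitlements an identity held at the moment of an incident, which identities could reach a given app at that moment, and the four-business-day Item 1.05 clock. The event log, identities, app names and holiday handling are constructed assumptions.

```python
from datetime import date, datetime, timedelta

# Constructed sample entitlement history (not real data): ISO timestamp, event
# kind, identity, application, entitlement. In practice these rows come from
# provisioning and audit logs for every app in the stack, SCIM-enabled or not.
EVENTS = [
    ("2025-03-01T09:00:00", "grant",  "jdoe",   "github",   "org-admin"),
    ("2025-03-01T09:05:00", "grant",  "jdoe",   "slack",    "#finance-ops"),
    ("2025-04-10T17:30:00", "revoke", "jdoe",   "github",   "org-admin"),
    ("2025-04-12T08:00:00", "grant",  "svc-ci", "github",   "repo:payments"),
    ("2025-05-02T11:00:00", "grant",  "jdoe",   "netsuite", "ap-approver"),
]

def snapshot(events, at_iso):
    """Replay grant/revoke events up to `at_iso` (ISO 8601 string, inclusive)
    and return {identity: {(app, entitlement), ...}} as it stood at that moment."""
    at = datetime.fromisoformat(at_iso)
    held = {}
    for ts, kind, who, app, ent in sorted(events):  # ISO strings sort in time order
        if datetime.fromisoformat(ts) > at:
            break
        bucket = held.setdefault(who, set())
        if kind == "grant":
            bucket.add((app, ent))
        elif kind == "revoke":
            bucket.discard((app, ent))
    return held

def entitlements_at(events, identity, at_iso):
    """What a (possibly compromised) identity could reach at that moment."""
    return snapshot(events, at_iso).get(identity, set())

def identities_with_access(events, app, at_iso):
    """Blast radius: every identity holding any entitlement on `app` at that moment."""
    return {who for who, ents in snapshot(events, at_iso).items()
            if any(a == app for a, _ in ents)}

def item_105_deadline(determined_on_iso, holidays=()):
    """Four business days after the materiality determination date (YYYY-MM-DD).
    Weekends are skipped; `holidays` is an optional set of ISO dates supplied by
    the caller (assumption: the filer decides which holidays count)."""
    d, remaining = date.fromisoformat(determined_on_iso), 4
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5 and d.isoformat() not in holidays:
            remaining -= 1
    return d.isoformat()
```

Because `snapshot` only replays events up to the requested instant, the same log answers both "what did this account hold when the attacker used it" and "who else could reach that app", which is the scoping data an 8-K narrative needs.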
How Complete Identity Governance Protects Your Disclosure Obligations
Effective identity governance doesn't just lower cyber risk; it puts you in control when the SEC or your board demands answers.
Close the gaps left by SSO and legacy IGA
Most SSO and "modern IGA" tools automate only SCIM-enabled apps, often just 20% of your stack. The remaining 80%, where engineers rely on tools like Notion, Slack, Figma, Linear, GitHub, and Jira, is managed manually.
Iden bridges this gap:
- Iden connects to any app in your stack (SCIM, API, or neither) using universal connectors, without requiring enterprise plan upgrades.
- The platform automates provisioning and governance for over 175 SaaS applications, with more added continually.
- It grants fine-grained access to channels, repositories, projects, and environments, far beyond group-based controls.
From an SEC perspective, this means you can:
- See, in one place, which identities have access to business-critical SaaS apps that handle customers, financials, or operations.
- Scope an incident across your full stack, including the long-tail tools often implicated in real-world breaches.
Automate least privilege and offboarding to prevent material incidents
Many identity-driven incidents stem from misconfigurations: excess privileges, stale accounts, and inconsistent offboarding. Iden minimizes human error:
- Policy-driven birthright access by role, department, and location.
- Just-in-time, time-limited elevated access to sensitive systems.
- Zero-touch offboarding from HRIS or IdP triggers, revoking access across all connected apps, even those without SCIM or APIs.
For lean IT and security teams:
- Customers see about 80% fewer manual access tickets within 60 days of adopting Iden.
- Automated user access reviews and evidence collection save approximately 120 hours per quarter compared to spreadsheet-based reviews.
Less manual work means fewer errors, fewer orphaned accounts, and a reduced chance that the next material incident starts with a forgotten identity.
Move from "we think" to "here's the evidence" for boards and regulators
When an incident meets the SEC's materiality threshold, identity governance transforms your response:
- Instead of "we believe the attacker accessed X systems", you provide precise records of which entitlements compromised accounts had at every step.
- Instead of "we have offboarding procedures", you show automated records of account revocation triggered in minutes.
- Instead of "we conduct quarterly access reviews", you present the full audit trail of campaigns, manager attestations, and remediation actions.
That is the distinction between documentation-based compliance (policies and manuals) and evidence-based compliance (ongoing, system-generated proof), which aligns with SEC expectations and with where regulation is headed in 2026.
Manual & SSO-Only vs Complete Identity Governance: An SEC-Focused Comparison
| Capability / Question | Manual + SSO-Only Stack | Complete Identity Governance (with Iden) |
|---|---|---|
| Coverage across SaaS apps | SSO covers SCIM apps; many critical tools are manual, ticket-based | Universal coverage: SCIM, API, and non-API apps, with no SCIM tax |
| Visibility into "who had what when" | Fragmented across SSO, app admins, spreadsheets | Single view of identities, entitlements, and history across the full stack |
| Incident scoping for Item 1.05 8-K | Slow, manual correlation; often incomplete within 4 business days | Queryable identity and access history to scope affected systems quickly |
| Evidence for Item 106 risk & governance disclosure | Policies and docs; limited system-generated proof | Automated logs, review records, and workflow histories as evidence |
| Offboarding reliability | Checklists and tickets; high risk of orphaned accounts | Zero-touch offboarding from HRIS/IdP across all apps |
| Access review effort | Quarterly, manual: exports, spreadsheets, emails | Automated campaigns with real-time evidence and remediation |
| IT & security team load | High manual ticket volume; identity work blocks strategy | ~80% fewer manual access tickets and 120+ hours/quarter freed |
Action Plan for 2026: Making Identity Governance a Board-Level SEC Control
If you're an IT Director, CISO, or compliance lead at a public or pre-IPO company, here's how to turn SEC rules into a practical identity roadmap.
1. Map SEC requirements to identity controls
Tie specific requirements from Item 1.05 and Item 106 to identity capabilities:
- Incident disclosure: What identity data is necessary to scope and accurately describe impacts within four business days?
- Risk management: How are identity-related risks (e.g., orphaned accounts, SoD violations, over-privilege) identified and prioritized?
- Governance: How do the board and management obtain visibility into identity risk and metrics?
This mapping shifts "compliance" from a legal exercise to specific, actionable identity capabilities.
2. Inventory your stack and spot the coverage gap
Assemble a current inventory of:
- All SaaS and on-prem apps with customer, financial, operational, or safety impact.
- Each app's provisioning and governance (SSO, SCIM, manual, scripts, ungoverned).
- Contractor, partner, and non-human identities.
Most fast-growing companies find SSO and legacy IGA cover only the easy 20%. The risky 80%, often where SEC-relevant data resides, remains manual.
3. Prioritize high-impact identity controls
Focus on controls that both reduce risk and enable faster, easier disclosure:
- Automated joiner/mover/leaver workflows for all apps.
- Least-privilege and SoD controls for finance, trading, and production.
- Time-bound elevated access for admins and engineers.
- Automated user access reviews with clear remediation.
- Centralized logging for all identity lifecycle events.
These controls support your Item 106 disclosures; investing here also generates strong evidence.
4. Choose a platform for lean teams and SEC standards
For 50-2,000-employee organizations, the goal is achieving this without a large IAM team or multi-year project. That's the gap Iden fills:
- Coverage across your entire stack, including apps without SCIM or APIs.
- Fine-grained control beyond SSO groups to channels, repos, and projects.
- Policy-driven workflows for provisioning, deprovisioning, reviews, and license recovery.
- Fast deployment: ready in days and managed by your current IT/security staff.
The payoff: better security and a faster, clearer answer when your board or audit committee asks, "If a cyber incident happened tomorrow, could we fulfill SEC disclosure obligations confidently?"
Frequently Asked Questions
How fast must we disclose a cybersecurity incident under the SEC rules?
You must file a Form 8-K under Item 1.05 within four business days after determining a cybersecurity incident is material [1: sec.gov]. The deadline starts at materiality determination, not detection. The SEC expects companies to determine materiality "without unreasonable delay." If some information is unavailable, disclose what you know and file an amendment within four business days of obtaining the update [2: sec.gov].
Does the SEC rule require an identity governance tool?
No. The rules are technology-neutral. They require rapid disclosure of material incidents and a clear description of your risk management and governance. In practice, strong identity governance is essential, since most incidents arise from credential misuse. Iden provides the visibility, control, and evidence necessary to support your disclosures across the stack.
What identity-related incidents are likely to be "material"?
Materiality is case-specific, but identity-driven incidents are more likely to be material when they involve:
- Unauthorized access to substantial customer or financial data.
- Disruption of critical operations (e.g., production, trading, healthcare).
- Significant remediation or recovery costs.
- Reasonable likelihood of regulatory, legal, or reputational consequences.
Given that most breaches originate from compromised credentials, strengthening identity governance, especially for high-impact SaaS and production systems, directly reduces the risk of triggering Item 1.05.
We're a smaller reporting company. Do these rules apply now?
Yes. Smaller reporting companies had delayed deadlines, but full compliance is now required. Since June 15, 2024, they must comply with Item 1.05 incident reporting, and with Item 106 risk-management and governance disclosures for fiscal years ending on or after December 15, 2023 [9: jdsupra.com]. By 2026, regulators will expect these requirements to be fully operational.
How does identity governance help with 10-K cybersecurity risk disclosures beyond incidents?
Item 106 requires companies to describe how they identify and manage material cyber risks, and how the board and management oversee those risks. A complete identity governance platform allows you to:
- Quantify and trend identity-related risks (e.g., orphaned accounts, over-privilege, SoD violations).
- Demonstrate processes and metrics for managing those risks.
- Provide the board with clear dashboards and identity posture reports.
- Support every 10-K statement with system-generated evidence.
This improves your cybersecurity section from a list of generic risks to a credible, defensible account of how identity is actually governed, meeting the rising expectations of the SEC, auditors, and investors.