"Material" is the word that decides whether a breach reaches investors through a mandatory SEC filing, and the SEC's cybersecurity rule defines it by reference, not by formula. In Release No. 33-11216, the Commission affirmed that the materiality standard a registrant applies in deciding whether an Item 1.05 8-K is triggered is consistent with the standard from the numerous securities-law cases on materiality — including TSC Industries, Inc. v. Northway, Inc., Basic, Inc. v. Levinson, and Matrixx Initiatives, Inc. v. Siracusano — and with Securities Act Rule 405 and Exchange Act Rule 12b-2. Information is material if a reasonable shareholder would consider it important; there is no separate, lower bar invented for cyber.

The Commission stated the test in the rule itself, and it is worth quoting because it is the sentence that governs every materiality call a public company makes about a breach.

"...information is material if “there is a substantial likelihood that a reasonable shareholder would consider it important” in making an investment decision, or if it would have “significantly altered the ‘total mix’ of information made available.”" — SEC Release No. 33-11216

Two features of that standard shape how it works in practice. First, it is qualitative. A company cannot resolve materiality by checking the incident against a revenue percentage; it must ask what a reasonable investor would weigh, which can include effects on operations, customer relationships, regulatory exposure, or reputation that are not captured by a single dollar figure. Second, the Commission instructed that doubts as to the critical nature of the relevant information should be resolved in favor of investors — a tilt that pushes close calls toward disclosure rather than away from it. The materiality determination is supposed to be made without unreasonable delay after the company discovers the incident, and it is that determination — not detection — that starts the four-business-day clock for the 8-K.

How real filers describe a material incident

The cleanest way to see the standard operate is to read filings that invoke it. When Halliburton Company filed under Item 1.05 in 2024, it described the event in the careful, scope-and-response language Item 1.05 calls for: "on August 21, 2024, Halliburton Company (the “Company”) became aware that an unauthorized third party gained access to certain of its systems. When it learned of the issue, the Company activated its cybersecurity response plan and launched an investigation internally with the support of external advisors to assess and remediate the unauthorized activity." The filing notes the company proactively took certain systems offline and notified law enforcement, and that it continued to provide products and services to customers globally — the kind of nature, scope, timing, and impact narrative the rule asks for. The primary record is the company's own 8-K on sec.gov.

United Natural Foods, Inc. (UNFI) filed under Item 1.05 in June 2025 and shows the same pattern with a different operational fingerprint. The company disclosed that on June 5, 2025 it "became aware of unauthorized activity on certain information technology (IT) systems," that it "promptly activated its incident response plan and implemented containment measures, including proactively taking certain systems offline, which temporarily impacted the Company’s ability to fulfill and distribute customer orders." That operational impact — a distributor's ability to ship to retailers being temporarily degraded — is exactly the kind of effect a reasonable investor would weigh, which is why the incident reached the Item 1.05 threshold. The full filing is on sec.gov.

Both filings illustrate a feature of the standard that is easy to miss: materiality can rest on operational or qualitative effects, not just on a tallied dollar loss. UNFI's disclosure foregrounds disruption to order fulfillment and distribution; Halliburton's foregrounds unauthorized access to systems, an investigation with external advisors, and the proactive decision to take systems offline. Neither filing reduces materiality to a single number, because the SEC's standard does not. The rule also directs that the materiality determination be made without unreasonable delay after discovery, so the judgment is not only about whether an incident is material but about making that call promptly — the determination is what starts the four-business-day clock, and a registrant cannot defer it indefinitely to avoid the deadline.

It is worth separating two events that are easy to conflate. Discovery of unauthorized activity is one event; the determination that the activity constitutes a material incident is another. Both the Halliburton and UNFI filings reference an earlier 8-K — each company had already informed the market of an incident before, or alongside, the Item 1.05 disclosure. That sequencing is consistent with the rule's design, where a company can disclose an incident's existence early and then make and disclose its materiality determination as the investigation develops. Reading the materiality standard correctly means tracking that arc — discovery, determination, disclosure, and any later amendment — rather than treating a single filing as the whole record.

What materiality does not require

The standard also defines what a material-incident filing is not. It is not a forensic report. The rule asks for the material aspects of the incident's nature, scope, and timing and its impact or reasonably likely impact — not a disclosure of the specific technical means of the intrusion or details that would impede the company's response. Both the Halliburton and UNFI filings reflect that: each states what happened, what the company did, and what was affected, without publishing an attack playbook. Materiality also does not depend on a threat actor's claims; a ransomware group naming a victim is not a disclosure, and the company's own filing is the primary, time-stamped record of what it determined and when. For any question about whether a given incident is material, the controlling text is the rule's materiality standard, and the controlling evidence is the registrant's filing — read both, in that order.