The lede: Since December 2023, SEC Item 1.05 has forced U.S. public companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining materiality — not four days after discovering an intrusion, four days after deciding it matters financially or operationally. That distinction quietly moved the incident-response buying decision out of the SOC and into the general counsel's office. A materiality call is a legal judgment that needs a defensible timeline, chain-of-custody forensics, and board-ready documentation an auditor and a plaintiffs' attorney will both accept. Detection tools that just say "we stopped it" don't produce that artifact. Vendors that can hand GC a court-ready incident narrative do. That's a budget line moving from IT security spend to legal/compliance spend, and it favors a specific kind of company.
Who cashes in: