Disclosure and materiality

SEC Cyber-Materiality: Why a Defensible Dollar Beats Adjectives

What Item 1C and the four-day 8-K clock actually require, why "material" is a financial total-mix question, and where a method-stamped quantification helps counsel decide.

Since the SEC adopted its cybersecurity disclosure rules in 2023, the CFO and the CISO have been bound to the same problem whether or not they have met to discuss it. Two distinct obligations now sit on top of cyber risk. The first is annual and descriptive: Regulation S-K Item 106, surfaced as Item 1C in the Form 10-K, requires a registrant to describe its processes for assessing, identifying, and managing material risks from cybersecurity threats, plus the board's oversight and management's role. The second is event-driven: Form 8-K Item 1.05 requires disclosure of a cybersecurity incident the registrant has determined to be material. Both pivot on the same word, and that word is a financial term of art, not an engineering one.

Item 1C is often underestimated because it asks you to describe rather than certify. But description has teeth. The rule wants to know how you decide what is material, who reviews it, how often, and how the board exercises oversight. A program that produces inconsistent, ad hoc, or purely narrative judgments about cyber risk reads very differently in a 10-K than one that runs a repeatable, documented process. The annual disclosure is, in effect, a public account of your risk-management machinery. If that machinery cannot articulate how a given risk would translate into financial consequence, the disclosure tends to default to generic language that says little and protects less.

The 8-K obligation is where timing pressure concentrates. Once a registrant determines that an incident is material, it generally has four business days to file, describing the incident's nature, scope, and timing and its material impact or reasonably likely material impact on financial condition and results of operations. Critically, the four-day clock does not start at discovery; it starts at the materiality determination, which the rule requires be made without unreasonable delay after discovery. That structure means the determination itself is the load-bearing decision. Move too slowly and you risk an unreasonable-delay finding; move without a defensible basis and you expose the judgment to second-guessing with the benefit of hindsight.

So what does material mean here? The SEC did not invent a cyber-specific threshold; it imported the long-standing securities-law standard from TSC Industries v. Northway and Basic v. Levinson. Information is material if there is a substantial likelihood that a reasonable investor would consider it important to an investment decision, or that it would significantly alter the total mix of information available. There is no statutory dollar line, no fixed percentage of revenue, no bright-line trigger. Materiality is a judgment about how a reasonable investor would weigh the information, and under guidance like SAB 99 it is explicitly both quantitative and qualitative. A small dollar figure can still be material for qualitative reasons, and a large one is not automatically dispositive.

This is precisely why qualitative-only language is fragile under the standard. Words like significant, serious, or limited are unanchored: they do not tell a reader, a regulator, or a court what magnitude was contemplated or how the conclusion was reached. The same adjective gets applied inconsistently across incidents and across the people making the call, which undermines the comparability the disclosure regime is built on. And because materiality is assessed against the total mix, a narrative that never quantifies the potential impact gives the determination no measurable reference point. When an incident is later litigated or examined, the absence of a basis is itself a vulnerability, regardless of whether the ultimate call was right.

A dollar quantification helps because it puts the determination on the same axis the standard actually uses. Investors weigh information against revenue, earnings, cash flow, liquidity, and the company's own guidance. A potential loss expressed as a range, against that financial backdrop, lets the decision-maker reason about whether it could significantly alter the total mix. It also creates consistency: the same method applied to two incidents produces comparable outputs, so the materiality line is drawn the same way each time rather than re-argued from adjectives. None of this makes the call mechanical, but it gives the human judgment something concrete to weigh.

The method behind the number is what separates a defensible estimate from a guess wearing a dollar sign. A single point estimate invites false precision and is easy to attack. A FAIR-aligned approach run through Monte Carlo simulation, expressing the outcome as a distribution with P10, base, and P90 bands, communicates honestly that the future is uncertain while still bounding it. Equally important is keeping the method, the confidence level, and the source of each input visible, so a reviewer can see what assumptions drove the range and where the soft spots are. There is also a meaningful distinction the rule itself draws between realized impact and reasonably likely material impact, which is forward-looking, and a probabilistic method is far better suited to the latter than a single recovered-cost tally.
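To make the method concrete, here is an added example (not Valty's code, and not from the original post) of the kind of range the paragraph describes: a known realized cost plus independently sampled forward-looking loss components, each tagged with its source and confidence, summarised as P10/base/P90 and expressed against revenue. The inputs, source labels, and the 90%-interval-to-lognormal calibration are assumptions made for the example.

```python
import math
import random
import statistics
from dataclasses import dataclass

Z90 = 1.645  # z-score at the 5th/95th percentiles, the edges of a 90% interval

@dataclass(frozen=True)
class LossInput:
    """One forward-looking loss component, carrying its own source and confidence."""
    name: str
    low: float       # 5th-percentile estimate from the named source
    high: float      # 95th-percentile estimate from the named source
    source: str      # where the estimate came from (labels below are constructed)
    confidence: str  # the estimator's own trust in it: "high" / "medium" / "low"

def lognormal_params(low, high):
    """Map a 90% interval onto lognormal (mu, sigma), a common FAIR-style calibration."""
    mu = (math.log(low) + math.log(high)) / 2.0
    sigma = (math.log(high) - math.log(low)) / (2.0 * Z90)
    return mu, sigma

def simulate(realized, components, trials=20000, seed=7):
    """Realized cost plus independently sampled components, summarised as P10/base/P90.
    Components must be non-overlapping loss categories, or the range double counts."""
    rng = random.Random(seed)
    params = [lognormal_params(c.low, c.high) for c in components]
    totals = [realized + sum(rng.lognormvariate(mu, sig) for mu, sig in params)
              for _ in range(trials)]
    cuts = statistics.quantiles(totals, n=10)  # cuts[0]=P10, cuts[4]=P50, cuts[8]=P90
    return {"p10": cuts[0], "base": cuts[4], "p90": cuts[8],
            "inputs": [(c.name, c.source, c.confidence) for c in components]}

def reference_points(result, revenue):
    """Express the range against a financial line; counsel weighs it, the model does not decide."""
    return {k: result[k] / revenue for k in ("p10", "base", "p90")}

def example_scenario():
    """Constructed incident: a known response cost plus three forward-looking components."""
    components = [
        LossInput("forensics and restoration", 200_000, 900_000,
                  "IR retainer rate card (constructed)", "high"),
        LossInput("customer notification", 100_000, 600_000,
                  "records count x unit cost (constructed)", "medium"),
        LossInput("regulatory and litigation", 250_000, 5_000_000,
                  "outside counsel estimate (constructed)", "low"),
    ]
    return simulate(realized=350_000, components=components)
```

Calling `reference_points(example_scenario(), revenue=2_000_000_000)` gives the P10/base/P90 range as fractions of revenue, with the provenance of each input still attached to the result for the reviewer.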

Here is the honest boundary, and it is not a disclaimer to skim past. Quantification does not make the materiality determination. Counsel, the disclosure committee, and ultimately the board or audit committee make it, weighing legal standards, qualitative factors, and context that no model captures. A quantified loss range is an input to that judgment, not a substitute for it. Nothing produced by a quantification engine is legal advice, an audit opinion, or an investment recommendation, and a number should never be presented to the board as a guarantee of outcome. What the quantification does is give the deciders a structured, documented basis to reason from and to record.

That documented basis is the quiet value most teams underweight. Whatever the determination, the SEC, the plaintiffs' bar, and your own auditors will eventually ask how it was reached. A contemporaneous record that shows the estimated financial exposure, the method used, the confidence attached, and the data it drew on is a fundamentally stronger artifact than a memo asserting an incident was or was not significant. It demonstrates the determination was made on a reasoned basis at the time, which is the posture you want if the call is ever revisited with hindsight. A number with no method behind it is arguably worse than no number at all, because it invites the question your file cannot answer.

There is a useful loop back to Item 1C here. The annual disclosure asks you to describe your process for assessing and managing material cyber risk. A repeatable quantification capability is itself evidence that such a process exists and operates, rather than being reconstructed under deadline pressure during an incident. The same engine that supports an 8-K determination can substantiate the 10-K narrative that you assess these risks in financial terms and escalate them through defined governance. The incident-time and annual obligations are not separate disciplines; they are two outputs of one risk-quantification practice.

Several pitfalls deserve naming because they recur. Over-precision, where a model spits out a figure to the dollar and people start treating the false specificity as truth, is the most common; ranges and confidence bands are the antidote. Anchoring on the first number presented, double-counting overlapping loss categories, and conflating an estimate with a forecast are close behind. Scope is its own trap: related incidents may need to be assessed in the aggregate rather than dismissed individually, and forward-looking impact statements carry their own liability considerations that counsel, not the model, must manage. A quantification tool should make these tensions visible, not paper over them.

This is where Valty is designed to sit, and it is worth being precise about the role and the stage. Valty reads from the tools you already run (scanners, GRC systems, cloud, and identity) and translates control state into dollar-denominated risk using FAIR-aligned Monte Carlo, producing P10, base, and P90 ranges with the method, confidence, and source attached to every figure. The output is a board-ready proof pack the CFO, CISO, and counsel can reason over, explicitly framed as a decision-support estimate rather than an actuarial, legal, or investment guarantee. Valty is early-stage and works with design partners; it does not make your materiality determination and does not replace your counsel. What it offers is a defensible, repeatable way to put a method-stamped number in front of the people who do make that call, which under this disclosure regime is a materially better position than reaching for another adjective.