Your London-based fintech has just landed a US public listing. Your legal team flags a cybersecurity incident that hit your AWS London region overnight — ransomware encrypted 4,000 customer records, and your board needs to decide: is this a material incident that the SEC requires you to report within four business days? The answer will determine whether your share price holds or your general counsel faces SEC enforcement.
This is the reality for any non-US firm with securities registered under the Securities Exchange Act of 1934. The US Securities and Exchange Commission's cybersecurity disclosure rules, effective December 18, 2023, impose a four-business-day deadline for reporting material cybersecurity incidents on Form 8-K Item 1.05 for domestic issuers. But for UK and other foreign private issuers (FPIs), the reporting vehicle is SEC Form 6-K — with the same ticking clock.
If your organisation is UK-domiciled but cross-listed on the NYSE or Nasdaq, there is no grace period and no carve-out for British firms. The SEC's rule applies extraterritorially to any issuer whose securities trade on US exchanges. Get this wrong, and you face SEC enforcement, shareholder lawsuits, and reputational collapse that no ISO 27001 certification alone can salvage.
What Is Form 6-K and Why the 4-Day Rule Changes Everything
Form 6-K has historically been the catch-all reporting mechanism for foreign private issuers — a way to furnish the SEC with information that the issuer either (a) makes public in its home jurisdiction, (b) files with a foreign stock exchange, or (c) distributes to security holders. It is not a registration statement. It is a current report that must be furnished promptly.
The SEC's 2023 cybersecurity rulemaking amended the definition of "promptly" for incident reporting. Under the final rule (Release No. 33-11246), FPIs must furnish a report on Form 6-K within four business days of determining that a cybersecurity incident is material. This aligns with the Form 8-K deadline for domestic issuers under Item 1.05.
The effective date for compliance was December 18, 2023 for domestic issuers, but the SEC extended the compliance date for FPIs — completing Item 1.05 of Form 6-K became mandatory for foreign private issuers for incidents occurring on or after September 5, 2024. If you are a UK firm filing in US markets, you have been operating under this requirement for over a year. The grace period is over.
Who Exactly Must File — Know Your Classification
The SEC defines a foreign private issuer as any foreign issuer other than a foreign government, except an issuer that meets both of the following conditions on the last business day of its most recently completed second fiscal quarter:
- More than 50% of its outstanding voting securities are directly or indirectly held of record by US residents; and
- A majority of its executive officers or directors are US citizens or residents; or more than 50% of its assets are located in the US; or its business is administered principally in the US.
If your UK company does not meet both of these conditions, it remains an FPI. This status allows you to use Form 6-K instead of the more onerous Form 8-K. However, the materiality standard — and the four-business-day clock — is identical. The SEC's rule does not distinguish between a London-based biotech and a Silicon Valley SaaS provider if both trade on the Nasdaq.
Pyralink's team has seen UK firms incorrectly classify themselves as "non-FPI" because they maintain a small US investor base. That assumption is dangerous. Consult your securities counsel before an incident occurs. Pyralink's fractional vCISO service can bridge the gap between your technical incident response and your legal disclosure obligations.
The Materiality Determination — Where the Real Risk Lives
The four-day clock does not start at the moment of compromise. It starts when management determines that the incident is material. This sounds like a gift. It is not.
The SEC defines materiality using the Basic v. Levinson standard: information is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision. The SEC's rule explicitly states that materiality determinations must be made "without unreasonable delay" after discovery. You cannot delay the determination to extend the reporting window.
This creates a triage nightmare for UK firms. Your London incident response team detects ransomware at 3:00 PM GMT on a Thursday. Your board meets at 9:00 AM Friday to discuss materiality. Friday ends. Monday is a UK bank holiday (say, for argument's sake, the early May bank holiday). Tuesday is business day 1. Wednesday is business day 2. Thursday is business day 3. Friday is business day 4. You file by 5:30 PM EST Friday, or you violate SEC rules.
The practical takeaway: start the materiality assessment within hours, not days. Designate a cross-functional team — legal (US securities counsel), IT security (your CISO or fractional vCISO), finance (CFO or controller), and communications. Pre-agree on escalation triggers. Document every step. The SEC will ask for your timing log during any investigation.
What Form 6-K Must Contain — Item by Item
The cybersecurity disclosure under Form 6-K mirrors Item 1.05 of Form 8-K. You must provide, to the extent known at the time of filing:
- When the incident was discovered and its status (ongoing, contained, remediated).
- The nature and scope of the incident — what systems were affected, what data was accessed or encrypted, and which business functions were disrupted.
- Whether any data was exfiltrated, altered, or accessed — be precise. "Customer PII including names, email addresses, and payment card data" is specific. "Unauthorised access" is not.
- The material impact on operations and financial condition — if you cannot yet quantify the impact, you must state that. You cannot simply omit it.
The SEC permits delaying disclosure if the US Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety. This is not a blanket delay tool. Any such delay is specific to the incident, granted in writing, and rare. Do not assume your UK-headquartered firm qualifies.
One critical nuance: Form 6-K does not require the same granular exhibit filing as Form 8-K. You furnish the Form 6-K via EDGAR (not paper). The SEC's EDGAR Filer Manual requires FPIs to use the "6-K" submission type and check the box for "Cybersecurity Event" in the submission header. Fail to check that box, and your filing may not satisfy the disclosure requirement.
Common Mistakes UK Firms Make — and How to Avoid Them
Mistake 1: Treating Form 6-K as optional or secondary. Some UK issuers believe Form 6-K is a "furnishing" (not a "filing"), so disclosure can be sloppy. Wrong. The SEC's rule is clear: you must furnish the report within four business days. Failure to furnish is a violation of Section 13(a) of the Exchange Act and Rule 13a-16.
Mistake 2: Relying on UK GDPR breach notification timelines. The ICO requires notification within 72 hours under UK GDPR if the breach risks individuals' rights and freedoms. That timeline is shorter than the SEC's four-business-day window. But compliance with UK GDPR does not satisfy SEC requirements. You must file under both regimes. The SEC cares about investor impact, not just data protection.
Mistake 3: Waiting for the forensic report. If your incident response retainers allow 30 days for a full forensic investigation, you cannot wait. File on Form 6-K with what you know within four business days. Supplement later on Form 6-K/A (amendment). The SEC expects timely, incomplete disclosure over delayed, perfect disclosure.
Mistake 4: Assuming the four-day clock is calendar days. It is business days. But weekends are not the only thing to watch: UK bank holidays still count as business days under the SEC's definition, because a business day is any day except Saturday, Sunday, or a US federal holiday. If you file late because Monday was a UK bank holiday but a US trading day, the SEC will not excuse you.
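The business-day arithmetic from the Thursday-afternoon scenario above and from Mistake 4, worked as an added example (this is not code from the original post): it counts the four-day window under the SEC definition (Saturdays, Sundays and US federal holidays excluded; UK bank holidays counted) and measures how far off a team lands if it wrongly applies the UK calendar. The holiday sets and dates are constructed for the example and are deliberately partial.

```python
from datetime import date, timedelta

# Constructed, deliberately partial holiday calendars for this example only.
US_FEDERAL_HOLIDAYS = {date(2025, 5, 26)}                  # Memorial Day 2025
UK_BANK_HOLIDAYS = {date(2025, 5, 5), date(2025, 5, 26)}   # Early May, Spring


def is_sec_business_day(d, holidays=US_FEDERAL_HOLIDAYS):
    # SEC definition: any day except Saturday, Sunday or a US federal holiday.
    # UK bank holidays are intentionally not consulted here.
    return d.weekday() < 5 and d not in holidays


def filing_schedule(determination_iso, holidays=US_FEDERAL_HOLIDAYS, window=4):
    """Timing-log view of the window: [(business day number, ISO date), ...].
    Day 1 is the first business day after the materiality determination."""
    d = date.fromisoformat(determination_iso)
    schedule = []
    while len(schedule) < window:
        d += timedelta(days=1)
        if is_sec_business_day(d, holidays):
            schedule.append((len(schedule) + 1, d.isoformat()))
    return schedule


def form_6k_deadline(determination_iso, holidays=US_FEDERAL_HOLIDAYS):
    """Last day on which the Form 6-K may be furnished (ISO date string)."""
    return filing_schedule(determination_iso, holidays)[-1][1]


def uk_calendar_error_days(determination_iso):
    """How many days late a team lands if it wrongly treats UK bank holidays
    as non-business days (the Mistake 4 trap). 0 means the calendars agree."""
    correct = date.fromisoformat(form_6k_deadline(determination_iso))
    wrong = date.fromisoformat(
        form_6k_deadline(determination_iso, US_FEDERAL_HOLIDAYS | UK_BANK_HOLIDAYS))
    return (wrong - correct).days


if __name__ == "__main__":
    # Two Friday determinations: one followed by a UK-only bank holiday,
    # one followed by a Monday that is a holiday in both countries.
    for friday in ("2025-05-02", "2025-05-23"):
        print(f"Determined {friday}: deadline {form_6k_deadline(friday)}, "
              f"UK-calendar error {uk_calendar_error_days(friday)} day(s)")
        for n, day in filing_schedule(friday):
            print(f"  business day {n}: {day}")
```

Feed `filing_schedule` into the timing log the SEC will ask for: the per-day list is the evidence that the clock was counted on the US calendar.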
A Worked Example: Ransomware at a London-Based FPI
Scenario: LondonBio Plc (ticker: LBP) is a UK-domiciled drug discovery company listed on the Nasdaq. It has 100 employees, all UK-based, and no US operations.
Day 1 (Tuesday, 14 January): At 10:00 AM GMT, the IT team detects ransomware on the clinical trial data server. The attackers claim to have exfiltrated patient genomic data. The CEO is notified by 11:00 AM.
Day 1 (Tuesday, 14 January — 2:00 PM GMT): The pre-designated materiality assessment team meets. Counsel (partner at a US law firm with SEC experience) confirms LondonBio is an FPI. The team determines materiality is probable given the nature of the data (patient genomic data has regulatory and competitive sensitivity). The clock starts.
Day 2 (Wednesday, 15 January — 10:00 AM GMT): The team drafts the Form 6-K. The legal team confirms the content: systems affected (clinical trial database, HR server), data exfiltrated (genomic sequences for 500 patients, employee records), operational impact (clinical trial enrollment paused), financial impact (cannot quantify yet — stated as such).
Day 3 (Thursday, 16 January — 2:00 PM GMT): The draft is submitted to the CFO and CEO for review. The communications team prepares an investor FAQ. The board is briefed via secure channel.
Day 4 (Friday, 17 January — 4:00 PM GMT / 11:00 AM EST): The Form 6-K is furnished on EDGAR. The "Cybersecurity Event" box is checked. The submission is complete. The team logs the filing timestamp and saves the EDGAR confirmation.
Outcome: LondonBio filed within four business days. It later supplements the filing when the forensic report arrives on Day 21. The SEC does not investigate. The share price drops 8% on the day of filing but recovers within two weeks. No enforcement action.
How Pyralink Helps UK Firms Navigate SEC Form 6-K Compliance
Pyralink Innovation Ltd — founded by Michael Adedeji (CISM, CISA, CC, MSc Data Science) — is a UK cybersecurity firm that bridges the gap between technical incident response and regulatory disclosure. We are not a law firm. We are the cybersecurity arm your legal team relies on when the clock is ticking.
Our CloudAuditX multi-cloud auditing platform (free trial available) maps your AWS, Azure, and GCP configurations against both UK and US regulatory frameworks. It flags misconfigurations that could escalate a minor breach into a material incident — and provides the audit trail the SEC expects.
Our fractional vCISO service (from £497/month) gives your board a dedicated cybersecurity leader who understands the intersection of UK GDPR notification obligations and SEC Form 6-K filing deadlines. We help you build the incident response plan that includes the materiality determination workflow — not just the technical containment steps.
We also provide ISO 27001 certification support, which directly strengthens your ability to demonstrate a structured approach to incident detection and response — evidence the SEC will weigh favourably during any investigation.
Pyralink holds £5 million professional indemnity insurance and has delivered compliance programmes for UK firms filing in US markets. We do not outsource our expertise.
Your next step is clear.
Run a free CloudAuditX scan to identify gaps in your cloud security posture before an incident occurs.
Book a free security review to discuss your SEC Form 6-K compliance plan with our team.