The mandatory iXBRL tagging requirement for Form 8-K Item 1.05 disclosures began December 18, 2024. For calendar-year companies, Q2 2026 is therefore the fifth quarterly period subject to the cybersecurity iXBRL tagging requirement in Form 10-Q. It is not a new requirement. But it is one where consistent errors persist, where the SEC's Cyber and Emerging Technologies Unit has signalled a shift from comment letters toward enforcement, and where filing teams using generic XBRL workflows rather than the specific Cybersecurity Disclosure (CYD) taxonomy are still producing deficient filings.
This post covers exactly what the cybersecurity iXBRL requirement applies to in the Q2 10-Q, what the CYD taxonomy is and where to find it, what block text versus detail tagging means in practice, what the most common errors are, and how the 8-K interaction works.
What Are the SEC's Mandatory Cybersecurity iXBRL Tagging Requirements?
The SEC's cybersecurity disclosure rules were adopted July 26, 2023, under Release No. 33-11216. The rules created two types of cybersecurity disclosure obligations: a current reporting obligation (material incident disclosure on Form 8-K Item 1.05, or Form 6-K for FPIs) and a periodic reporting obligation (risk management, strategy, and governance disclosure on annual Form 10-K Item 1C under Regulation S-K Item 106).
Both disclosure types carry iXBRL tagging requirements, with a one-year delay from the initial disclosure compliance date:
For Form 8-K Item 1.05 and Form 6-K: iXBRL tagging became mandatory beginning December 18, 2024. Any Form 8-K Item 1.05 cybersecurity incident disclosure filed on or after that date must be tagged using the CYD taxonomy in Inline XBRL format.
For Regulation S-K Item 106 in Form 10-K (Item 1C) and comparable Form 20-F Item 16K: iXBRL tagging became mandatory beginning with annual reports for fiscal years ending on or after December 15, 2024. For calendar-year companies, the first Form 10-K with mandatory cybersecurity iXBRL tagging was the December 31, 2024 annual report filed in early 2025.
The quarterly Form 10-Q does not contain Item 106 disclosures. What it contains is the Part II cybersecurity disclosure for any material cybersecurity incidents that must be disclosed but that were not previously reported on Form 8-K Item 1.05. Per Regulation S-K and the SEC's adopting release, the 10-Q Part II disclosure for cybersecurity incidents uses the same tagging requirements as the corresponding Form 8-K Item 1.05 disclosure.
Canadian issuers filing on Form 40-F are exempt from these iXBRL requirements.
The KPMG analysis of the cybersecurity rules confirms the timeline: iXBRL compliance begins one year after the initial compliance date for any issuer for the related disclosure requirement. The Winston and Strawn analysis confirms the specific December 18, 2024 trigger for Form 8-K Item 1.05.
What Is the Cybersecurity Disclosure Taxonomy and Where Do You Find It?
The Cybersecurity Disclosure taxonomy, known as the CYD taxonomy, is the XBRL taxonomy created by the SEC specifically for tagging cybersecurity disclosures. It is not part of the standard US GAAP taxonomy (UGT). It is a separate taxonomy that must be used alongside the UGT when tagging cybersecurity disclosures.
The XBRL.org analysis confirms: the CYD taxonomy allows companies to tag disclosures related to cybersecurity risk management, strategy, governance, and incident reporting in iXBRL, aligning with the SEC's adopted rules. The taxonomy is designed to provide structured, comparable cybersecurity data across filings.
The CYD 2024 taxonomy is available through the SEC's EDGAR filing system and has been incorporated into the combination taxonomies used by the major XBRL and EDGAR filing platforms. The Workiva support documentation confirms that for filers using the US GAAP 2024 or IFRS 2024 taxonomy packages, the CYD 2024 taxonomy has been automatically included within those combination taxonomies. Filing teams using Workiva, Donnelley Financial Solutions, or other major EDGAR filing platforms should confirm with their platform provider that the CYD taxonomy is loaded in their filing environment and that it is the current version.
The taxonomy can also be accessed directly from the SEC's EDGAR taxonomy repository at https://xbrl.fasb.org/. The CYD taxonomy elements are distinct from the US GAAP taxonomy elements and must be used for cybersecurity-specific disclosures rather than substituting generic US GAAP elements.
Finding the specific taxonomy elements to use requires navigating the CYD taxonomy element list. The taxonomy includes elements covering incident occurrence, incident materiality determination, risk management process description, governance and board oversight description, and the boolean indicator for whether a cybersecurity risk materially affected or is reasonably likely to materially affect the registrant.
What Is Block Text Tagging vs Detail Tagging and Which Does Your 10-Q Require?
This is the most common point of confusion in cybersecurity iXBRL compliance, and it is the distinction the SEC staff has flagged in deficiency notices.
Block text tagging applies to narrative or qualitative disclosures. A block text tag wraps a section of text, treating the entire text block as the value of a single XBRL element. For cybersecurity disclosures, the narrative descriptions of the incident's nature, scope, and timing, and the description of the material impact or reasonably likely material impact, are block-text-tagged using the corresponding CYD taxonomy elements.
Detail tagging applies to quantitative amounts. A detail tag wraps a specific number or date value and attributes it to a specific XBRL element. For cybersecurity disclosures, detail tagging applies where the disclosure contains specific quantitative information such as the date the incident was discovered, the date the Form 8-K was filed, and any specific financial amounts referenced in the disclosure.
Gibson Dunn confirms both are required: all Item 106 disclosures must be tagged in Inline XBRL using block text tagging for narrative disclosures and detail tagging for quantitative amounts.
For the Q2 10-Q Part II cybersecurity disclosure specifically, the practical tagging requirements are:
The text describing the nature, scope, and timing of any material cybersecurity incident disclosed in Part II requires block text tagging using the appropriate CYD incident narrative elements.
The text describing the material impact or reasonably likely material impact of the incident requires block text tagging using the CYD impact description element.
Any specific dates or financial amounts in the disclosure require detail tagging using the corresponding CYD date or amount elements.
The boolean indicator for whether a cybersecurity risk materially affected or is reasonably likely to materially affect the registrant requires detail tagging as a true/false value.
The most common block text tagging error is using a single wrapper tag for the entire cybersecurity section rather than applying the specific CYD taxonomy elements to the specific text segments they are designed to tag. A filing that wraps the entire Item 1.05-equivalent section in a single generic block text element is not correctly tagged under the CYD taxonomy.
What Is the "Cybersecurity Risk Materially Affected" Flag and When Must You Use It?
The CYD taxonomy includes a boolean element that functions as a material impact indicator. This element, which the White and Case 2026 reporting guide describes as the "Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant" flag, is a detail-tagged true/false value that must be included in every Form 10-K cybersecurity disclosure and in every Form 8-K Item 1.05 disclosure.
The flag serves a specific structural purpose in the XBRL data: it allows automated data consumers, including the SEC's own examination tools, to filter filings based on whether the registrant affirmatively indicated that a cybersecurity risk had, or was reasonably likely to have, a material effect on the registrant. The flag is part of what makes the structured data comparable across companies.
The flag must be set to "true" when the registrant is disclosing a material cybersecurity incident or when the annual Item 106 disclosure affirmatively states that cybersecurity risks have materially affected or are reasonably likely to materially affect the company's business strategy, results of operations, or financial condition.
The flag must be set to "false" when the registrant's annual disclosure affirmatively states that no cybersecurity risks have had or are reasonably likely to have a material effect on the company. A company that includes generic boilerplate language about cybersecurity risks without making an affirmative materiality determination in either direction should review whether the disclosure itself complies with Item 106 before worrying about the flag value.
For the Q2 10-Q Part II disclosure, the flag applies specifically to the incident disclosure context. If an incident is being disclosed in Part II (meaning it was not previously reported on a Form 8-K Item 1.05 or is being updated), the flag must reflect whether the incident was determined to be material. If it was material (which is why it is being disclosed under the Item 1.05 equivalent standard), the flag should be set to "true."
One specific error the Gibson Dunn survey of S&P 100 companies flagged: some companies are including the material impact indicator in their annual Form 10-K but not carrying the same indicator through to their Form 8-K Item 1.05 filings when they report incidents during the year. The consistency between the annual flag and the incident-level flags is something the SEC's structured data review tools can check automatically.
What Did the SEC's Cyber and Emerging Technologies Unit Signal About Enforcement?
In February 2025, the SEC announced the formation of the Cyber and Emerging Technologies Unit (CETU), replacing the prior Crypto Assets and Cyber Unit. The unit focuses on combatting cyberfraud and protecting retail investors from risks emerging from technology misuse, using sophisticated data analytics.
The signal from CETU for cybersecurity disclosure compliance is not about comment letters. Comment letters are the mechanism used when the staff wants a company to revise its disclosures. Enforcement actions are brought when the conduct is more serious, such as materially false or misleading statements, failure to disclose material incidents, or deliberate evasion of disclosure obligations.
The White and Case 2026 reporting season guide specifically flags that the SEC's CETU has shifted from comment letter activity toward enforcement posture on cybersecurity disclosures. Two specific areas where enforcement risk is highest based on the public record:
First, incident timing. The SEC has brought enforcement actions against SolarWinds (2023) and against companies that delayed disclosure of material cybersecurity incidents beyond the four-business-day deadline in Form 8-K Item 1.05. The four-business-day clock runs from when the company determines that a cybersecurity incident is material, not from when the incident occurred or was discovered. Companies that have experienced incidents in Q2 2026 need to confirm that their materiality determination timing and their disclosure timing were consistent with the Item 1.05 rule.
Second, AI washing and cybersecurity washing. The CETU has been attentive to companies that make affirmative claims about their cybersecurity capabilities in their disclosures or marketing materials that are not substantiated by their actual practices. This is the cybersecurity equivalent of the AI washing enforcement the SEC brought in 2024.
For iXBRL compliance specifically, enforcement of structured data tagging deficiencies has historically been through deficiency notices and EDGAR filing corrections rather than through enforcement actions. But the CETU's broader enforcement posture on cybersecurity disclosures means that iXBRL errors in cybersecurity filings are more likely to be identified through automated review and less likely to be dismissed as administrative errors than in prior years.
What Are the Most Common iXBRL Tagging Errors in Cybersecurity Disclosures?
Based on the Gibson Dunn survey of S&P 100 Form 10-K filings through November 2024 and the EDGAR structured data review process, the following errors appear most frequently in cybersecurity iXBRL disclosures.
Using UGT elements instead of CYD elements. The cybersecurity disclosure must be tagged using the CYD taxonomy, not using generic US GAAP taxonomy elements for narrative disclosures. A company that tags its cybersecurity risk management narrative using a generic "us-gaap:OtherSignificantNoncashTransactionValueOfConsideration" or similar misapplied element is not complying with the CYD tagging requirement. The EDGAR filing system may accept such a filing without error, but the structured data will not be usable for the SEC's comparative analytics purposes.
Single-wrapper block text instead of granular element application. As noted above, tagging the entire cybersecurity section with a single block text element misses the granularity the CYD taxonomy requires. The narrative elements must be applied to the specific text segments they describe.
Missing the materiality indicator boolean. The "Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant" flag is a required element. Filing teams that treat it as optional will have a structurally incomplete CYD tagging.
Inconsistent flag values between the 10-K and Form 8-K. If the annual 10-K flags a material cybersecurity risk as "true" but the Form 8-K Item 1.05 filed during the year for an incident does not include the materiality flag at all, the structured data is inconsistent. The flag is required in both form types.
Using the CYD 2023 taxonomy when the 2024 taxonomy is required. The CYD 2024 taxonomy superseded the 2023 version. For fiscal years ending on or after December 15, 2024, the CYD 2024 taxonomy must be used. Filing teams whose EDGAR platform configuration was set up in 2023 and not updated may be using the older taxonomy version.
Tagging Form 8-K Item 1.05 updates without tagging the original. When a company files a Form 8-K Item 1.05 update describing a material change to a previously disclosed incident, the update filing must also be tagged using the CYD taxonomy. Filing teams that tagged the original 8-K but not the amendment are non-compliant on the amendment.
[Visual suggestion 2: Common CYD tagging errors and corrections table] Place here. A three-column table: Error / What it looks like in the filing / Correct approach. Row 1 (Wrong taxonomy): UGT element applied to cybersecurity narrative / CYD taxonomy element applied with block text tag. Row 2 (Single wrapper): Entire Item 1C tagged as one block / Separate CYD elements for risk management narrative, incident narrative, governance narrative, and materiality indicator. Row 3 (Missing boolean): Materiality flag absent from filing / CYD:CybersecurityRiskMateriallyAffectedOrReasonablyLikelyToMateriallyAffectRegistrant set to "true" or "false". Row 4 (Wrong taxonomy version): CYD 2023 namespace in filing / CYD 2024 namespace for filings covering fiscal years ending on or after December 15, 2024. Row 5 (Missing 8-K update tag): Original 8-K tagged, amendment not tagged / Both the original 8-K and every subsequent amendment must include CYD tagging. This is the checklist a filing team's XBRL specialist uses when reviewing the cybersecurity tagging before submission.
How Does Item 1.05 Form 8-K Material Incident Disclosure Interact With Your Quarterly iXBRL?
The interaction between Form 8-K Item 1.05 and the Q2 10-Q Part II disclosure is the most operationally important relationship for understanding what iXBRL tagging your quarterly filing requires.
Under the SEC's cybersecurity rules, a company that experiences a material cybersecurity incident must report it on Form 8-K Item 1.05 within four business days of determining the incident is material. If the company also has a quarterly Form 10-Q filing due around the same time, it must also include the incident disclosure in Part II of the 10-Q.
The relationship between the two disclosures:
If the Form 8-K Item 1.05 was filed before the 10-Q was filed, the 10-Q Part II disclosure can cross-reference the 8-K and incorporate the incident disclosure by reference. The iXBRL tagging obligation for the cross-referenced content attaches to the original 8-K. The 10-Q itself still needs to confirm the incident disclosure in Part II, and if that confirmation text is substantive rather than a pure cross-reference, it needs appropriate CYD tagging.
If a material incident occurs during Q2 but is not required to be disclosed until after the 10-Q is filed (for example, if the materiality determination is made in July after the Q2 period has ended), the incident is not required to be in the Q2 10-Q. It would be disclosed on a standalone Form 8-K Item 1.05.
If an incident occurred in Q2 and the company determined materiality during Q2 but missed the four-business-day Form 8-K deadline, the incident should be disclosed in the 10-Q Part II along with an explanation of why the standalone Form 8-K was not timely filed. The iXBRL tagging for that in-10-Q disclosure follows the CYD taxonomy requirements for incident narrative disclosure.
For Q2 2026 specifically: if the company filed any Form 8-K Item 1.05 during Q2 2026 (April 1 through June 30), it should confirm that: the Form 8-K was filed within four business days of the materiality determination; the Form 8-K was tagged using the CYD 2024 taxonomy; the 10-Q Part II contains a disclosure of the same incident (or an appropriate cross-reference); and the 10-Q tagging is consistent with the 8-K tagging.
A Q2 2026 Cybersecurity iXBRL Tagging Checklist for Filing Teams
This checklist covers the specific iXBRL tagging obligations for the Q2 2026 Form 10-Q. Work through this before submission.
Step 1: Confirm whether any material cybersecurity incident disclosure is required in Part II. Did a material cybersecurity incident occur during Q2 2026 (April 1 through June 30) that requires disclosure? Was it previously reported on Form 8-K Item 1.05? If it was previously reported and the 10-Q will cross-reference the 8-K, confirm the cross-reference language and confirm that the original 8-K was tagged with the CYD taxonomy.
Step 2: If a new incident disclosure appears in Part II, confirm the CYD taxonomy is loaded in your EDGAR filing platform. Confirm that your platform is using the CYD 2024 taxonomy (not CYD 2023). Confirm that the CYD taxonomy namespace is declared at the top of the Inline XBRL document.
Step 3: Apply block text tags to each narrative element separately. Do not wrap the entire Part II cybersecurity section in a single block text element. Apply the CYD incident narrative element to the description of the incident's nature, scope, and timing. Apply the CYD impact description element to the description of the material impact or reasonably likely material impact.
Step 4: Apply the materiality indicator boolean. Set the CYD:CybersecurityRiskMateriallyAffectedOrReasonablyLikelyToMateriallyAffectRegistrant element to "true" if the incident was determined to be material. This is a required detail-tagged boolean.
Step 5: Apply detail tags to dates and amounts. Any specific dates in the disclosure (date incident was discovered, date of materiality determination if disclosed) require CYD date elements as detail tags. Any specific financial amounts require CYD amount elements.
Step 6: Confirm consistency with the most recent Form 10-K. If the December 31, 2025 Form 10-K included cybersecurity iXBRL tagging, confirm that the taxonomy version and element usage in the Q2 10-Q are consistent with the 10-K tagging.
Step 7: Validate the XBRL before filing. Run the EDGAR filing validation tool to confirm there are no taxonomy conformance errors in the cybersecurity tagging. A passing validation does not guarantee the tagging is substantively correct (EDGAR validation catches structural errors, not semantic errors like using the wrong element), but a validation failure guarantees there is an error.
Frequently Asked Questions
Is cybersecurity iXBRL tagging required in the Q2 2026 10-Q?
Yes, for any material cybersecurity incident disclosure that appears in Part II of the Q2 10-Q. The iXBRL tagging requirement for Form 8-K Item 1.05-equivalent disclosures became mandatory beginning December 18, 2024. For calendar-year companies, Q2 2026 is the fifth quarterly period subject to this requirement. If the company has no material cybersecurity incident to disclose in Q2, there is no incident-specific CYD tagging required in the 10-Q.
What is the Cybersecurity Disclosure Taxonomy?
The Cybersecurity Disclosure taxonomy (CYD taxonomy) is a separate XBRL taxonomy created by the SEC for tagging cybersecurity disclosures in iXBRL. It is distinct from the US GAAP taxonomy and contains elements specific to cybersecurity risk management, governance, strategy, and incident reporting. The CYD 2024 taxonomy must be used for disclosures in fiscal years ending on or after December 15, 2024.
What is block text tagging for cybersecurity disclosures?
Block text tagging is the iXBRL method for tagging narrative or qualitative text. A block text tag wraps a section of text and attributes it to a specific XBRL element. For cybersecurity disclosures, the descriptions of incident nature, scope, timing, and impact are block-text-tagged using the corresponding CYD taxonomy elements. Block text tagging is distinct from detail tagging, which applies to specific quantitative values such as dates and amounts.
What is the "materially affected" flag in the cybersecurity taxonomy?
The CYD:CybersecurityRiskMateriallyAffectedOrReasonablyLikelyToMateriallyAffectRegistrant element is a boolean (true/false) indicator that must be included in every Form 10-K cybersecurity disclosure and in every Form 8-K Item 1.05 material incident disclosure. Set to "true" when the registrant is disclosing a material incident or affirmatively stating that cybersecurity risks have materially affected or are reasonably likely to materially affect the company. Set to "false" when the company affirmatively states the opposite.
What is the SEC's Cyber and Emerging Technologies Unit?
The CETU was announced in February 2025, replacing the prior Crypto Assets and Cyber Unit. It focuses on combatting cyberfraud and protecting investors from technology-related misconduct, using data analytics. The unit has signalled a shift from comment letter activity toward enforcement posture on cybersecurity disclosures, with heightened attention to incident timing, accuracy of cybersecurity capability claims, and structured data compliance.
Key Takeaways
- The Q2 2026 Form 10-Q does not contain Item 106 cybersecurity disclosures. Item 106 is an annual disclosure in Form 10-K Item 1C. The Q2 10-Q contains cybersecurity disclosure only in Part II for material incidents that were not previously reported on Form 8-K Item 1.05.
- Mandatory iXBRL tagging for Form 8-K Item 1.05 cybersecurity disclosures began December 18, 2024. Q2 2026 is the fifth quarterly period subject to this requirement for calendar-year companies.
- The Cybersecurity Disclosure taxonomy (CYD 2024) must be used for all cybersecurity iXBRL tagging. It is separate from the US GAAP taxonomy and must be explicitly loaded in the EDGAR filing environment. Using UGT elements for cybersecurity narrative disclosures instead of CYD elements is a tagging error.
- Block text tagging applies to narrative descriptions (incident nature, scope, timing, impact). Detail tagging applies to quantitative values (dates, financial amounts). The materiality indicator boolean must be detail-tagged as true or false in every cybersecurity disclosure.
- The five most common errors are: using UGT elements instead of CYD elements, wrapping the entire section in a single block text tag, missing the materiality indicator boolean, using the CYD 2023 taxonomy instead of CYD 2024, and failing to tag Form 8-K amendments.
- The SEC's Cyber and Emerging Technologies Unit has shifted from comment letters toward enforcement posture. iXBRL tagging deficiencies in cybersecurity filings are more likely to be identified through automated review and less likely to be dismissed as administrative errors than in prior years.
- If a Form 8-K Item 1.05 was filed during Q2 2026, confirm it was tagged with CYD 2024, that the 10-Q Part II contains a consistent disclosure, and that any amendments to the original 8-K were also tagged.








