SEC 10-K Cyber Risk Disclosure Support
Defensible, substantive cybersecurity disclosure that reflects how your organization actually manages risk.
Overview
The SEC's cybersecurity disclosure rules (effective December 2023) require publicly traded companies to explain, in their annual 10-K filing, how they assess and manage cybersecurity risk, how the board oversees it, and what role management plays. The rule is specific about what it wants. Generic boilerplate has already drawn SEC comment letters asking companies to explain their actual processes. If your company cannot articulate documented risk treatment decisions, including which risks you have chosen to accept and why, your disclosure is vulnerable.
The hardest part of Item 106 for most companies is not the governance language. It is explaining the risk acceptance decisions. The SEC wants to know that your board is informed, that management has a process, and that you can defend the choices you have made. That requires documentation that most organizations do not have when it is time to file.
Risk Treatment Narrative
We document your cybersecurity risk treatment decisions (which risks you are mitigating, transferring, avoiding, or accepting) and the business rationale behind each, in language that satisfies Item 106's process description requirement.
Board Oversight Documentation
We help you articulate how your board of directors receives and acts on cybersecurity risk information (including which committee has oversight, how often it is briefed, and how material risks are escalated).
Management Role Disclosure
We document the management-level processes, roles, and decision rights your company uses to assess and respond to cybersecurity risk, including how findings reach the people who are responsible for acting on them.
The SEC has made clear that cybersecurity disclosures must reflect reality. A disclosure that describes processes you do not actually have creates legal exposure. The goal is documentation that is both accurate and defensible.
What You Can Expect
- Review of your existing cybersecurity program against Item 106 disclosure requirements
- Identification of gaps between your actual practices and what your disclosure currently claims
- Documentation of risk treatment decisions with supporting business rationale
- Board and management oversight narrative in language suitable for SEC filing
- Written summary of material cybersecurity risks the company has assessed and how each is being addressed
- Guidance on maintaining disclosure accuracy as your program and risk profile evolve
Need the underlying risk program, not just the disclosure? Operational Risk Assessments build the documented risk inventory and treatment decisions that make an accurate 10-K disclosure possible in the first place.
Who This Is For
- Public companies preparing their annual 10-K and uncertain whether their Item 106 cybersecurity disclosure meets SEC expectations
- Organizations that received an SEC comment letter on their cybersecurity disclosure and need to respond with substance
- Companies whose cybersecurity posture or risk treatment decisions have changed materially since their last filing
- General counsel or CFOs who need a practitioner to translate technical risk decisions into defensible disclosure language
- Private companies preparing for IPO or acquisition who want governance and risk documentation that will hold up to scrutiny
- Boards seeking assurance that management's cybersecurity risk narrative accurately reflects the company's actual program
Common Questions
What does the SEC require public companies to disclose about cybersecurity in a 10-K?
Under SEC Regulation S-K Item 106, effective December 2023, public companies must disclose: (1) their processes for assessing, identifying, and managing material cybersecurity risks; (2) whether any cybersecurity threats have materially affected or are reasonably likely to materially affect the company; (3) the board of directors' oversight of cybersecurity risks; and (4) management's role in assessing and managing those risks. The rule requires substantive disclosure, not boilerplate. Companies that filed generic language in early cycles have faced comment letters from the SEC asking for more specificity.
What is cyber risk acceptance and why does it matter for SEC disclosure?
Risk acceptance is the formal decision that a known cybersecurity risk does not warrant additional mitigation investment at this time, and that the organization is willing to absorb the potential impact. Under Item 106, companies must describe their risk management processes, which includes how they identify risks and how they decide to treat them (mitigate, transfer, avoid, or accept). Undocumented risk acceptance decisions create disclosure problems: the SEC expects management to be able to explain the basis for those decisions, and boards are expected to have oversight of them.
Do private companies need to worry about SEC cybersecurity disclosure rules?
The SEC's Regulation S-K Item 106 disclosure requirements apply only to public companies (those filing annual reports on Form 10-K). However, private companies preparing for an IPO, undergoing acquisition due diligence, or seeking institutional investment often face similar questions from investors, acquirers, and their own boards. Building a defensible risk management narrative and documented risk treatment process is good practice regardless of regulatory status.