What the SEC Wants to See in Your 10-K Cybersecurity Disclosure
If you follow publicly traded companies closely, you may have noticed something tucked into their annual reports over the past few years that wasn't always there before: a section called "Item 1C – Cybersecurity." For investors, compliance professionals, and business leaders alike, this addition marks a significant shift in how the SEC expects companies to communicate about one of the most pressing risks in modern business.
But what does this section actually require? What are companies disclosing? And what does it mean for the organizations navigating these rules? This post breaks it all down.
The SEC's Cybersecurity Disclosure Rule
In July 2023, the Securities and Exchange Commission adopted a final rule requiring all public companies to provide standardized, enhanced disclosures about cybersecurity risk management, strategy, governance, and incidents. The rule became effective September 15, 2023, with most companies required to comply starting with annual reports for fiscal years ending on or after December 15, 2023.
The driving force behind the rule was straightforward: as cyber threats grow in frequency and financial impact, investors deserve consistent and timely information about how companies are managing those risks. The widespread adoption of digital technologies, the shift to hybrid work, and the rise of ransomware have all contributed to a cybersecurity risk environment that regulators can no longer ignore in financial disclosures.
The result is Regulation S-K Item 106, and its home in annual 10-K filings is Section 1C.
What Does Section 1C Actually Require?
At its core, the SEC mandates four specific disclosures in Section 1C:
1. Risk Assessment and Management Processes
Companies must describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats. This includes explaining whether those processes are integrated into broader enterprise risk management, whether third parties such as consultants or auditors are engaged, and how the company manages risks associated with third-party service providers and vendors.
2. Material Impact Disclosure
Companies must describe whether any cybersecurity risks or incidents have materially affected or are reasonably likely to materially affect their business strategy, results of operations, or financial condition.
3. Board Oversight
The rule requires a description of how the board of directors oversees cybersecurity risks, including which board committees are responsible and how they receive relevant information from management.
4. Management's Role and Expertise
Companies must describe which management positions or committees are responsible for assessing and managing cybersecurity risk, and disclose relevant expertise of those individuals. This might include prior work experience, certifications like CISSP, or advanced degrees.
These four pillars are the floor, not the ceiling. And as we'll explore next, many companies are going well beyond them.
Going Beyond the Requirements: What Companies Are Actually Disclosing
When the SEC established the core disclosure requirements, many assumed companies would do the minimum to comply. In practice, the opposite has been true. A significant number of public companies are voluntarily going beyond what the rule requires, treating Section 1C as an opportunity to demonstrate the depth and maturity of their cybersecurity programs rather than simply checking a box. The result is a section that, for many organizations, now covers far more ground than the SEC ever mandated.
Here's a look at what companies are including beyond what's required:
Cybersecurity Frameworks
More than half of companies reference one or more cybersecurity frameworks as the foundation of their programs. The NIST Cybersecurity Framework is cited most often, appearing in roughly half of all framework-referencing disclosures. ISO 27001, SOC 2, and PCI-DSS also appear regularly. Companies use varied language to describe the relationship, noting that their programs "align with," are "informed by," or "leverage" these standards. The goal is clear: demonstrate due care to investors without over-prescribing internal practices.
Governance Structures
Many companies include detailed descriptions of how cybersecurity is managed internally, who owns key processes, and how often the board or audit committee receives cybersecurity updates. This level of transparency goes beyond what the SEC requires but helps reassure investors of organizational diligence.
Third-Party Risk Management
Surveyed companies included some discussion of how they manage cybersecurity risks from vendors and service providers. Ninety percent reported evaluating or conducting due diligence on vendor cybersecurity practices, and 42% stated they require vendors to adhere to specific cybersecurity management requirements. Some companies reference the use of questionnaires, SOC 2 Type 2 reports, or ISO 27001 certifications as part of their vendor review process.
Incident Response Plans
Roughly 87% of large companies note that they have implemented formal incident response plans or procedures, and nearly all describe the use of tabletop exercises or drills to test their readiness. These disclosures are not required by the SEC but have become common practice as companies look to demonstrate operational preparedness.
Employee Training
Training emerged as one of the most frequently discussed technical controls, appearing in 83% of disclosures. Companies describe both general security awareness programs and role-specific or threat-specific training, such as phishing simulations.
The Audit Committee
Many filings include mention of the audit committee receiving cybersecurity reports. This reflects a governance reality: the audit committee is often the primary board committee responsible for cybersecurity oversight, with 78% of companies in one study identifying it in that role.
The SolarWinds Effect
No conversation about Section 1C disclosures is complete without acknowledging the case of SEC v. SolarWinds and its CISO, Timothy G. Brown. The SEC alleged that the company and its chief information security officer misled investors about its cybersecurity practices and controls in the lead-up to a major breach attributed to a Russian threat actor. The charges were a significant moment in the industry because they placed personal liability squarely on a named security executive.
That case, along with October 2024 enforcement actions against four other companies that allegedly minimized cybersecurity incidents in their disclosures, has shaped how companies approach Section 1C. Civil penalties in those cases ranged from $990,000 to $4 million. Companies are not just writing disclosures to satisfy a requirement; they are writing them with an awareness that vague, inaccurate, or inconsistent language can attract regulatory scrutiny down the road.
Materiality: Still Evolving
One of the trickier aspects of Section 1C is the concept of materiality. Companies must disclose risks that have "materially affected" or are "reasonably likely to materially affect" their business. But defining what's material in the context of a cybersecurity incident requires judgment across both quantitative and qualitative factors.
Quantitative factors include lost revenue, remediation costs, legal expenses, and impacts on net income. Qualitative factors include the nature of compromised data, harm to customer relationships, reputational damage, and the likelihood of regulatory action or litigation.
Analysis of S&P 100 disclosures found wide variation in how companies approach this requirement. About 40% track the rule's language closely and state in the negative that no material impact has occurred. Another 38% address the backward-looking aspect of the rule but are vaguer about forward-looking risks. And 22% don't address the requirement directly in Item 1C at all, instead cross-referencing their Item 1A Risk Factors section.
The SEC has also made clear that materiality assessments must be made without unreasonable delay and should involve a cross-functional team including IT professionals, accountants, and legal counsel.
What This Means for CISOs and Security Leaders
The personal exposure created by the SolarWinds case has put CISOs in an uncomfortable spotlight. As companies name specific executives in their 10-K disclosures and describe their roles, credentials, and decision-making processes, those individuals become more visible in the event of a future breach or disclosure failure.
The practical implication: CISOs and security leaders need to ensure that their programs are not just well-run but well-documented. Controls need to be operating continuously, not just at the time of disclosure. Risk assessments need to be conducted, distributed internally, and communicated to the board with appropriate regularity. Incident response plans need to be tested, not just written.
The SEC has been clear that it is not looking to penalize good-faith efforts, but it is looking to identify situations where disclosures don't reflect reality.
A Layer of Accountability
The introduction of Section 1C represented something genuinely new for public companies. For the first time, cybersecurity is not just an IT problem or a risk factor buried in the footnotes. It is a named section of an annual report with its own disclosure requirements, reviewed by SEC staff, and potentially subject to enforcement action.
For investors, this transparency offers a more consistent window into how companies think about and manage cyber risk. For companies, it creates both an obligation and an opportunity to communicate the seriousness with which they approach security.
If your organization works with publicly traded companies, serves as a vendor in their supply chain, or is planning its own path to going public, understanding Section 1C is increasingly important. The rules are clear, the enforcement activity is real, and the expectations from regulators, investors, and board members are only going to grow.
Compass IT Compliance helps organizations build, mature, and document cybersecurity programs that meet both regulatory requirements and investor expectations. Contact us to learn more about our GRC services, virtual CISO support, and compliance advisory offerings.