Feb 21, 2024

Early filers showing variety in new 10K cyber-disclosures

SEC rules came into effect at the start of 2024

Companies that are among the first to file their Form 10Ks under new SEC cyber-security rules are taking different approaches as governance professionals seek the best ways to comply.

An analysis by DragonGC of filings from almost 30 large public companies shows that although some commonalities are emerging in terms of new disclosures, there are frequent differences in specificities and the degree of detail firms are including in the forms.

The analysis is based on filings made between the start of 2024, when the rules went into force, and earlier this month. The rules require companies to make disclosures in their Form 10K filings about their cyber-security risk management, strategy and governance. Companies must now describe their processes for assessing, identifying and managing material risks from cyber-security threats.

The rules also require companies to report material cyber-security incidents on a Form 8K within four business days of determining that the incident is material. Governance professionals have questions about both the 10K and 8K requirements, including how to meet the SEC’s expectations without revealing information that could raise security or liability risks.

Neil McCarthy, DragonGC's co-founder and chief product officer, tells Governance Intelligence he is surprised by the variety within the new 10K disclosures and by the details some companies provide. He notes, for example, that some firms name specific individuals involved in their cyber-security processes while others describe their internal processes for mitigating cyber-risks, such as by testing employees with fake phishing emails.

Findings
The analysis, as outlined in a new report from DragonGC, finds that the basis of cyber-security governance across companies shares common features such as charging the audit committee with oversight and assigning executive leadership to chief information security officers. But there is a range of practices in terms of specific structures, reporting mechanisms and approaches to risk management based on companies’ operational needs and strategic objectives.

For example, one company has a dedicated cyber-security committee while another assigns oversight responsibility to two separate committees. Other outliers include a company having a dedicated center for monitoring threats, ‘a unique operational component within its governance structure for real-time threat intelligence and response,’ the report states. Another company reports that its board members have cyber-security oversight certifications and that key management staff have relevant degrees and certifications.

The findings on risk management include:

  • Most of the companies that have reported so far align with frameworks such as the National Institute of Standards and Technology Cybersecurity Framework, which indicates ‘a preference for leveraging industry best practices in cyber-security risk management,’ the report states.
  • Some companies have particularly sophisticated approaches using dedicated centers and comprehensive programs for continuous monitoring and threat analysis.
  • Companies are highlighting their investment in cyber-security capabilities and its integration into enterprise risk management.
  • Companies have different challenges and strategies, reflecting the diversity of cyber-security and threats between industries and firms.

Overall, the report finds that companies are demonstrating ‘a commitment to identifying, assessing and managing cyber-security risks through comprehensive risk-management processes, incident response plans, employee training and governance oversight. The detailed approaches to risk assessment, third-party engagement and reporting mechanisms reflect their unique operational needs and strategic priorities in the context of cyber-security.’

Looking ahead, McCarthy says he would not be surprised if the SEC releases comment letters and/or more formal guidance on its expectations for disclosures under the cyber-security rules once it has assessed a wider range of filings.

‘As more and more cyber-security disclosures are filed, DragonGC expects the disclosures will become increasingly similar, incorporating best practices broadly, with particular areas highlighted to reflect nuances across industries,’ the report authors write.

In the meantime, many governance professionals are looking at their peers’ filings for clues on how to approach their own 10Ks.

Ben Maiden

Ben Maiden is the editor-at-large of Governance Intelligence, an IR Media publication, having joined the company in December 2016. He is based in New York. Ben was previously managing editor of Compliance Reporter, covering regulatory and compliance...