Annual Cybersecurity Risk Management Disclosure (Form 10-K)
Annual Cybersecurity Risk Management Disclosure (Form 10-K) means your registrant must describe, in plain English, the processes you use to assess, identify, and manage material cybersecurity risks, plus the governance around those processes, and whether cyber risks have materially affected or are reasonably likely to materially affect the business. Your job is to turn actual cyber risk management and board oversight into a disclosure-ready narrative that is accurate, complete, and consistently supportable with evidence. (SEC Release No. 33-11216)
Key takeaways:
- Item 106 requires process-and-governance disclosure, not a generic “we take security seriously” statement. (SEC Release No. 33-11216)
- You must address third-party oversight as part of cybersecurity risk management processes. (SEC Release No. 33-11216)
- Build a repeatable disclosure package: scoped owners, control-to-disclosure mapping, and evidence that matches what you say in the 10-K. (SEC Release No. 33-11216)
For a CCO, GRC lead, or compliance owner supporting SEC reporting, Regulation S-K Item 106 is a coordination problem disguised as a disclosure requirement. The text is short, but the operational lift is real: you need consistent definitions of “material cyber risk,” a documented risk management process that can be explained without overpromising, and a governance model that shows who is accountable (management) and who provides oversight (the board). (SEC Release No. 33-11216)
Item 106 is also one of the fastest ways to create avoidable exposure if your disclosure is aspirational, stale, or misaligned with how the company actually runs cybersecurity. If your 10-K says you oversee third-party service providers, an auditor (or plaintiff’s counsel) will ask what that oversight looks like, who performs it, and where the proof is. If you say the board oversees cyber risk, you need meeting materials and reporting to back it up. (SEC Release No. 33-11216)
This page gives requirement-level implementation guidance you can execute: who owns what, the disclosure inputs you must gather, the artifacts to retain, and a practical execution plan to get from “we have security activities” to “we can defend our 10-K disclosure.” (SEC Release No. 33-11216)
Regulatory text
What the rule says (operator-relevant excerpt): Registrants must describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, including whether any risks from cybersecurity threats have materially affected or are reasonably likely to materially affect the registrant. (SEC Release No. 33-11216)
What Item 106 adds in practice: Regulation S-K Item 106 requires annual Form 10-K disclosure describing (1) cybersecurity risk management processes, including use of assessors/consultants/auditors and oversight of third-party service providers, and (2) governance, including board oversight and management’s role. (SEC Release No. 33-11216)
Operator translation: You need a disclosure-ready description of real, functioning cybersecurity risk management and governance. The disclosure must be specific enough to be meaningful, but not so detailed that it becomes a commitment you cannot meet consistently.
Plain-English interpretation (what you must convey)
Your Form 10-K should explain, in business language:
- How you find cyber risk: What signals feed the process (risk assessments, vulnerability management, threat intel, incident learnings, third-party issues) and how often you re-evaluate risk. (SEC Release No. 33-11216)
- How you decide what is “material”: How cyber risk is elevated, evaluated, and communicated for potential materiality analysis, including management escalation paths. (SEC Release No. 33-11216)
- How you manage the risk: The governance and operational mechanisms that reduce, transfer, accept, or avoid cyber risk (policies, controls, remediation, insurance, third-party requirements). (SEC Release No. 33-11216)
- How third parties are overseen: What processes exist to oversee cybersecurity risk from third-party service providers that could affect you. (SEC Release No. 33-11216)
- Who is responsible: Board oversight and management’s role, described accurately and consistently with actual meeting cadence, charters, and reporting. (SEC Release No. 33-11216)
- Whether cyber risk has materially affected or is reasonably likely to materially affect you: A clear statement that is aligned with your internal materiality evaluation and known events. (SEC Release No. 33-11216)
Who it applies to
Entity scope
- Registrants filing Form 10-K that must comply with Regulation S-K Item 106. (SEC Release No. 33-11216)
Operational context (who inside the company must participate)
This is never a “security-only” deliverable. Expect shared ownership across:
- Legal / SEC reporting (Form 10-K drafting, disclosure controls and procedures)
- CISO / Security leadership (program reality, metrics, incidents, risk registers)
- Enterprise Risk Management (ERM) (risk taxonomy, escalation, board reporting)
- Third-party risk management (TPRM) (third-party oversight narrative and evidence)
- Internal audit (independent assessment, testing, and evidence discipline)
- Board and relevant committees (oversight structure, chartered responsibilities) (SEC Release No. 33-11216)
What you actually need to do (step-by-step)
Step 1: Set disclosure ownership and “single source of truth”
- Appoint a Disclosure Owner (often Legal/SEC reporting) and a Program Owner (often CISO or GRC) responsible for the factual basis behind statements.
- Create a controlled Item 106 Disclosure Workbook that captures each required topic, draft language, named internal owners, and supporting evidence links.
- Align this with your disclosure controls so updates are managed like other 10-K inputs. (SEC Release No. 33-11216)
Step 2: Define “material cyber risk” for disclosure purposes
- Document how cybersecurity risk ties to your enterprise materiality framework (financial, operational, legal/regulatory, reputational).
- Write down escalation triggers (qualitative is fine) and who participates in the determination.
- Keep the definition stable year-to-year; if it changes, document the reason and governance approval. (SEC Release No. 33-11216)
Step 3: Map your actual cybersecurity risk management process to Item 106(b)
Build a process narrative that is true on your worst day, not your best day:
- Assessing: periodic risk assessments, control assessments, maturity reviews, and how results are prioritized.
- Identifying: vulnerability management inputs, incident trends, internal control findings, third-party issues, and how they enter the risk register.
- Managing: treatment planning, remediation governance, risk acceptance authority, and how progress is tracked. (SEC Release No. 33-11216)
Third-party oversight: Describe the lifecycle you actually run (intake, due diligence, contracting requirements, ongoing monitoring, offboarding) for service providers that can impact your cybersecurity risk. If your program only covers certain tiers of third parties, say so carefully and accurately. (SEC Release No. 33-11216)
Use of external parties: If you engage assessors, consultants, or auditors, document what they do (assessment, penetration testing, program review) and how outputs are fed into risk management decisions. (SEC Release No. 33-11216)
Step 4: Document governance for Item 106(c) (board oversight + management role)
- Identify the board body with cyber oversight (full board, audit committee, risk committee) and confirm documentation (charter, meeting agendas).
- Describe management’s role: who leads (CISO, CIO, risk leader), how often they report up, and what topics are covered (risk posture, incidents, third-party risk, remediation).
- Confirm internal consistency: the story in the 10-K must match committee charters, board minutes, and enterprise risk reporting. (SEC Release No. 33-11216)
Step 5: Build a defensible “material impact” statement
- Inventory cybersecurity incidents, significant risk acceptances, and known exposures evaluated during the reporting period.
- Document how you assessed whether cyber risks have materially affected or are reasonably likely to materially affect the registrant, including who reviewed and approved the conclusion.
- Avoid absolute statements (“no impact is possible”). Stick to what you can support. (SEC Release No. 33-11216)
Step 6: Run a disclosure quality gate (accuracy, completeness, provability)
Before finalizing:
- Cross-check every non-trivial claim against an artifact (policy, charter, risk committee deck, third-party assessment workflow evidence).
- Validate “present tense” statements. If you write “we oversee,” make sure oversight is ongoing, not a plan.
- Confirm the disclosure matches how cybersecurity risk is described in ERM and other public disclosures. (SEC Release No. 33-11216)
Step 7: Operationalize as an annual repeatable cycle
Treat Item 106 as a standing control:
- Maintain the workbook year-round.
- Feed it from security governance routines (risk committee outputs, board decks, third-party monitoring results).
- Re-approve disclosure language after any significant program change. (SEC Release No. 33-11216)
Required evidence and artifacts to retain
Keep evidence that proves both process and governance:
Risk management process (Item 106(b))
- Cyber risk management policy/standard and risk assessment methodology
- Risk register excerpts showing cyber risks, owners, treatment decisions, and approvals
- Evidence of recurring risk reviews (security risk committee agendas, minutes, decks)
- Vulnerability management and remediation governance artifacts (tickets, exception logs)
- Third-party oversight artifacts: due diligence records, security addendum templates, monitoring outputs, and offboarding checklists for in-scope third parties (SEC Release No. 33-11216)
Governance (Item 106(c))
- Board/committee charter language covering cybersecurity oversight
- Board and committee meeting materials where cyber risk is presented
- Management reporting cadence and roles/responsibilities (RACI, org charts, committee charters)
- Internal audit reports or external assessment deliverables, if referenced in disclosure (SEC Release No. 33-11216)
Disclosure controls
- Item 106 disclosure workbook with versioning
- Reviewer/approver sign-offs (Legal, CISO, ERM, CFO as applicable)
- Materiality analysis memos or decision logs supporting statements about material effects/likelihood (SEC Release No. 33-11216)
Common exam/audit questions and hangups
Expect reviewers to test “say/do” alignment:
- “Show me the process you described for identifying and managing material cyber risks.” (SEC Release No. 33-11216)
- “Which third parties are in scope for oversight, and what oversight occurs after onboarding?” (SEC Release No. 33-11216)
- “Where does the board receive cyber risk reporting, and what decisions or challenges have been documented?” (SEC Release No. 33-11216)
- “Who can accept cyber risk, and how is that documented?” (SEC Release No. 33-11216)
- “If you mention assessors/consultants/auditors, how are results tracked to remediation?” (SEC Release No. 33-11216)
Hangups that slow teams down:
- No stable definition of “material cyber risk” tied to enterprise materiality.
- Over-reliance on informal practices (“we talk about it”) without records.
- Third-party oversight described broadly while implemented narrowly. (SEC Release No. 33-11216)
Frequent implementation mistakes (and how to avoid them)
- Writing aspirational language that becomes a commitment. Fix: Write what you do consistently, then improve the program and update disclosure later. (SEC Release No. 33-11216)
- Treating third-party risk as a procurement checklist. Fix: Document ongoing monitoring and escalation for critical third parties, and disclose scope accurately. (SEC Release No. 33-11216)
- Board oversight described without board-level artifacts. Fix: Ensure charters, agendas, and materials reflect the oversight you describe. (SEC Release No. 33-11216)
- No evidence trail for “materially affected” conclusions. Fix: Keep a decision memo or log showing who evaluated cyber risk impacts and what inputs were considered. (SEC Release No. 33-11216)
- Disclosure built once a year from scratch. Fix: Maintain a living workbook and feed it from recurring governance routines. Tools like Daydream help centralize third-party oversight evidence and map controls and workflows to disclosure-ready outputs without chasing documents across teams. (SEC Release No. 33-11216)
Enforcement context and risk implications
No specific public enforcement cases were provided in the source catalog for this requirement. The practical risk is still clear: if your Item 106 narrative is inconsistent with internal records, you create exposure across SEC reporting quality, internal control narratives, and stakeholder trust. Your best defense is provability: each meaningful statement should map to an owner, a process, and retained evidence. (SEC Release No. 33-11216)
Practical execution plan (30/60/90-day)
The goal is speed without guessing. Use phases and exit criteria.
First 30 days: Establish the disclosure control and collect facts
- Stand up the Item 106 Disclosure Workbook and assign owners for each subsection. (SEC Release No. 33-11216)
- Gather current-state artifacts: risk methodology, cyber risk register, board/committee charters, recent board decks, third-party oversight procedures.
- Identify “red sentences” you cannot currently prove (or that describe planned capabilities).
By 60 days: Close gaps between narrative and reality
- Rewrite draft disclosure language to match actual processes and scope. (SEC Release No. 33-11216)
- Add missing governance artifacts: schedule recurring cyber reporting to the relevant board body; standardize the management cyber risk report template.
- For third-party oversight, define scope tiers and implement minimal ongoing monitoring evidence for highest-risk service providers.
By 90 days: Make it repeatable and audit-ready
- Finalize the control-to-disclosure mapping and lock evidence retention locations.
- Run a mock challenge review (Legal + Internal Audit + CISO) against each claim: “show me.”
- Embed updates into recurring governance: risk committee outputs, third-party monitoring, incident postmortems feed the workbook continuously. (SEC Release No. 33-11216)
Frequently Asked Questions
Do we have to disclose technical details about our cybersecurity controls in the 10-K?
Item 106 focuses on processes and governance for managing material cybersecurity risks, not a control catalog. Describe your approach at a level that is accurate and supportable without creating unnecessary security or commitment risk. (SEC Release No. 33-11216)
What does “processes for overseeing third-party service providers” mean in practice?
You need to describe how you evaluate and monitor cybersecurity risk introduced by third parties that provide services to you. Your disclosure should match your real lifecycle steps, scope criteria, and escalation paths. (SEC Release No. 33-11216)
If we use outside penetration testers or auditors, do we have to mention them?
Item 106(b) contemplates disclosure about whether you engage assessors, consultants, or auditors as part of your risk management processes. If you mention them, be ready to show how outputs feed risk decisions and remediation tracking. (SEC Release No. 33-11216)
Who should own the Item 106 disclosure: Legal, Security, or ERM?
Legal typically owns the filing language and disclosure controls, but Security and ERM must own factual accuracy and provide evidence. A joint workflow with named approvers prevents “say/do” drift. (SEC Release No. 33-11216)
How do we avoid overcommitting in the disclosure while still being specific?
Use scoped, operational statements (what processes exist, who oversees them, and what inputs they use). Avoid absolute claims and promises about outcomes; focus on governance and decision-making. (SEC Release No. 33-11216)
What evidence is most likely to be requested to support the disclosure?
Board/committee materials showing cyber oversight, a cyber risk register or equivalent risk tracking, and third-party oversight records for critical service providers are common anchors. Keep them versioned and easy to retrieve. (SEC Release No. 33-11216)