SEC Form 10-K Item 1.06 Cybersecurity Disclosure Guide 2026

Introduction: Why Your 10-K Cybersecurity Disclosure Is Under More Scrutiny in 2026

Generic cybersecurity disclosures are drawing comment letters. The SEC's rule took effect for fiscal years ending on or after December 15, 2023, and 2026 filings mark the second full reporting cycle — the environment has shifted since year one.

The SEC has now issued comment letters, XBRL tagging requirements have kicked in for fiscal years ending on or after December 15, 2024, and institutional investors are comparing your disclosure against last year's version and against your peers. Generic language that passed initial review is drawing closer scrutiny.

The tension boards and CISOs face is real: disclosures must be specific enough to give investors decision-useful information, yet general enough not to expose security vulnerabilities or create legal liability.

The SEC is watching for both omissions and overstatements. The SolarWinds enforcement action made clear that aspirational language carries its own risk.

This guide gives boards and their advisors the framework to build a disclosure they can defend — grounded in what the SEC is actually scrutinizing, what S&P 100 filers are doing, and where comment letters are landing.


TL;DR

  • Item 1C (Item 106 of Regulation S-K) requires four disclosures: risk management processes, material impact assessment, board oversight, and management expertise.
  • 66% of S&P 100 companies structure Item 1C in two sections mirroring Item 106 — risk management and governance — with an average length of 980 words.
  • XBRL tagging now forces a true/false materiality flag — vague prose no longer lets you avoid a definitive position.
  • The SEC's most common comment letters target missing sections, vague management expertise descriptions, and insufficient ERM integration detail.
  • Where your public disclosures diverge from internal reporting is exactly where enforcement and litigation exposure concentrates.

What Item 1.06 Actually Requires: The Four Core Obligations

Terminology note: "Item 106" (often written "Item 1.06") and "Item 1C" refer to the same disclosure. Item 1C is the location in the Form 10-K; Item 106 of Regulation S-K is the underlying rule. The SEC adopted this rule on July 26, 2023, and it applies to all domestic public companies filing Form 10-K.

The rule imposes four discrete obligations. The first two address what your company does about cybersecurity risk; the second two address who is responsible for overseeing it.

1. Risk Management Processes — Item 106(b)(1)

Describe your processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand them. The non-exclusive list includes:

  • Whether and how these processes integrate into your overall enterprise risk management (ERM) system
  • Whether you engage third parties such as assessors, auditors, or consultants
  • How you oversee cybersecurity risks associated with third-party service providers

[Figure: Four core Item 106 cybersecurity disclosure obligations, shown as a process flow]

2. Material Impact — Item 106(b)(2)

Describe whether any risks from cybersecurity threats — including from previous incidents — have materially affected or are reasonably likely to materially affect the registrant, including business strategy, results of operations, or financial condition.

3. Board Oversight — Item 106(c)(1)

Describe the board's oversight of cybersecurity risks, identify any responsible committee or subcommittee, and explain the processes by which the board or committee is informed about those risks.

4. Management's Role — Item 106(c)(2)

Describe management's role in assessing and managing material cybersecurity risks, including:

  • Which positions or committees are responsible
  • The relevant expertise of those individuals
  • How management monitors and is informed of incidents
  • Whether and how management reports to the board

Cybersecurity Risk Management and Strategy: What to Disclose

Framework References and Their Risks

Most companies structure this section around framework alignment, risk assessment processes, program elements, and third-party risk management. According to Gibson Dunn's survey of 97 S&P 100 companies' 2024 Form 10-K filings, 60% referenced one or more external frameworks or standards, with the NIST Cybersecurity Framework cited by 51 companies.

One critical caution: citing a framework without meeting its standards creates legal exposure. The SEC alleged in the SolarWinds complaint that the company publicly claimed NIST alignment while internal assessments showed multiple controls were unmet.

The litigation was ultimately dismissed by joint stipulation in November 2025, but the underlying disclosure theory — that overstating cybersecurity practices constitutes a material misstatement — remains viable. Specifically, the SEC's position was that claiming alignment with a framework you haven't actually implemented is a misstatement, not merely an aspirational disclosure.

Disclose framework alignment only where you can support it with internal assessments.

Third-Party Risk Management

Item 106(b)(1)(iii) specifically requires discussion of how you oversee cybersecurity risks from vendors and service providers. That means describing:

  • Due diligence and vendor questionnaire processes
  • Contractual security requirements
  • Ongoing monitoring and evaluation

All 97 surveyed S&P 100 companies addressed third-party risk. 90% disclosed that they evaluate, monitor, or conduct due diligence on vendor cybersecurity practices; 42% reported requiring vendors to adhere to specific cybersecurity management processes.

ERM Integration — A Focal Point for 2026

Item 106(b)(1)(i) requires disclosure of whether and how cybersecurity risk management processes are integrated into your overall ERM system. 90% of S&P 100 companies disclosed this integration. More to the point, the SEC has issued comment letters specifically requesting more detail here — making it a self-review priority before you finalize a 2026 filing.

What to Avoid in This Section

  • Naming specific security technology vendors or tool configurations
  • Disclosing granular technical controls (firewall rules, specific detection thresholds)
  • Using compliance certification language for frameworks not fully implemented
  • Treating this section as a technical security document

The disclosure should operate at the governance and program level, not the control level.


Board and Management Governance: The Disclosure the SEC Scrutinizes Most

Board Oversight Structure

The SEC expects you to describe how the board actually governs cybersecurity risk — not just assert that it does. Generic "the board oversees all enterprise risk" language is insufficient.

According to Gibson Dunn's survey:

  • 68% reported that the full board holds enterprise-wide risk oversight
  • 66% delegated primary cybersecurity oversight to a committee
  • Among those delegating, 78% assigned responsibility to the audit committee and 19% to a risk committee

[Figure: S&P 100 board cybersecurity oversight structure statistics, comparison infographic]

The board needs to document the actual division of responsibility before drafting this section. Boards that discover ambiguity here — for example, where both the full board and the audit committee nominally "oversee" cybersecurity without clear primacy — face a disclosure problem that is also a governance problem.

Management Role and Expertise

Item 106(c)(2) requires identification of specific management positions responsible for cybersecurity, along with a meaningful description of their expertise. Vague or aggregated descriptions have triggered comment letters.

Meaningful expertise descriptions include:

  • Prior roles and organizations (not just titles)
  • Years of experience in cybersecurity or relevant functions
  • Certifications (CISSP, CISM, and similar)
  • Relevant educational background or executive programs
  • Crisis leadership and incident response experience

99% of S&P 100 companies identified at least one responsible management position; 78% named a CISO specifically.

Reporting Cadence

Companies must explain how management informs the board of cybersecurity risks, threats, and incidents. 82% of surveyed S&P 100 companies disclosed regular reporting cadences; 61% described a process for escalating significant incidents.

A defensible disclosure requires a documented reporting rhythm. Ad hoc processes that depend on individual judgment don't hold up in a comment letter response or litigation. At minimum, document:

  • Quarterly formal updates to the board or audit committee
  • Monthly management-level reporting on risk posture
  • Defined escalation triggers for material events

When the Governance Gap Is the Real Problem

For organizations without a standing CISO or a board member with cybersecurity governance experience, Item 106(c) disclosures may expose an actual gap — not a drafting problem. The disclosure can't credibly describe oversight processes that don't exist in practice.

Engaging a board advisor or interim CISO before drafting accomplishes two things: it strengthens the actual oversight program, and it ensures the disclosure reflects something defensible. Tyson Martin's board advisory practice addresses this directly — helping boards establish documented decision rights, reporting cadences, and escalation thresholds before a disclosure is finalized, rather than building a narrative around a process that hasn't been built.


The Materiality Question: Disclosing Whether Cyber Risks Have Affected Your Business

Item 106(b)(2) requires disclosure of whether cybersecurity risks have materially affected — or are reasonably likely to materially affect — the registrant. The obligation runs in both directions: past impact and anticipated future impact.

Three Approaches Companies Have Taken

  1. Track the language and respond in the negative
     Description: Mirrors the Item 106(b)(2) text; often uses a knowledge qualifier ("we are not aware of...") and a temporal scope.
     Prevalence: 40% of S&P 100 (Gibson Dunn).

  2. Address backward-looking only
     Description: Handles the prior-impact component; treats the forward-looking component vaguely or with a boilerplate disclaimer.
     Prevalence: Common among companies with prior incidents.

  3. Cross-reference to Item 1A
     Description: Points to the Risk Factors section rather than responding directly in Item 1C.
     Prevalence: 22% of S&P 100 (90% of that group cross-referenced Item 1A).

Why XBRL Changes the Calculus

The third approach — cross-referencing to Risk Factors — is harder to sustain now. Item 1C XBRL tagging includes a required true/false flag: "Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant." Vague or cross-referenced prose must resolve into a binary answer in the structured data — "yes" or "no," on the record.

One rule boards must internalize: if a cybersecurity risk has already materialized, it cannot be described in hypothetical terms. Risks that have occurred must be disclosed as such — not recast as future possibilities.


What the SEC Is Flagging: Comment Letter Patterns to Watch in 2026

As of November 30, 2024, Gibson Dunn identified five Item 1C comment letters — all issued to smaller companies outside the S&P 100. Four patterns emerged that apply across company sizes:

  1. Missing Item 1C entirely — Two letters requested refiling because the section was omitted. The SEC staff comment quoted by TheCorporateCounsel.net: "We note you do not include Item 1C. Cybersecurity. Please revise or advise us why you do not provide disclosures as applicable under Item 106 of Regulation S-K."

  2. Inconsistent third-party statements — One company stated it did not engage third parties in its Item 1C disclosure while elsewhere disclosing that its audit committee received updates from third-party IT specialists. Internal consistency is a threshold issue.

  3. Insufficient management expertise detail — SEC staff requested that registrants separately identify individual management positions responsible for cybersecurity and describe the relevant expertise of those individuals — not just name a committee.

  4. Insufficient ERM integration detail — Requests for more specificity on how cybersecurity risk processes connect to overall enterprise risk management, as required under Item 106(b)(1)(i).

[Figure: Four SEC comment letter patterns that trigger Item 1C cybersecurity disclosure deficiencies]

Each of these four deficiencies carries a direct enforcement implication, and the SEC's active enforcement posture makes that worth understanding before the 10-K goes out.

Enforcement Context

The SEC's Cyber and Emerging Technologies Unit — announced February 20, 2025 and led by Laura D'Allaird — comprises roughly 30 attorneys and fraud specialists. Its stated focus is fraudulent cybersecurity disclosure by public issuers.

The SolarWinds litigation was dismissed by joint stipulation in November 2025. The disclosure-accuracy theory it established, however, remains the operative framework for enforcement scrutiny going forward.


Building a Defensible 2026 Disclosure: Practical Guidance for Boards and CISOs

Structure and Length

66% of S&P 100 companies organize Item 1C into two sections mirroring Item 106: risk management and strategy, and governance. The average disclosure across S&P 100 filings runs 980 words — roughly 1.5 pages. The range spans 368 to 2,023 words.

Aim for a length that addresses all four obligations substantively yet stays readable, without creating additional surface area for comment letters or litigation. A disclosure that reads like a technical security manual isn't a strength. It becomes a liability the moment any described control fails to function as claimed.

The Internal Consistency Requirement

This is where boards and CISOs most commonly underestimate their exposure. The 10-K disclosure must accurately reflect how cybersecurity risk is actually reported and governed internally.

Common mismatches that create problems:

  • Disclosing quarterly board reporting when reporting is actually ad hoc
  • Describing clear escalation thresholds when none have been defined and tested
  • Naming a CISO as responsible when the role is vacant or the person lacks the described authority
  • Claiming ERM integration when cybersecurity risk is siloed from the broader risk management process

The gap between what is disclosed and what actually happens is where SEC enforcement and securities litigation exposure concentrates. Independent validation of the disclosure against internal governance realities, completed before filing, is how boards close that gap.

Using the Disclosure Process as a Governance Health Check

The act of drafting Item 1C surfaces governance questions that boards should be able to answer clearly:

  • Who has authority to accept cybersecurity risk, and at what threshold?
  • Who declares incident severity and can authorize system shutdowns?
  • What reporting cadence actually exists — documented and recurring?
  • Does the CISO's expertise description match what the role requires?
  • Are cybersecurity risks visible to the audit committee before they become material?

If these questions don't have clean answers, the disclosure process has done its job. It's surfaced real governance gaps before they become public through a comment letter or an incident. Boards that find significant gaps during this process can engage a board advisor to establish documented governance before finalizing the filing.


Frequently Asked Questions

What are the four things Item 106 of Regulation S-K actually requires in a Form 10-K?

Item 106 requires: (1) a description of processes for assessing, identifying, and managing material cybersecurity risks; (2) whether those risks have materially affected or are reasonably likely to materially affect the registrant; (3) board oversight of cybersecurity risks and how the board is informed; and (4) management's role, expertise, and reporting process on cybersecurity risks.

How long should a company's cybersecurity disclosure in Item 1C be?

S&P 100 filings average 980 words (roughly 1.5 pages), ranging from 368 to 2,023 words. Length should be proportionate to the company's actual risk profile. Avoid both the placeholder paragraph and the overly detailed technical manual — the latter creates exposure if any described control doesn't perform as stated.

What has the SEC specifically criticized in its comment letters on Item 1C disclosures?

Four patterns: omitting Item 1C entirely, making inconsistent statements about third-party engagement, providing insufficient detail on individual management positions and their expertise, and failing to explain how cybersecurity risk processes connect to overall enterprise risk management.

Does the board need members with cybersecurity expertise to satisfy the governance disclosure requirements?

Item 106 does not require directors with cybersecurity expertise; the SEC dropped that proposal from the final rule. The rule does require a description of the board's actual oversight process. Note that ISS QualityScore separately evaluates director information security experience, which can affect governance ratings independently.

What happens if our 10-K cybersecurity disclosure doesn't match our internal security practices?

Disclosures that overstate cybersecurity practices — even in aspirational terms — can constitute a material misstatement under SEC enforcement theory. The SolarWinds case tested this directly; though ultimately dismissed, the legal theory remains intact. Inconsistencies between your filing and internal assessments create both SEC enforcement and securities litigation exposure.

What is the XBRL tagging requirement for Item 1C, and why does it matter?

Beginning with Form 10-K filings for fiscal years ending on or after December 15, 2024, companies must tag Item 1C using the SEC's Cybersecurity Disclosure (CYD) taxonomy within Inline XBRL. The taxonomy includes a required true/false flag on material impact. That single data point requires companies relying on vague or cross-referenced prose to take a definitive public position.