Unpacking the first wave of Form 10-K cyber disclosures

What companies reported, what it means (so far) and next steps

Calendar year-end companies have made a significant effort to comply with the new SEC cybersecurity rules. The first wave of disclosures in Form 10-K has resulted in greater overall transparency on cybersecurity risk management, strategy and governance practices compared to disclosures in annual reports from previous years.

As expected, given the expanded disclosure requirements, nearly all companies disclosed more details on key components of cyber leadership and management roles, management strategy of third-party risk, board cyber risk oversight responsibilities and incident response protocols.

To help current and future filers enhance their understanding of how the disclosures can benefit their reporting and capabilities assessments, PwC conducted detailed research and analysis of an initial set of 10-K filings.

89% of companies included disclosures on response plan creation, execution and testing steps.

83% of companies specified how cyber risk is prioritized across the organization through training and awareness programs.

66% of companies revealed risk assessment standards and cybersecurity frameworks adopted.

Comparing cyber disclosures against capabilities

A new disclosure requirement in the 10-K is intended to provide investors transparency into the filer’s strategy and process for managing cybersecurity risks.

We previously highlighted the capabilities that should align with SEC disclosure requirements in the following PwC framework. These are core tenets of a cybersecurity program.

Figure: A PwC framework

Here’s what we’ve learned so far on how program disclosures of capabilities match up with our framework and recommendations.

Cyber risk management and strategy

Initial filings reveal that over 80% of companies included details on how cyber risk and enterprise-wide risk management are integrated. Organizations also disclosed risk assessment standards they have adopted, cybersecurity frameworks used, resilience efforts and how cybersecurity fits more broadly with enterprise-wide risk management (ERM) assessment processes.

Disclosure patterns we’re seeing:

  • Alignment with industry frameworks like the NIST cybersecurity framework (CSF) and ISO standards (including ISO 27001).
  • Documented security requirements (policies, standards, procedures).
  • How cybersecurity awareness and training programs (including frequency and types of training) are implemented.
  • Cross-functional coordination and collaboration efforts across departments.

What it all means

Filers are disclosing that they’re following leading cybersecurity standards and practices to guide their strategies, processes, technologies and controls.

10-K disclosures don’t require specific details on the implementation or effectiveness of these practices — or if there are areas of the standards that haven’t been fully implemented. However, cross-functional coordination, monitoring and reporting of risk management practices can help companies assess the state of their cyber program.

It’s critical that the effectiveness of outlined practices be tested and verified to uphold cyber resilience posture. These standards can not only drive a collective ability to quickly respond to cyber risks and threats, but also help programs stay current and keep investors informed.

Cyber incident reporting

When it comes to cyber resilience, the majority of filers have focused on and prioritized information about their recovery plans and the execution tactics used for incident response and recovery. This can include details on who oversees the incident response program.

Disclosure patterns we’re seeing:

  • Transparency on capabilities for investigating, containing and mitigating cyber events.
  • Collaboration with external partners to enhance cybersecurity measures.
  • Existence of response and recovery plans and playbooks.
  • Steps for conducting tests and recovery approaches.

What it all means

It’s not only important to design, create and assess incident response and recovery playbooks, but to test them to truly gauge effectiveness.

Filers are confirming that they’re not only testing but also evaluating their methods for tracking and reporting incidents — priorities we identified as baseline actions for reducing the impact of cybersecurity disruption and maintaining resilience.

Because threats and threat actor tactics change constantly, response and recovery plans need to evolve at the same pace. Regular testing through tabletop exercises, and updating the plans to account for changes in threat identification, containment and remediation steps, contribute to risk mitigation.

Cyber governance

Board oversight of cyber risk management remains critical. The disclosures are consistent with the trend observed in practice of the board, or a designated committee, taking an active role in overseeing the company’s management of cyber risks.

Disclosure patterns we’re seeing:

  • Full transparency of board or delegated committee oversight of cyber risks and programs.
  • The audit committee is the committee most frequently identified as responsible for oversight of cyber risks and programs.
  • Most filers revealed that the CISO (or relevant executive) provides periodic updates to the board, with 33% noting the specific cadence (e.g., monthly, quarterly, at least annually).
  • Only 8% of filers specifically noted that board members received upskilling through briefings or training conducted by internal and external experts as part of continuous education.

What it all means

The final SEC rule requires a description of the board’s oversight of cybersecurity risks in the 10-K, so seeing filers describe how the board or committee is involved isn’t surprising. However, the level of detail in certain disclosures did stand out, particularly how the board is educated and keeps up with cyber risks and trends.

As outlined in the PwC framework, a robust board reporting and oversight structure plays an important role in effective cyber risk management programs. Given the dynamic threat landscape, boards should continue to request updated insights and information from company management and outside parties.

Although disclosing board expertise details isn’t a specific requirement, board-level upskilling and awareness remain crucial parts of effective cyber risk governance, and insights into those activities are beneficial to investors.

Recommendations for future filers

The initial sample revealed reminders for future filers that they can apply (or confirm) depending on where they are in the filing cycle. Companies filing later ultimately disclosed more details about their cybersecurity programs, perhaps indicating a benefit from observing the types of responses in the disclosures from earlier filers and the chance to align closely with SEC elements.

It’s important for companies that haven’t filed yet to keep in mind that this is a reference point of disclosures so far. A more complete view of disclosures is still emerging after a full reporting cycle and potentially further SEC guidance. It’s also important to remember that this is not a static disclosure. As companies continue to modify their cyber risk management and governance practices, they should update their disclosures to reflect significant changes.

Establish a reporting baseline

As a general way to establish disclosure standards, especially when accounting for industry and sector similarities, the initial filings offer several examples of what to avoid:

  • Names of technology or cybersecurity vendors you’re working with
  • Selective disclosure of very specific security controls, tools, methods (e.g., firewalls, phishing, SSL) as opposed to disclosing systemic measures to address risk
  • Miscontextualized or misconstrued descriptions of foundational cybersecurity concepts that could lead to reviewer confusion over those concepts or suggest an immature security posture

Deliver complete and accurate program disclosures

As part of your disclosure controls and procedures, have processes in place to confirm the accuracy and completeness of disclosures, and to confirm that the disclosures do not include any inconsistencies due to:

  • False or misleading information
  • Intentional omission of information
  • Cherry-picked, out-of-context information or bias
  • Manipulation of statistics

Keep disclosures and internal practices consistent

It’s also important not to overrepresent current cyber risk resiliency and capabilities. In speeches and public statements, senior SEC officials have expressed concern over companies whose disclosures regarding risk management are inconsistent with messaging inside the organization.

Disclosures regarding cyber risk management and governance practices should be objectively verifiable, such that if the disclosures are subsequently challenged, a reasonable third party should arrive at the same conclusions.

Make sure you’re asking the right questions:

Bottom line

Earlier filers laid the groundwork for disclosures that registrants can more confidently benchmark with their peers. However, this is a consistent priority. All filers (current and future) should continue to reflect on the robustness of not only their disclosures but also their programs to determine any gaps as well as where enhanced transparency may benefit their stakeholders.

This cross-industry analysis of companies of different sizes is an ongoing effort and the first in a series of additional perspectives to come from PwC on 10-K cyber disclosures.


Research methods and objectives

This is an early-stage proof of concept covering over 200 filers that will scale up as additional registrants file. The analysis was initially conducted through automated crawling and ingestion of filings and the use of custom-developed prompts with PwC’s in-house generative AI model implementation.

These methods enabled us to efficiently parse filings against 100+ relevant data points based on PwC's SEC cyber disclosure readiness methodology — data points that are commonly sourced when supporting clients in their SEC cyber disclosure readiness efforts.
