SEC Filings Reveal Corporate Cyber Risks

TL;DR: The SEC now requires public companies to disclose their cybersecurity strategies, risks, and governance in annual 10-K filings. An analysis of the first wave of these reports from top S&P companies reveals how industry leaders are approaching and communicating their security posture.
Key facts
- Category: Cybersecurity
- Impact: High
- Published
- Source: CSO Online
Full summary
An analysis of new mandatory SEC filings reveals how top companies are reporting on their cybersecurity risk management, strategy, and governance.
In 2023, the SEC began requiring public companies to include a dedicated section on cybersecurity in their annual 10-K reports. These disclosures must detail the company's approach to risk management, its overall security strategy, and its governance structure. The first wave of these filings from top S&P companies is now public, providing an unprecedented look into how major corporations formally communicate their security posture to investors and regulators.
These new disclosures are significant for founders, CTOs, and security leaders because they establish a public benchmark for cybersecurity accountability. By analyzing these reports, companies can gain valuable insights into how their peers articulate security programs, manage risk, and integrate security into broader business objectives. The filings serve as a practical guide for assessing and improving a company's own security reporting and overall defensive posture, and they highlight the growing expectation that cybersecurity be treated as a core business function.
As more companies submit these filings, a clearer picture of industry-wide trends, standards, and best practices will emerge. This will likely influence future regulations, investor expectations, and the legal definition of 'reasonable' security. Businesses should anticipate increased scrutiny of their disclosed strategies and their ability to execute on them, particularly in the aftermath of any future security incidents.
Primary source: CSO Online