Your Annual Report may be your Biggest Cybersecurity Risk.

Summary:

Public companies are now required to disclose their cyber risks and their Board of Directors (BOD) cybersecurity risk oversight in their Annual Reports (SEC Form 10-K).

These cybersecurity disclosures incur fiduciary / due diligence obligations.

Should any of these efforts be deemed insufficient by regulators or private litigants, the organization could face significant consequences (e.g. litigation).

These stipulations must be fully implemented throughout the organization’s policies, plans, procedures, training, exercises, technologies, etc. A recent (2025) US NIST mandate now also requires cybersecurity documentation such as the Cyber Incident Response Plan (CIRP) to be in alignment with these “strategic” (i.e. “material”) cyber risks.

Additionally, what you fail to disclose in your Annual Report may also have serious implications.

Detailed narrative:

In July of 2023, the SEC posted the following mandate:

“The new rules also add Regulation S-K Item 106, which will require registrants to describe their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents. Item 106 will also require registrants to describe the board of directors’ oversight of risks from cybersecurity threats and management’s role and expertise in assessing and managing material risks from cybersecurity threats. These disclosures will be required in a registrant’s annual report on Form 10-K.”

A more detailed narrative on this SEC requirement can be found at: SEC BOD Guidance for CISOs – McCarthy Cyber Readiness

These disclosures incur fiduciary obligations. The following is an Annual Report (10-K) disclosure discussing this very concern:

“We publish statements to our customers and members that describe how we handle and protect personal information. If federal or state regulatory authorities or private litigants consider any portion of these statements to be inaccurate, incomplete, or not fully implemented, we may be subject to claims of deceptive practices or other violation of law, which could lead to significant liabilities and consequences, including, without limitation, costs of responding to investigations, defending against litigation, settling claims and complying with regulatory or court orders.”

For those of us in the US, this requirement is also finding its way into OTHER cybersecurity-related mandates from the government.

NIST introduced an update last April (2025), SP 800-61 Revision 3, that established new standards for CIRPs.

A quick Google summary of the changes in 800-61 r3 revealed the following:

“[800-61] Revision 3 integrates incident response into broader cybersecurity risk management, emphasizing a strategic, ongoing, and business-aligned approach rather than a standalone technical lifecycle.”

I am asserting that “strategic” in the NIST/CIRP context aligns with the “material” in the SEC guidance from July of 2023.

More detailed information on these new CIRP requirements can be found at: Why the (US) NIST says your “Technical / Tactical” Cyber Incident Response Plan (CIRP) is now INSUFFICIENT…. – McCarthy Cyber Readiness

I can tell you, after over a decade of either writing management-level CIRPs or conducting management-level Tabletop exercises (TTX) for Dell Secureworks, all of which started with a review of the organization’s most recent 10-K cyber risk narrative (or, if they weren’t a public company, a risk narrative we developed internally), that you would be amazed at the following:

  1. The number of organizations that lack a thorough cyber risk narrative, whether in their 10-K, their ERM program, maybe GRC, or plain old tribal knowledge. Some of these gaps were “Business Extinction” risks. And this wasn’t me telling them, but rather the collective coming to their own conclusion. I averaged about 6-12 of these a year. On the other side of the coin are organizations that had a minimal narrative, typically just PII breach and Ransomware, but then you show them the 10-K from a peer organization and the discrepancy is obvious. Organizations that underrepresent their cyber risks in their Annual Reports may also be at risk.
  2. Regarding the “not fully implemented” comment highlighted above: very few (and I mean VERY FEW) organizations can show you how their specific risks have “trickled down” to the organization’s policies, plans or procedures. Furthermore, while IT/InfoSec typically struggles to master basic “blocking and tackling”, there is no clear linkage between the management team’s risk narrative and their actions. This was most alarming for organizations with either unknown or undocumented “business extinction” risks. I’ve helped clients develop SIEM correlation logic that was specifically aligned with their “Material” / “Business Extinction” cyber risks.
  3. The number of organizations with very old, technical/tactical/forensics-based CIRPs. Per the guidance discussed above, your CIRP is one of the most “tangible” documents you have. Your CIRP will need to explicitly address each of the cyber risks and obligations that you have discussed in your Annual Report.
  4. While this era is “raising the bar” for Board members relative to their cybersecurity expertise and responsibilities, it is also putting new strains on CISOs. This new era is going to require CISOs to learn a whole new set of skills beyond the tactical/technical, up to and potentially including “coaching” their Board members.

Please feel free to reach out to me if you have any questions or need any assistance.