What does a company disclose about cybersecurity in Item 1C of the 10-K?
Cybersecurity is now a material business risk for nearly every public company. A data breach can result in regulatory fines, customer lawsuits, operational disruption, or reputational damage. For some companies, a cyber attack is an existential threat. Yet for decades, the SEC had no formal requirement for companies to disclose cybersecurity risks, incidents, or governance in their 10-K filings.
That changed in July 2023, when the SEC adopted new cybersecurity disclosure rules and added Item 1C to the 10-K. Item 1C requires public companies to disclose material cybersecurity risks, incidents they have experienced, and how the company's board and management oversee cybersecurity. The rule also requires companies to disclose material breaches or incidents within four business days on Form 8-K.
Item 1C is the first standardized cybersecurity reporting framework in US securities law. For investors and auditors, it creates a new data source for assessing operational risk. For companies, it creates new liability: boards must now document their cybersecurity oversight, and companies must disclose incidents they might have previously kept quiet.
This article explains what Item 1C is, what companies must disclose, how to read cybersecurity risk disclosures for signal about operational governance, and what the new rules reveal about the evolution of investor information rights.
Quick definition
Item 1C: Cybersecurity disclosures is the 10-K section requiring companies to describe material cybersecurity risks, any material cybersecurity incidents or breaches they experienced in the past fiscal year, and how the board of directors and management oversee cybersecurity strategy and governance. Material is defined as a breach that is reasonably likely to have material impact on the business, or a cybersecurity incident that is material to investors' assessment of the company's operations or governance.
Key takeaways
- This is new regulation (2023). Item 1C became effective for 10-K filings for fiscal years ending after December 15, 2023. Most companies disclosed Item 1C for the first time in early 2024. The rule is still young, and disclosure practices are still evolving.
- Materiality is the threshold. Companies do not have to disclose every security incident. Only material incidents require disclosure. Materiality is assessed as reasonably likely to result in material impact to the business, operations, or financial condition.
- Boards must have cybersecurity oversight. Item 1C requires companies to describe how the board (or a board committee) oversees cybersecurity. This creates pressure on companies to establish or document formal board-level cyber oversight, which most large companies now have.
- Incident disclosure is both mandatory and visible. If a company experiences a material breach, it must disclose on Form 8-K within four business days and in the next 10-K. There is no longer a way to hide material cyber incidents from investors.
- Disclosure practices vary widely. Because the rule is new, some companies disclose extensive detail while others minimize. Reading Item 1C across companies reveals very different governance maturity levels.
- Cyber insurance and incident response plans are relevant. Companies often disclose whether they maintain cyber insurance, have incident response plans, and conduct penetration testing or vulnerability assessments. These details signal governance maturity.
The origin of Item 1C and the SEC's cybersecurity rules
Cybersecurity regulation by the SEC did not emerge until 2023. For decades, cyber risk was considered operational but not material to investor disclosure. Companies were left to decide independently whether to disclose breaches or security incidents to investors. Some disclosed; many did not.
The catalyst for change came from several directions:
- Increasing sophistication of cyber attacks. Large-scale breaches at major companies (Target, Home Depot, Equifax, SolarWinds, Okta) showed that no company was immune. As attacks became more frequent and damaging, investors demanded better disclosure.
- Ransomware and operational disruption. Unlike early data breaches that were about stolen data, ransomware attacks began to disrupt operations. Investors realized cybersecurity was not just a privacy issue; it was a business continuity issue.
- ESG and governance questions. Institutional investors began asking whether companies had formal cybersecurity governance. Was cybersecurity on the board agenda? Who was accountable?
- European regulation. The EU's NIS Directive and other regulatory frameworks required cyber disclosures. US investors and regulators were losing ground in understanding cyber risk compared to global peers.
In March 2022, the SEC proposed Item 1C. The proposal drew comments from investors, companies, and security experts. The SEC heard that investors needed better information but also that companies were concerned about disclosing information that could be exploited by attackers. The SEC issued final rules in July 2023 with some accommodations: companies could sometimes describe cybersecurity threats in general terms without giving attackers a roadmap.
The rule created two disclosure obligations:
- Form 8-K disclosure: Material cybersecurity incidents must be disclosed within four business days of discovery.
- 10-K Item 1C disclosure: Companies must describe material cybersecurity risks, incidents from the past fiscal year, and their governance.
What companies must disclose in Item 1C
Material cybersecurity risks. Companies describe the types of cyber threats that could materially affect their business. Examples:
- Ransomware attacks that could disrupt operations or force payment of extortion money.
- Data breaches affecting customer information, intellectual property, or trade secrets.
- Supply-chain cyber attacks affecting critical vendors or infrastructure.
- Regulatory compliance impacts if customer data were compromised.
- Competitive or national security risks if proprietary information were stolen.
Companies typically describe risks in categories: external threat actors, insider threats, system vulnerabilities, third-party vendor risks, and regulatory or geopolitical risk.
Material cybersecurity incidents. Any material cyber incident that occurred during the fiscal year must be disclosed. Material means the incident is reasonably likely to have a material impact on the company's business, operations, or financial condition. Examples:
- A breach compromising customer data that triggers regulatory notification and remediation costs.
- A ransomware attack that disrupts operations or requires payment or remediation.
- Theft of intellectual property that could impact competitive position.
- Damage to critical infrastructure (network, cloud, supply chain) that affected operations.
Companies disclose:
- The nature of the incident,
- When it was discovered,
- What systems or data were affected,
- The impact (operational downtime, financial loss, notification costs, remediation costs),
- Whether law enforcement or regulators were notified, and
- Remediation steps taken.
Board and management oversight. Companies must describe:
- Board-level oversight: Does the board have a cyber committee? How often does the board receive updates on cybersecurity? Who is the board member responsible for cyber oversight?
- Management responsibilities: Who on the management team is responsible for cybersecurity? What is the role of the Chief Information Security Officer (CISO) or equivalent?
- Policies and processes: What policies does the company have for incident response? Does the company conduct penetration testing or vulnerability assessments? What is the process for identifying and prioritizing cyber risks?
- Third-party assessments: Does the company engage external security auditors? Does it maintain cyber insurance?
- Training and awareness: Does the company conduct employee training on cyber hygiene and phishing prevention?
[Diagram not reproduced here: the cybersecurity disclosure decision tree]
Real-world examples of Item 1C disclosures
Example 1: A healthcare company with patient data exposure. A health-tech company disclosed in Item 1C that it experienced a breach affecting a cloud database containing patient health information. The company discovered the breach within days, took the database offline, notified affected patients and regulators, and incurred $2 million in breach notification and remediation costs. In Item 1C, the company disclosed:
- The date of discovery and nature of the breach (unauthorized access to patient records),
- The population affected (2 million patients),
- The estimated financial impact ($2 million in costs, plus potential future claims),
- Regulatory notifications made to state attorneys general and HHS,
- Remediation steps (enhanced encryption, additional monitoring, third-party audit of security infrastructure).
The company also disclosed that its board's Audit Committee oversees cybersecurity, that it engages an external cyber auditor annually, and that it maintains cyber insurance with $10 million coverage.
Example 2: A manufacturing company with third-party vendor risk. A manufacturer disclosed in Item 1C that a ransomware attack affecting a critical supply-chain vendor disrupted the company's production for four days. The vendor was hit with ransomware; the vendor's network was encrypted. The manufacturer had to shut down operations while the vendor recovered. The company disclosed:
- The date and nature of the incident (third-party ransomware),
- The operational impact (production downtime, loss of 4 days of output),
- The estimated financial impact (lost revenue of $15 million),
- Remediation steps (working with the vendor on recovery, diversifying vendor relationships for critical inputs, implementing more rigorous vendor security assessments).
The company noted that while the incident affected the manufacturer, it was not directly targeted. The disclosure highlighted the company's supply-chain cyber risk, which investors had previously overlooked.
Example 3: A software company with "no material incidents." A large software company disclosed in Item 1C that it experienced no material cybersecurity incidents during the fiscal year. But it disclosed extensive cyber governance: a Chief Security Officer reporting to the CEO, a board Cyber Risk Committee with quarterly updates, annual penetration testing by external security firms, cyber training for all employees, and $25 million in cyber insurance. The company described the types of threats it faces (nation-state actors targeting its technology, customer data, and employees) and the controls it has in place to mitigate them.
The "no material incidents" disclosure, paired with strong governance disclosure, signals confidence in the company's cyber maturity to investors.
How Item 1C differs across industries
Financial services and payment processors. Banks, insurance companies, and payment networks face high-intensity cyber targeting. Item 1C disclosures in the financial sector tend to be detailed on governance and controls but more vague on specific incidents (to avoid giving attackers intelligence). Cyber insurance is ubiquitous and disclosed.
Healthcare. Healthcare companies face both criminal ransomware attacks (which disrupt operations) and data breaches (which expose patient information and trigger HIPAA notification). Item 1C in healthcare tends to mention patient data breach risk explicitly and discuss HIPAA compliance.
Technology and software. Tech companies face sophisticated actors (including nation-states) targeting their source code, intellectual property, and employee data. Item 1C disclosures highlight intellectual property protection, secure development practices, and insider threat detection.
Retail. Retail companies face payment-card data breach risk (PCI compliance) and customer personal information exposure. Item 1C disclosures highlight point-of-sale security and customer data protection.
Energy and utilities. Critical infrastructure companies face operational technology (OT) attack risk that could affect power grids or distribution systems. Item 1C disclosures emphasize industrial control system security and resilience.
Real estate and consumer discretionary. Smaller companies in these sectors often disclose less detailed cyber governance, reflecting lower cyber sophistication or lower breach risk. Item 1C disclosures might be minimal: "We maintain standard cybersecurity practices and have not experienced material incidents."
The materiality question: what must be disclosed?
Materiality is the hardest question in Item 1C interpretation. The SEC rule says companies must disclose material cybersecurity risks and incidents that are "reasonably likely" to have material impact on the business, operations, or financial condition. But what threshold triggers materiality?
The SEC provides guidance:
- Financial impact matters. If an incident results in direct financial loss, remediation costs, or fines that are material to the company's annual results, it is material and must be disclosed.
- Operational impact matters. If an incident disrupts operations, affects ability to serve customers, or impacts the company's ability to meet contractual obligations, it is material.
- Regulatory impact matters. If an incident triggers regulatory fines, license revocation, or compliance issues, it is material.
- Reputational impact matters. If an incident damages customer trust, affects brand value, or results in loss of customers, that is material.
In practice, companies vary widely. A $100,000 breach at a Fortune 500 company might not be material to the company's annual earnings (which might be $10 billion). The same $100,000 breach at a $100 million revenue company might be material.
The SEC has been aggressive about enforcing Item 1C compliance. In 2024, the SEC settled with companies it believed had failed to disclose material incidents on Form 8-K or understated incidents in Item 1C disclosures. The SEC's position: material is not just about dollars; it is about whether a reasonable investor would want to know about the incident before making an investment decision.
Reading between the lines in Item 1C
Detailed Item 1C disclosures signal several things:
Strong governance maturity. A company that discloses detailed cyber governance — named CISO, board committee with specific responsibilities, regular penetration testing, incident response plans — is signaling confidence in its cyber program. The company is not hiding; it is documenting and managing cyber risk systematically.
Transparency after an incident. A company that experienced a material incident and disclosed it promptly (within four business days on Form 8-K) and included it in Item 1C is signaling honest governance. The company is not trying to minimize or hide the incident.
Risk acknowledgment without incident. A company that describes significant cyber risks but discloses no material incidents in the fiscal year is asking investors to trust that the company's controls are effective. Read this together with the company's governance disclosure: do the controls described match the risks described?
Vague or minimal disclosure. A company that minimizes cyber disclosure, provides few details on governance or risks, or discloses no cyber activity at all might be signaling:
- Lower cyber risk (small company with limited digital assets),
- Lower maturity in cyber governance (company has not yet formalized cyber oversight),
- Intentional minimization (company is trying to avoid regulatory or investor scrutiny), or
- Conservative legal strategy (company's counsel is advising minimal disclosure to avoid liability).
The vague disclosure alone is not disqualifying, but it is a red flag for further investigation. Ask: Why does this company disclose so little about cyber? Is it because cyber is truly immaterial, or because the company has not yet developed governance around it?
The auditor's view of Item 1C
The auditor audits the 10-K and must assess whether Item 1C disclosures are accurate and complete. If the auditor is aware of a cybersecurity incident that the company failed to disclose in Item 1C, the auditor would flag this as a potential material misstatement of the 10-K.
The auditor typically:
- Reviews the company's cyber incident log and breach register,
- Asks management about any material incidents in the fiscal year,
- Reads any Form 8-K disclosures filed during the year,
- Reviews board minutes for discussion of cyber incidents,
- Assesses whether management's assessment of materiality is reasonable.
If the auditor disagrees with management's materiality assessment on a cyber incident, the auditor might:
- Insist the company disclose the incident, or
- Resign as auditor if management refuses, or
- Qualify the audit opinion (rare for Item 1C specifically, but possible).
In practice, auditors and management engage collaboratively on Item 1C. The auditor helps management understand what constitutes a material incident and what disclosure is required.
Form 8-K cyber disclosure and quarterly updates
Item 1C is part of the 10-K, but there is a parallel requirement: companies must file Form 8-K within four business days of discovering a material cybersecurity incident. The 8-K disclosure follows the same rules: material incidents must be disclosed, though companies can describe incidents in general terms if disclosure details would give attackers useful information.
Form 8-K cyber disclosures are filed on Item 1.05 (Other Events) or Item 8.01 (Other Events). They are material filings that can move stock price. After an 8-K cyber disclosure, investors and analysts immediately begin asking questions: How bad is the breach? Will there be financial impact? How long until remediation?
If a company files an 8-K disclosing a cyber incident in the fiscal year, you will see that incident also disclosed in Item 1C of the 10-K. Item 1C will include details: what was the ultimate financial impact? Was remediation completed? Did regulators get involved?
Common patterns in Item 1C disclosures
"We have not experienced material incidents." Many companies, especially those with strong governance, disclose no material incidents in the fiscal year. This is not unusual. It reflects either strong controls or a year without attacks, or both.
"We experienced one material incident [brief description] and have implemented additional controls." This is the standard incident disclosure: the company tells investors what happened, the impact, and what the company did to prevent recurrence.
"We face significant cyber risks from nation-state actors and competitors." Tech companies and defense contractors often disclose this. It acknowledges that the company is a high-value target.
"We maintain cyber insurance of $X million." This is common in companies with significant breach risk (healthcare, financial services, retail). The disclosure signals how much financial protection the company has.
"Our board receives quarterly updates from our Chief Information Security Officer." This is standard governance language that signals formal board oversight.
"We conduct annual penetration testing and maintain relationships with external security firms." This signals active vulnerability management.
Common mistakes when reading Item 1C
Mistake 1: Confusing "no material incidents" with "no incidents." A company that discloses no material incidents might have experienced small breaches, phishing attempts, or vulnerabilities. The company is saying none were large enough to be material. That is not unusual and not automatically a red flag.
Mistake 2: Assuming vague disclosure means the company is hiding something. Sometimes vague disclosure reflects legal strategy: the company does not want to give attackers a detailed roadmap of its vulnerabilities. This is defensible. But it can also reflect a company trying to minimize disclosure. Context matters.
Mistake 3: Overweighting a single cyber incident in valuation. A company experienced a ransomware attack that cost $10 million to remediate. That is material and must be disclosed. But for a $10 billion revenue company, $10 million is 0.1 percent of revenue. The incident is material for disclosure but might not be material to the investment thesis. Read Item 1C in context of the company's size and materiality threshold.
Mistake 4: Failing to cross-reference Item 1C with other disclosures. If a company discloses a cyber incident in Item 1C, check whether there is also a related reserve or loss accrual in the financial statements (Note to Item 8, Balance Sheet, or Risk Factors). The financial and narrative disclosures should align.
Mistake 5: Not reading the Form 8-K cyber disclosure if there was one during the year. Form 8-K is more timely than the 10-K. If a company filed an 8-K disclosing an incident in March, the full details will appear in the 10-K Item 1C filed in March of the next year. The 8-K is the first public notice; the 10-K is the full story.
Mistake 6: Treating Item 1C as the only cyber risk signal. Cyber risk also shows up in Item 1A (Risk Factors), which typically includes a paragraph on cybersecurity risks. Read both Item 1A and Item 1C together.
Frequently asked questions
Q: If a company experiences a cyber incident in January, when must it disclose it?
A: Within four business days on Form 8-K. If the incident is material, it is filed immediately. Then, when the company files its 10-K (usually in late February or early March for a December 31 fiscal year), Item 1C includes full details of the incident.
Q: Can a company say "we experienced an incident but cannot disclose details due to ongoing investigation"?
A: Yes, this is allowed if the incident is material but details cannot be disclosed without giving attackers useful information. The 8-K or Item 1C would say: "We experienced a material cybersecurity incident on [date]. Disclosure of specific technical details is limited to avoid revealing vulnerabilities that could be exploited." The company must disclose the date, nature, and estimated impact, but can be vague on technical details.
Q: If a company settles a cyber incident claim (like a class-action lawsuit over a breach), is that disclosed in Item 1C?
A: The settlement itself is usually a contingent liability or subsequent event (Item 1 of the 10-K or Note to the financial statements). Item 1C should reference the underlying incident that led to the settlement. If the settlement was material, the company should disclose it in Item 1C as part of describing the incident's impact.
Q: How does cyber insurance affect Item 1C disclosure?
A: Cyber insurance is disclosed in Item 1C as part of the company's risk mitigation strategy. The company might disclose: "We maintain cyber insurance with $X million in coverage for breach costs." The insurance does not eliminate the need for disclosure (the breach is still material), but it does limit the company's out-of-pocket impact. If a $20 million breach is fully covered by insurance, the company might note that in Item 1C.
Q: Can Item 1C disclosure be used against the company in a lawsuit?
A: Potentially. A cyber incident disclosed in Item 1C could be cited in shareholder lawsuits (if the company failed to disclose timely on 8-K) or in breach notification lawsuits (if customers claim the company was negligent). The disclosure is truthful and required, but it is not an escape from liability for negligence or breach of duty.
Q: If a company has "no material cybersecurity incidents," does that mean it is a bad cyber investment or a good one?
A: Neither, necessarily. No incidents means controls are working or the company has not yet been attacked. Strong governance disclosure (CISO, board oversight, penetration testing) suggests the controls are actually working. Weak governance disclosure with no incidents might just mean the company has not been tested yet. Context matters.
Q: Is Item 1C disclosure the same globally, or do international companies disclose differently?
A: US companies are required to follow the SEC's Item 1C rules for their US filings. International companies that cross-list in the US (and file 20-F instead of 10-K) have parallel cybersecurity disclosure requirements on the 20-F. The rules are substantively similar, though non-US jurisdictions may have different materiality thresholds or different incident notification timelines.
Related concepts
Form 8-K Item 1.05 cyber disclosure. The four-business-day incident disclosure required for material incidents.
Item 1A: Risk Factors. Where companies describe cybersecurity risks in the context of a broader risk narrative.
Item 9A: Internal controls and procedures. Where companies disclose material weaknesses or significant deficiencies in controls, which might include cyber controls.
Cyber insurance and risk transfer. The company's insurance coverage for breach costs, cyber extortion, and notification expenses.
Incident response planning and business continuity. The company's procedures for responding to cyber incidents and resuming operations.
Third-party risk management. Companies disclose their processes for assessing and managing vendor/supplier cyber risk.
Penetration testing and vulnerability assessment. External and internal assessments of the company's defenses against cyber attack.
Summary
Item 1C requires companies to disclose material cybersecurity risks, incidents, and governance in their 10-K. The rule, effective for fiscal years ending after December 15, 2023, created the first standardized framework for cyber risk disclosure in US securities law.
Item 1C disclosures are just beginning to mature. Some companies disclose extensive detail on governance and risk; others remain minimal. As an investor reading Item 1C, you should:
- Note the presence or absence of governance detail. A named CISO, board committee, and formal incident response plan signal cyber maturity. Vague or minimal disclosure might signal weak governance or intentional minimization.
- Read material incidents in full context. A material breach or ransomware attack is a real risk to the company. But evaluate it in context of the company's size, the financial impact, and remediation steps.
- Cross-reference with Form 8-K. If a material incident occurred in the fiscal year, it was filed on 8-K first (within four business days) and appears in Item 1C with additional detail.
- Assess whether disclosed controls match disclosed risks. If Item 1C describes significant cyber risks, does the governance disclosure suggest adequate controls to mitigate them?
- Compare Item 1C across competitors. Reading Item 1C at multiple companies in an industry reveals which are mature on cyber governance and which are lagging.
Item 1C is a new but crucial piece of the investor information set. It brings cyber risk — previously opaque to public investors — into the mandatory disclosure framework.
Next
In the next article, we examine Item 2 of the 10-K, which describes the company's properties and physical asset base.
→ Item 2: Properties