We use generative AI to turn the first batch of 10-K filings describing cybersecurity into a model that can guide others in creating their own disclosure.

The SEC’s new rules on the disclosure of cybersecurity matters were finalized on July 26, 2023, and in effect since December 2023. Directors & Boards recently published a review of filings disclosing cyber incidents, required since December 18, 2023, to be reported in a Current Report on Form 8-K. This companion post draws on the vastly larger number of filings of Annual Reports on Form 10-K disclosing cybersecurity management, strategy and governance, that is now required. 

In a novel exercise, we enlisted generative AI trained on a large sampling of such Annual Reports to produce a template of the disclosures being made under the new regulations. While it is no substitute for a context-based tailored disclosure exercise, it is likely to be illuminating to those responsible for drafting and approving this disclosure. We first set forth the text of the rule before presenting the template.  Read more >>