We use generative AI to turn the first batch of 10-K filings describing cybersecurity into a model that can guide others in creating their own disclosure.

The SEC’s new rules on the disclosure of cybersecurity matters were finalized on July 26, 2023, and have been in effect since December 2023. Directors & Boards recently published a review of filings disclosing cyber incidents, which since December 18, 2023, must be reported in a Current Report on Form 8-K. This companion post draws on the vastly larger number of Annual Reports on Form 10-K that disclose cybersecurity risk management, strategy, and governance, a disclosure that is now required.

In a novel exercise, we enlisted generative AI trained on a large sampling of such Annual Reports to produce a template of the disclosures being made under the new regulations. While it is no substitute for a context-based tailored disclosure exercise, it is likely to be illuminating to those responsible for drafting and approving this disclosure. We first set forth the text of the rule before presenting the template.  

Regulation S-K § 229.106 (Item 106) Cybersecurity

(b) Risk management and strategy.

(1) Describe the registrant’s processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items: (i) Whether and how any such processes have been integrated into the registrant’s overall risk management system or processes; (ii) Whether the registrant engages assessors, consultants, auditors, or other third parties in connection with any such processes; and (iii) Whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.

(2) Describe whether any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the registrant, including its business strategy, results of operations, or financial condition and if so, how.

(c) Governance.

(1) Describe the board of directors’ oversight of risks from cybersecurity threats. If applicable, identify any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describe the processes by which the board or such committee is informed about such risks.

(2) Describe management’s role in assessing and managing the registrant’s material risks from cybersecurity threats. In providing such disclosure, a registrant should address, as applicable, the following non-exclusive list of disclosure items: (i) Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise; (ii) The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation, and remediation of cybersecurity incidents; and (iii) Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.

AI-Assisted Template to Organize and Evaluate Potential Disclosure

We have a [cybersecurity risk management program/strategy/process] designed to [identify, protect, detect, respond to and manage/identify, assess, and monitor material risks from cybersecurity threats/prevent, assess, identify, and manage material risks associated with cybersecurity threats]. [Our cybersecurity risk management program/strategy/process] is [integrated within/aligned to/part of] our [overall enterprise risk management system/risk management and strategy/governance and oversight] and [addresses/leverages/prioritizes] both the [corporate information technology environment and customer-facing products/enterprise security structure and system resilience/defense-in-depth risk management strategy]. We design and assess our [program/strategy/process] based on [the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF)/recognized best practices and standards for cybersecurity and information technology/industry and governmental standards and guidance]. [We also engage/contract with/use] [third-party services/providers/consultants] to [assess, test or otherwise assist with/perform evaluations of/conduct audits of] [aspects of our security controls/our security posture/our information security program].

We [regularly/periodically/annually] [assess/review/evaluate] [risks/threats/vulnerabilities] from cybersecurity and [monitor/test/update] our [information systems/security measures/incident response plan] for [potential/identified/emerging] [vulnerabilities/incidents/risks]. [We use various security tools/processes/methods] that help [prevent, identify, escalate, investigate, resolve and recover from/protect, detect, and respond to and manage/mitigate and remediate] [identified vulnerabilities and security incidents/cybersecurity threats and incidents/cyber-attacks and breaches] in a [timely and effective/rapid and coordinated] manner. [These include, but are not limited to,/Some examples of these are/Key elements of these are] [internal reporting, monitoring and detection tools, and a bug bounty program/a security team, a 24/7 security monitoring system, encryption of sensitive data, and multi-factor authentication options/data analytics, a Cybersecurity Operations Center, a third-party risk management program, and training and awareness programs].

[We have experienced, and are continually subject to, cyber-attacks/cybersecurity incidents in the normal course of our business/We face a number of cybersecurity risks in connection with our business]. [While these past cyber-attacks/incidents/risks] have not [materially affected or, in our belief, are reasonably likely to materially affect us/had a material impact on our service, systems or business/had a material adverse effect on our business, financial condition, results of operations, or cash flows], [future cybersecurity incidents and threats may materially affect us, including by affecting our business strategy, results of operations, or financial condition/we may not be successful in preventing or mitigating a cybersecurity incident that could have a material adverse effect on us/any significant disruption to our service or access to our systems could result in a loss of customers and adversely affect our business and results of operations]. [See “Risk Factors.”]

The [Board of Directors/Audit Committee/Classified Business and Security Committee] [oversees/is responsible for the oversight of] [risks from cybersecurity threats/our cybersecurity risk exposures and the steps taken by management to monitor and mitigate cybersecurity risks/the cybersecurity of classified programs and the security of our classified business supply chain]. [Senior leadership, including our Chief Information Security Officer (CISO), regularly briefs the Board of Directors/Audit Committee/Classified Business and Security Committee] on our [cybersecurity and information security posture/cybersecurity risk and receives regular reports from our VP of Security and Privacy Engineering on various cybersecurity matters, including risk assessments, mitigation strategies, areas of emerging risks, incidents and industry trends, and other areas of importance/progress on our cybersecurity strategic roadmap]. [The Board of Directors/Audit Committee/Classified Business and Security Committee] also [receives/reviews/approves] [an update on the Company’s risk management process and the risk trends related to cybersecurity at least annually/a report summarizing threat detection and mitigation plans, audits of internal controls, training and certification, and other cyber priorities and initiatives, as well as timely updates from senior leaders on material incidents relating to information systems security, including cybersecurity incidents/our Crisis Management Plan, which covers, among other things, potential cybersecurity incidents, data privacy and its compliance programs]. [To aid the Board of Directors/Audit Committee/Classified Business and Security Committee] with its cybersecurity and data privacy oversight responsibilities, the [Board of Directors/Audit Committee/Classified Business and Security Committee] periodically hosts experts for presentations on these topics.

[Our Chief Information Officer (CIO)/Our Cyber Security Director/Our Vice President of Security and Privacy Engineering] [is responsible for developing and implementing our information security program and reporting on cybersecurity matters to the Board/leads our global information security organization responsible for overseeing the Company’s cybersecurity team/manages and continually enhances a robust enterprise security structure with the ultimate goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience in an effort to minimize the business impact should an incident occur]. [Our Chief Information Officer (CIO)/Our Cyber Security Director/Our Vice President of Security and Privacy Engineering] has [extensive information technology and program management experience/over [xx] years of industry experience, including serving in similar roles leading and overseeing cybersecurity programs at other public companies/over a decade of experience leading cyber security oversight], and [others on our IT security team/our CISO/the cybersecurity team] have [cybersecurity experience or certifications, such as the Certified Information Systems Security Professional certification/broad experience and expertise, including in cybersecurity threat assessments and detection, mitigation technologies, cybersecurity training, incident response, cyber forensics, insider threats and regulatory compliance/decades of experience selecting, deploying, and operating cybersecurity technologies, initiatives, and processes around the world].

The [IT security team/cybersecurity team/security team] [provides regular reports to senior management and other relevant teams on various cybersecurity threats, assessments and findings/reports information about such risks to the board of directors or a committee or subcommittee of the board of directors/briefs the Audit Committee on the effectiveness of the Company’s cyber risk management program, typically on a quarterly basis]. The [IT security team/cybersecurity team/security team] also [monitors alerts and meets to discuss threat levels, trends and remediation/prepares a monthly cyber scorecard, regularly collects data on cybersecurity threats and risk areas, and conducts an annual risk assessment/has implemented a governance structure and processes to assess, identify, manage, and report cybersecurity risks].