Last summer, the U.S. Securities and Exchange Commission (SEC) adopted final rules requiring annual disclosure by public companies regarding cybersecurity risk management, strategy, and governance, and current disclosure about material cybersecurity incidents. Companies must comply with the annual disclosure requirements beginning with annual reports for fiscal years ending on or after December 15, 2023. Therefore, calendar year-end companies are subject to and have begun filing the new disclosures.

As a reminder, the final rules require domestic public companies to include the annual cybersecurity disclosures in new Item 1C of Part I of their annual reports on Form 10-K, and require foreign private issuers to include these disclosures in new Item 16K of annual reports on Form 20-F. For a detailed discussion of these new requirements, please see our Client Alert.

With year-end reporting for calendar-year companies in full swing, we wanted to check in on the new annual cybersecurity disclosures. We reviewed the cybersecurity disclosures in new Part I, Item 1C of Forms 10-K for 30 public companies in the Lonergan Silicon Valley 150 (SV150).^[1] The following are takeaways from the more detailed discussions set forth in this post.

• Board oversight. More than three-quarters of the companies that we reviewed disclose that the audit committee plays a key role in cybersecurity risk oversight. Two of the companies that we reviewed disclose that the nominating and governance committee has primary oversight of cybersecurity risks.     
• Management role. Approximately one-third of the companies that we reviewed disclose the existence of a management-level cybersecurity-specific committee. All of the companies that we reviewed disclose specific management positions responsible for managing cybersecurity risks and include the relevant expertise for at least one management position.
• Cybersecurity framework. Two-thirds of the companies that we reviewed refer to at least one cybersecurity framework, with the most common reference being to the NIST Cybersecurity Framework.
• Length of disclosure. The average length of disclosure, by word count, is approximately 962 words, which, generally, translates to just under two pages of disclosure. 

Board Oversight

The annual cybersecurity disclosure rules require companies to describe the board of directors’ oversight of risks from cybersecurity threats including, if applicable, identifying any board committee or subcommittee responsible for the oversight of risks from cybersecurity threats and describing the processes by which the board or the committee is informed about such risks.^[2] We reviewed the Form 10-K disclosures made by our sample set of SV150 companies to see whether the board retained primary oversight, or whether it delegated primary oversight to a board committee (and, if delegated to a board committee, which committee), of cybersecurity risks.

Of the 30 companies reviewed, 1) 19 companies disclose that the board has delegated primary oversight of cybersecurity risks to the audit committee, with an additional four companies disclosing that the board and audit committee share oversight of cybersecurity risks, 2) two companies disclose that the board has delegated primary oversight of cybersecurity risks to the nominating and governance committee, and 3) the remaining five companies disclose that the full board retains primary oversight of cybersecurity risks. None of the companies that we reviewed disclose the existence of a cybersecurity-specific board committee.

Management Role

The annual cybersecurity disclosure rules also require companies to describe management’s role in assessing and managing material risks from cybersecurity threats. Among other things, companies should address, as applicable, whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of such persons or members in such detail as necessary to fully describe the nature of the expertise.^[3] We reviewed the Form 10-K disclosures made by our sample set of SV150 companies to see whether there was a management-level cybersecurity-specific committee involved in the oversight of cybersecurity risks (i.e., other than an enterprise risk management committee that oversees a variety of other risks). Approximately one-third of the companies that we reviewed disclose the existence of a management-level, cybersecurity-specific committee.

In addition, we reviewed the relevant disclosures to see whether companies were disclosing specific management positions that were responsible for cybersecurity risks. The following data points are limited to only those management positions for which specific expertise was provided.^[4] The average number of management positions disclosed was approximately 1.7, with a range from one to four positions. Notably, just over half of the companies that we reviewed disclose one management position, with the Chief Information Security Officer, or CISO, being the most oft-cited management position (by 22 companies), followed by the Chief Information Officer, or CIO, cited by seven companies. Other than CISO and CIO positions, other management positions cited by companies include, as examples, chief legal officer, chief security officer, chief technology officer, or other vice president or chief-level positions within the company.  

Cybersecurity Framework

While the annual cybersecurity disclosures do not require reference to cybersecurity frameworks, we reviewed the disclosures of our sample set of SV150 companies to see whether companies were referencing specific cybersecurity frameworks and, if so, which frameworks were referenced. The following data points reflect references to cybersecurity frameworks, and not necessarily disclosure that the company adheres to, or is certified to, a particular framework (e.g., in some cases, the disclosure is that the company’s cybersecurity program or approach to managing cybersecurity risks is based upon, or utilizes aspects of, or is informed by, a particular framework). Two-thirds of the companies reference at least one cybersecurity framework, with the NIST Cybersecurity Framework cited by 16 companies and the International Organization for Standardization (ISO) (including, for example ISO 27001 and 27002) cited by 11 companies. Other frameworks that the companies reference include, among others, the Center for Internet Security, the Payment Card Industry Data Security Standard, HIPAA, and SOC 1 and SOC 2.

Length of Disclosure

Based on the sample set that we reviewed, the average word count for the new cybersecurity disclosure set forth in Form 10-K filings was approximately 962 words, with the shortest disclosure at 428 words and the longest disclosure at 1,421 words. Assuming approximately 500 words per page (single-spaced, 12-point font), the average word count would equate to just under two pages of text.

^[1] The Lonergan Silicon Valley 150 ranks the top 150 public companies with headquarters in Silicon Valley by annual sales. For more information on the methodology used to prepare the Lonergan Silicon Valley 150, please visit https://lonerganpartners.com/assets/pdfsdownloads/2023-LSV-150-Company-Ranking.pdf.

The 30 companies reviewed include 10 of the SV150 companies ranked 1 to 50, 10 of the SV150 companies ranked 51 to 100, and 10 of the SV150 companies ranked 101 to 150.

^[2] See Item 106(c)(1) of Regulation S-K.

^[3] See Item 106(c)(2)(i) of Regulation S-K.

^[4] Approximately two-thirds of the companies disclose other management-level positions including, for example, persons involved in enterprise risk management matters or persons to whom the cybersecurity-specific roles report (e.g., CEO, CFO, General Counsel).