
Cybersecurity · Credibility 94/100 · 5 min read

Cybersecurity Governance Briefing — September 30, 2025

Zeph Tech reviews the SEC’s first full filing cycle under the 2023 cybersecurity disclosure rule, surfacing comment-letter themes and control evidence registrants need before FY2025 reporting.

Executive briefing: Public companies are closing their second Form 10-K cycle under the SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule (Release No. 33-11216). Comment letters posted through July 2025 show staff challenging vague incident materiality thresholds, board oversight narratives, and supply-chain discussions. Zeph Tech builds disclosure playbooks so CISOs can substantiate Item 1C statements before the FY2025 reporting rush.

Key industry signals

  • Comment-letter focus. EDGAR comment letters to large accelerated filers (e.g., CrowdStrike, Clorox) asked for quantitative impact ranges, recovery timelines, and clarification of board briefings for 2024 incidents.
  • Sample letter still driving reviews. The Division of Corporation Finance’s June 18, 2024 sample comment letter remains the blueprint staff cite when registrants omit materiality analysis or supplier dependencies.
  • Incident attestation. Enforcement staff reiterated at SEC Speaks 2025 that four-business-day Item 1.05 filings must describe remediation status and cross-reference any ransomware insurance recoveries.

Control alignment

  • SEC Regulation S-K Item 1C. Maintain evidence packets covering board reporting cadence, risk assessment outputs, and third-party assurance tied to security program statements.
  • NIST CSF 2.0 Govern and Recover. Map incident response metrics to the SEC’s disclosure expectations, ensuring tabletop exercises capture financial impact estimates and system availability timelines.

Detection and response priorities

  • Track Form 8-K Item 1.05 triggers centrally—material events should auto-generate disclosure drafts with forensic facts, business impact ranges, and mitigation status.
  • Review vendor questionnaires and SOC 2 reports for incidents that may require disclosure because of dependence on outsourced environments.

Enablement moves

  • Run cross-functional dry runs pairing legal, IR, and cyber teams to rehearse the four-day disclosure timeline using prior near-miss incidents.
  • Refresh board-level briefing templates so Item 1C discussions cite specific oversight sessions, escalation thresholds, and risk-owner accountability.

Sources

Zeph Tech builds disclosure readiness programs that tie incident telemetry, financial impact models, and governance evidence to SEC expectations—eliminating last-minute scrambles before Form 10-K filings.

  • SEC cybersecurity disclosure
  • Form 10-K
  • Incident response
  • Regulation S-K