Annual cyber-risk governance disclosures and material-incident reports, tagged in Inline XBRL using the SEC's CYD taxonomy. No exemptions: every filer category is covered.
The SEC's 2023 rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure created two distinct disclosures, and both must now be tagged in Inline XBRL using the CYD taxonomy. Unlike pay-versus-performance, there are no exemptions: smaller reporting companies, emerging growth companies, and foreign private issuers are all covered.
Item 106 of Regulation S-K (10-K Part I, Item 1C; Form 20-F Item 16K) requires you to describe your processes for assessing, identifying and managing material cyber risks, whether you engage third parties, whether any threats or prior incidents have materially affected (or are reasonably likely to affect) the company, the board's oversight, and management's role and expertise. Tagging has been required since fiscal years ending on or after December 15, 2024, so it applies to every annual report filed now.
A material cybersecurity incident must be reported on Form 8-K, Item 1.05, within four business days of the materiality determination (not the incident date). The report describes the incident's nature, scope, and timing, and its material or reasonably likely impact, including on financial condition and results of operations. Tagging has been required since December 18, 2024, and applies to amendments (8-K/A) too. Voluntary disclosure of an immaterial incident goes under Item 8.01, which does not carry the CYD tagging mandate.
| You file… | CYD tags required |
|---|---|
| Form 10-K (every one) | Item 1C annual cybersecurity disclosure |
| Form 8-K, Item 1.05 (and 8-K/A) | Material cybersecurity incident disclosure |
| Form 20-F / Form 6-K (FPIs) | Item 16K annual disclosure / material incident reports |