Controls & Evidence
SEC Cybersecurity Disclosure readiness evaluates your controls across multiple domains. For each domain, reviewers look for evidence that controls are designed properly and operating effectively. Below are the core control domains with minimum requirements and example evidence artifacts.
What reviewers look for: Reviewers don't just check that policies exist. They verify that controls are operating as described, that evidence is produced on schedule, and that gaps are tracked and remediated. The evidence examples below show what "operating effectiveness" looks like in practice.
Framework for determining whether a cybersecurity incident is material under SEC rules, including escalation triggers and documentation requirements.
Requirements
- Materiality analysis framework for cyber incidents
- Define 'material' in company context using quantitative and qualitative factors
- Incident escalation triggers tied to materiality thresholds
- Legal and financial impact assessment methodology
- Documentation trail for all materiality decisions
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| Materiality framework document | General Counsel | Annually reviewed |
| Escalation matrix with defined triggers | CISO | Annually reviewed |
| Incident-to-materiality decision logs | Incident Response Lead | Per incident |
| Quantitative and qualitative materiality threshold documentation | CFO | Annually reviewed |
Timely filing of Form 8-K Item 1.05 within four business days of materiality determination for cybersecurity incidents.
Requirements
- File Form 8-K within 4 business days of materiality determination, not discovery
- Describe nature, scope, and timing of the incident
- Describe material impact or reasonably likely material impact
- Apply national security or public safety exception for specific technical details when applicable
- Amendment process for evolving incidents via Form 8-K/A
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| 8-K filing templates with required disclosure fields | Corporate Secretary | Annually reviewed |
| Disclosure review and approval process documentation | General Counsel | Per incident |
| Legal review checklists for 8-K filings | Outside SEC Counsel | Per filing |
| 8-K/A amendment tracking log | Corporate Secretary | Per incident |
Annual disclosure of cybersecurity risk management processes, board oversight, and management expertise under Regulation S-K Item 106.
Requirements
- Describe processes for assessing, identifying, and managing material cybersecurity risks
- Describe board of directors' oversight of cybersecurity risk
- Describe management's role and expertise in cybersecurity
- Describe how cybersecurity risk management integrates into overall enterprise risk management
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| 10-K cybersecurity disclosure draft sections | Corporate Secretary | Annually |
| Annual review records and revision history | General Counsel | Annually |
| Cross-functional review sign-offs from security, legal, and finance | CISO | Annually |
Board-level cybersecurity risk oversight including committee responsibilities, briefing cadence, incident escalation, and director expertise.
Requirements
- Describe board committee(s) responsible for cybersecurity risk oversight
- Describe frequency and content of board cybersecurity briefings
- Describe how the board is informed about cybersecurity incidents
- Document board member expertise relevant to cybersecurity
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| Board committee charter with cybersecurity oversight mandate | Corporate Secretary | Annually reviewed |
| Board briefing schedule and agendas | CISO | Quarterly |
| Board meeting minutes documenting cybersecurity discussions | Corporate Secretary | Per meeting |
| Director expertise and qualification records | Nominating Committee | Annually updated |
Enterprise-level cybersecurity risk management processes, integration with overall ERM, and disclosure of whether cyber risks have materially affected the company.
Requirements
- Describe processes for assessing and managing material cybersecurity risks
- Describe whether and how cybersecurity risks have materially affected or are reasonably likely to affect the company
- Describe integration of cybersecurity risk management with overall enterprise risk management
- Describe use of third-party assessors, consultants, or auditors
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| Cybersecurity risk management framework documentation | CISO | Annually reviewed |
| Enterprise risk management integration documentation | Chief Risk Officer | Annually reviewed |
| Third-party assessment and penetration test reports | CISO | Annually |
| Risk register with cybersecurity entries and materiality ratings | Chief Risk Officer | Quarterly updated |
Oversight and identification of material cybersecurity risks arising from third-party service providers, including vendor assessment and monitoring.
Requirements
- Describe oversight and identification of material risks from third-party service providers
- Vendor cybersecurity risk assessment process
- Contractual security requirements for service providers
- Monitoring of third-party cybersecurity incidents
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| Vendor risk register with cybersecurity ratings | Vendor Management Lead | Quarterly updated |
| Third-party security assessment records and questionnaires | CISO | Annually per vendor |
| Contractual security provisions and SLA documentation | General Counsel | Per contract |
| Third-party incident monitoring and notification procedures | Security Operations | Continuous |
Incident response program capable of supporting the materiality determination and the four-business-day Form 8-K filing window that follows it, with defined roles, tabletop exercises, and disclosure coordination.
Requirements
- IR program capable of supporting the materiality determination and the four-business-day Form 8-K filing window that follows it
- Defined roles including CISO, legal counsel, IR team, and board liaison
- Tabletop exercises including SEC disclosure scenarios
- Coordination protocols between security, legal, and investor relations
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| Incident response plan with SEC disclosure procedures | CISO | Annually reviewed |
| Tabletop exercise results and after-action reports | IR Team Lead | Semi-annually |
| Materiality determination playbook | General Counsel | Annually reviewed |
| Communication templates for internal escalation and external disclosure | Investor Relations | Annually reviewed |
Management's cybersecurity expertise, CISO role and reporting structure, relevant certifications, and ongoing professional development.
Requirements
- Describe management's relevant cybersecurity expertise
- CISO or equivalent role with defined reporting structure
- Relevant certifications and professional experience documentation
- Ongoing cybersecurity education and training programs
Evidence Examples
| Artifact | Owner | Frequency |
| --- | --- | --- |
| Management cybersecurity bios and qualifications | Human Resources | Annually updated |
| CISO job description and organizational chart | CISO | Annually reviewed |
| Certification and continuing education records | Human Resources | Annually updated |
| Training completion logs for security leadership | CISO | Quarterly |
Evidence Naming Conventions
Organized, traceable evidence is critical for a smooth review. Adopting a consistent convention makes evidence retrieval faster and reduces friction.
Recommended format:
ControlID_System_ArtifactType_YYYY-MM-DD_Period_Owner_v#
Key principles for evidence management:
- Centralized repository with access control and version history
- Consistent naming across all control domains and artifact types
- Defined cadence for each evidence type: event-driven, monthly, quarterly, or annual
- Immutable exports where possible to demonstrate evidence integrity
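The following script is an added example, not part of this page or any vendor tooling. It enforces the naming convention above before an artifact is accepted into the evidence repository, and it emits a sha256sum-compatible manifest line so an exported artifact can later be shown to be unaltered (the "immutable exports" principle). The period vocabulary (Event, Monthly, Quarterly, Annual), the allowed characters per field, and every sample file name are assumptions constructed for the example.

```python
"""Validate evidence file names against
ControlID_System_ArtifactType_YYYY-MM-DD_Period_Owner_v#
and produce SHA-256 manifest lines for immutable exports.

Assumptions (not from the page): field character sets, the period
vocabulary below, and the constructed sample names.
"""
import hashlib
import re
from dataclasses import dataclass
from datetime import date

# Period tokens correspond to the cadences listed on the page; spellings are assumed.
PERIOD_TOKENS = {"Event", "Monthly", "Quarterly", "Annual"}

# One field per underscore-separated segment, so no field may contain '_'.
# An optional extension (.pdf, .xlsx, ...) may follow the version.
NAME_RE = re.compile(
    r"^(?P<control>[A-Za-z0-9.-]+)_(?P<system>[A-Za-z0-9.-]+)_(?P<artifact>[A-Za-z0-9-]+)_"
    r"(?P<date>\d{4}-\d{2}-\d{2})_(?P<period>[A-Za-z0-9-]+)_(?P<owner>[A-Za-z0-9-]+)_"
    r"v(?P<version>\d+)(?P<ext>\.[A-Za-z0-9]+)?$"
)


@dataclass(frozen=True)
class EvidenceName:
    control: str
    system: str
    artifact: str
    produced: date
    period: str
    owner: str
    version: int


def parse_evidence_name(name: str) -> EvidenceName:
    """Parse a file name; raise ValueError with a reviewer-readable reason."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(
            f"{name}: does not match ControlID_System_ArtifactType_YYYY-MM-DD_Period_Owner_v#"
        )
    try:
        produced = date.fromisoformat(m["date"])  # rejects 2024-02-30 and similar
    except ValueError:
        raise ValueError(f"{name}: date {m['date']} is not a real calendar date") from None
    if m["period"] not in PERIOD_TOKENS:
        raise ValueError(f"{name}: period {m['period']!r} not one of {sorted(PERIOD_TOKENS)}")
    version = int(m["version"])
    if version < 1:
        raise ValueError(f"{name}: version numbering starts at v1")
    return EvidenceName(
        m["control"], m["system"], m["artifact"], produced, m["period"], m["owner"], version
    )


def audit_names(names):
    """Return {name: reason} for every name that violates the convention."""
    problems = {}
    for n in names:
        try:
            parse_evidence_name(n)
        except ValueError as exc:
            problems[n] = str(exc)
    return problems


def manifest_line(name: str, content: bytes) -> str:
    """sha256sum-compatible manifest entry: '<hex digest>  <name>'.

    Stored alongside the export, the manifest lets a reviewer re-hash the
    artifact later and confirm it was not altered after collection.
    """
    return f"{hashlib.sha256(content).hexdigest()}  {name}"


# Constructed sample names: one conforming, three with typical defects.
SAMPLE_NAMES = [
    "INC-01_ServiceNow_DecisionLog_2024-03-15_Event_IRLead_v1.pdf",        # valid
    "GOV-02_BoardPortal_Minutes_2024-02-30_Quarterly_CorpSec_v1.pdf",      # impossible date
    "board minutes final.docx",                                            # no convention at all
    "TPR-03_Archer_VendorRegister_2024-06-30_Q2_VendorMgmt_v2.xlsx",       # period not in vocabulary
]

if __name__ == "__main__":
    for name, reason in audit_names(SAMPLE_NAMES).items():
        print("REJECT", reason)
    print(manifest_line(SAMPLE_NAMES[0], b"constructed artifact bytes"))
```

Run it over a directory listing before each collection cycle closes; anything in the rejected set is fixed at the source rather than renamed by the reviewer, so the name on disk, the manifest entry, and the evidence log all agree.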
AI and data companies: Standard controls are the baseline. See the AI-specific advisory modules for additional controls addressing data governance, prompt logging, RAG security, and model vendor risk.