Readiness Process

Sprint Timeline

The engagement follows structured phases, each building on the outputs of the previous one.

1. Intake (2–6 days)
  • NDA & stakeholder map
  • Document request
  • Scoping interviews
  • System boundary draft

2. Assessment (9 days)
  • TSC selection
  • Type 1/Type 2 recommendation
  • Control walkthroughs
  • Evidence sampling

3. Outputs (9 days)
  • Controls matrix & gap register
  • Policy/document backlog
  • Evidence calendar
  • Executive readout & roadmap

4. Follow-on (Variable)
  • Remediation implementation
  • Type 2 observation period

Phase Details

1. Intake & Scoping (Week 1)

We start by understanding your current disclosure practices and governance structure.

  • Current disclosure practices review — assess existing cybersecurity disclosures in prior 10-K and 8-K filings
  • Incident response process evaluation — understand current IR processes and how they connect to disclosure decisions
  • Board governance structure assessment — map current board oversight of cybersecurity risk, including committee structures
  • Materiality determination process review — evaluate whether a defined materiality process exists and how it functions

2. Assessment (Week 2–3)

We evaluate your disclosure readiness against SEC requirements and emerging best practices.

  • 8-K readiness evaluation — assess ability to determine materiality and file within 4 business days
  • 10-K disclosure gap analysis — compare current annual disclosures against SEC rule requirements
  • Board oversight documentation review — evaluate whether board cyber oversight is documented in disclosure-ready form
  • Management role and expertise assessment — assess how management’s cyber role and expertise are described and evidenced

3. Outputs (Week 3–4)

We deliver the artifacts that establish your SEC disclosure readiness.

  • Materiality determination framework — defined process with criteria, roles, escalation paths, and documentation requirements
  • 8-K filing procedures and templates — step-by-step procedures for incident-to-disclosure workflow
  • 10-K disclosure language drafts — ready-to-file language for risk management, strategy, and governance sections
  • Board briefing framework — structured format for ongoing board cyber risk reporting

4. Follow-on (Ongoing)

After the readiness sprint, ongoing activities keep your disclosure program current.

  • Incident-to-disclosure playbook maintenance — update procedures as incidents occur and SEC guidance evolves
  • Board reporting cadence — support regular board cybersecurity briefings aligned to disclosure requirements
  • Annual 10-K disclosure updates — refresh risk management and governance language for each filing cycle

Sprint Deliverables

Every readiness sprint produces these minimum deliverables:

  • Materiality determination framework
  • 8-K filing procedures and templates
  • 10-K disclosure language drafts
  • Board oversight documentation
  • Management role descriptions
  • Incident-to-disclosure playbook
  • Third-party risk disclosure support
  • Board briefing framework

Start Your Readiness Sprint

Most companies complete the readiness sprint in 3–4 weeks. The result is a clear, actionable disclosure framework aligned to SEC requirements.