FL Fredrik Lindstrom

Cyber Risk in the SEC 10-K Era — and What's Coming for AI

A 2017 analysis of cyber risk in 10-K filings — TJX, Target, Home Depot — combined with what changed under the SEC's 2023 cyber disclosure rule and a forecast of AI-specific 10-K disclosure within the next 18-24 months.


Hero — Cyber Risk in the SEC 10-K Era — and What's Coming for AI

Originally published as a two-part series July and August 2017. Combined and updated June 26, 2026.

In July 2017, I published an analysis of how three retailers — TJX, Target, and Home Depot — disclosed cyber risk in their SEC 10-K filings before, during, and after their major breaches. The pattern across all three was bracing: in two of the three cases, there was no mention of cyber risk in the 10-K filed the year before the breach. After each breach, the disclosures expanded — slowly, in some cases over multiple years — but always reactively.

The conclusion in 2017 was that this reactive pattern was a failure of risk transparency. Investors had no way to assess cyber exposure across companies they were considering investing in, because the companies themselves had not been required to provide that assessment in any standardized way.

Six years later, in July 2023, the SEC adopted the cyber disclosure rule that finally required structured reporting. Public companies now must disclose material cyber incidents within four business days, and must describe their cyber risk management, strategy, and governance — including board oversight — in annual filings. The structural prediction in the original 2017 series was correct. The timing was conservative. I expected this to land within 12 to 18 months. It took six years.

Now the same forcing function is applying to AI. The 10-K is the public document where shareholder-level risk is consolidated. It is also the document where AI risk is currently underdisclosed at scale. This piece walks through what the original 2017 analysis found, what the SEC’s 2023 rule actually changed, and what the next chapter of AI-specific 10-K disclosure looks like.

Section 1: What the 2017 analysis found

Any business operating today is vulnerable to a wide range of risks related to information protection. For privately owned businesses, this is perhaps not that great a problem, since it is up to the owner to determine the appropriate countermeasures. But for a public organization it is different. The organization is owned by shareholders — usually a large number of shareholders, many of whom do not have any direct contact with the leadership or board of directors outside of shareholder meetings.

To combat this, financial regulation agencies around the world have implemented disclosure reports that public organizations must file and make available to anyone, both current and prospective investors. In the United States that agency is the SEC, and the form they require each organization to file is the 10-K. The 10-K has four parts, and the most important sections for investors related to risk are in parts 1 and 2:

  • 1A — Risk Factors: A list of potential risks for the organization that could have an impact on financial results, and therefore the value of the investment.
  • 7 — Management Discussion and Analysis: Where management discusses why the organization performed the way it did. Usually a good place for insight into internal operational conditions.
  • 9A — Controls and Procedures: Internal controls put in place to prevent adverse outcomes — typically accounting controls and frameworks for those controls (COSO, or others).

Traditionally, the 10-K has disclosed a number of generic risks and organization-specific risks: currency fluctuations for multinationals, sourcing issues specific to the organization, and so on. All of these are tied directly to financial risk. But how many organizations report any of the risks associated with today’s connected enterprise?

To find out, I looked at three well-known retailers that had widely publicized breaches: Home Depot, Target, TJX. I looked at what each organization reported before the breach, and what changed after. For reference, the scope of each:

  • 2007 TJX — 45.6 million credit cards stolen — cost reportedly $256M
  • 2013 Target — 40 million credit cards stolen — cost reportedly close to $300M
  • 2014 Home Depot — 56 million credit cards stolen — cost reportedly $179M

TJX. The year before (2006): nothing about information security risk anywhere in the 10-K. The year of the breach (2007): TJX highlighted the breach, the legal proceedings, and that the business may be materially harmed by future breaches and reputational damage. The year after (2008): almost identical language, very few details. Three years after (2010): updated language saying the business could suffer material harm in business and reputational risk, and disclosing some information on what type of information they collect and store — a critical piece for evaluating information security risk.

Target. The year before (2012): Target highlighted that a significant disruption to their computer systems could affect operations. A true statement for any organization, but nothing specific about information security risk. The year of the breach (2013): Target highlighted the breach, investigations, litigation, and that future breaches could be costly. The year after (2014): pretty much the same as the year of the breach. Three years after (2016): significant reporting on technology-related risks, with specific mention of risks related to infrastructure, data, and privacy.

Home Depot. The year before (2013): some disclosure about information being stored and processed, plus risk to reputation and potential costs. Home Depot also stated that they implemented systems and processes to protect themselves, but provided no details. They continued with the point that system failures could affect customer-facing systems. The year of the breach (2014): added discussion of the breach itself, possibly material litigation impact, and substantial additional costs from potential future breaches. The year after (2015): almost the same language as the prior year, even in management discussion.

The summary across all three: a wide range of reported risk levels associated with information security, from nothing (TJX the year before the breach) to information about data collected and stored, general system failure risk, and so on. Clearly this range was a problem for investors, and it was symptomatic of IT in general — very low-level business integration. IT had to get better at this, including information security.

Section 2: What standardized cyber risk disclosure should look like

But what should an organization actually report in the 10-K for information security risk? It is easy to go straight to the tools that organizations are employing to protect themselves: firewalls, device encryption, having a CISO-led team, having processes in place. However, reporting on tools, people, and processes does not actually address the risks. It only reports that the organization is taking mitigating action.

The real question is what risks the organization is trying to mitigate. For an investor to understand the type of risks an organization is exposed to, the investor must know what type of information the organization is collecting, creating, and storing. Then the investor can assess high-level risk. Once you know what type of information, the next step is to report on the controls in place to limit exposure.

From an accounting perspective, this is usually done based on the COSO framework. The auditor of the financials of any public organization also audits the internal accounting controls. Therefore, investors can be reasonably certain that internal controls are in place to mitigate any major risk related to accounting practices, and that the 10-K is a good start for doing research.

The same cannot be said for information security risks or controls. There is no widely accepted standard or framework for how to approach information security in financial disclosures. There are some that are more popular than others — NIST 800-53, ISO 27001, CIS Critical Security Controls Top 20, and industry-specific standards like HIPAA, PCI DSS, and NERC CIP-011. But to achieve a reasonably fair level of understanding and to be able to compare between organizations, there needs to be a standard framework — at minimum per industry — that auditors can audit against.

One reason no single framework is used by everyone, I believe, is the lack of maturity in IT in general, and the lack of understanding by other business functions of the true financial implications. From a non-IT business function, IT is complicated, technical, and something to avoid. To make matters worse, most organizations have leaders with an MBA, and while an MBA gives a great overview of how a business functions, very few programs out there have anything on IT. This means that the leaders of large organizations have a basic understanding of every function except IT.

In my opinion, organizations should at the very least report the risks, and any compliance requirements based on the information they are collecting, creating, and storing (HIPAA, PCI DSS). The next step would be to start reporting on the information security program as a whole, against one standard or another. Even if standards differ from one organization to another, investors should know what the organization is doing to protect itself against material information security risks.

Personally, I would recommend an organization start with something simple like the CIS Critical Security Controls. Each control comes with a thorough metric companion, so it is easy to assess maturity. It would be great if organizations started reporting on their own, with their auditor, instead of waiting for a regulatory mandate. But perhaps that is too optimistic.

Section 3: What changed in 2023

The SEC’s final rule on cybersecurity risk management, strategy, governance, and incident disclosure took effect in December 2023. It did three things that the 2017 analysis argued for, in roughly the form the analysis argued for them.

First, mandatory current reporting of material cyber incidents. Form 8-K Item 1.05 requires disclosure within four business days of determining that a cyber incident is material. This eliminates the multi-quarter discretionary delay that companies had previously used. The “we’ll figure out how to talk about it in our next 10-K” approach is no longer available.

Second, mandatory annual disclosure of cyber risk management. Regulation S-K Item 106 requires public companies to describe their processes for assessing, identifying, and managing material cyber risks. This is the 10-K equivalent of what the 2017 analysis argued for — a structural framework requirement, audited (in spirit, if not always in technical accounting terms) by the same disclosure pipeline that handles every other material risk.

Third, mandatory disclosure of board oversight. Item 106 explicitly requires companies to describe the board’s role in cyber risk oversight, including which committee or committees handle it and how they receive information from management. The board oversight question — central to the 2017 framework discussion — is no longer optional.

The market response has been instructive. Disclosures in the first full year of compliance (2024 filings) varied widely in quality. Some companies provided substantive descriptions of their cyber programs, framework alignment (NIST CSF most commonly), and board oversight cadence. Others produced minimum-viable-disclosure language that signaled awareness without depth. The pattern is roughly the one observed in early Sarbanes-Oxley compliance: the early filings reveal which organizations have real programs and which are performing compliance.

The 2017 analysis recommended starting with CIS Critical Security Controls. In 2025 and 2026, NIST CSF has emerged as the default reference framework in 10-K disclosures, with CIS Controls and ISO 27001 as secondary references. The convergence point that the 2017 analysis predicted — a standard framework that auditors can audit against — has partially arrived. Not fully. But materially.

Section 4: What’s coming for AI

The same forcing function is now lining up for AI risk. Three things are happening simultaneously, each of which would individually be enough to drive disclosure regime change.

First, AI-related litigation is creating securities-law exposure. Plaintiffs have begun bringing claims that public companies misrepresented their AI capabilities, AI risk exposure, or actual revenue contribution from AI products. The wave of “AI washing” enforcement actions from the SEC — including settled actions against multiple investment advisers for misrepresenting their use of AI — established that AI-related statements are subject to standard securities-fraud analysis. Once that frame is established, pressure on 10-K disclosures follows.

Second, AI-specific risks are showing up in disclosed material incidents. The four-day clock for incident disclosure under the 2023 rule is now being tested by AI-related events: model failures, prompt-injection breaches, data leakage through agentic systems, biased outputs in customer-facing decisions. The boundary between “cybersecurity incident” and “AI failure” is blurry in many of these cases. Companies are increasingly disclosing them under the 8-K cyber framework, which means the disclosure standard is being established by the early-mover companies who handle their first AI incident in public.

Third, regulators outside the U.S. are forcing disclosure that flows back into U.S. filings. The EU AI Act requires risk management documentation, incident reporting to national authorities, and (for high-risk systems) registration in an EU database. Any U.S.-listed company with significant European AI deployment is now generating European disclosure that, in aggregate, becomes material to the 10-K. The Brussels effect on U.S. filings was visible with GDPR and is repeating with the AI Act.

Putting these three together, my forecast is straightforward. Within 18 to 24 months, the SEC will issue guidance — likely as a staff statement first, possibly as a rule second — on AI-specific risk disclosure in 10-K filings. The guidance will probably build on the existing Item 106 framework rather than create a new section, treating AI risk as a category within material technology risk. Public companies that have already established structured AI governance under the EU AI Act framework will absorb this with minimal incremental cost. Companies that are currently treating AI risk as an unmeasured surface will discover the gap during their next 10-K cycle.

The pattern here is identical to what the 2017 analysis traced through TJX, Target, and Home Depot. The minimum-viable disclosure year. The breach. The expanded disclosure year. The standardized framework that follows. The only difference is that for AI, the breach equivalent will not necessarily be a single high-profile incident — it will be the cumulative weight of incidents that were individually deniable but, in aggregate, were not.

Closing

Cyber risk disclosure took twelve years to get from the 2007 TJX breach to the 2023 SEC rule. The first five of those years were the breach cycle. The next five were the policy debate. The last two were the rulemaking.

AI risk disclosure does not have twelve years. The technology is moving faster, the regulatory infrastructure outside the U.S. is moving faster, and the litigation pressure is showing up earlier. The compressed timeline cuts both ways: organizations have less time to prepare, and the regulators have less time to get the rule right. Both of these are problems.

The action item from the original 2017 piece still applies, with the substitution that 2026 always demands. Organizations should report on the AI risks they are exposed to before they are required to. The companies that built cyber disclosure programs in 2018 — five years before the rule — were the ones whose 2024 filings looked credible on Day One. The companies that build AI disclosure programs in 2026 will be the ones whose 2028 filings look credible when the rule arrives.

After 25 years in cybersecurity, the pattern is unmistakable: the cost of building disclosure ahead of the regulator is always lower than the cost of rebuilding it under enforcement. AI is not an exception.