Navigating Cybersecurity Disclosures: Key Concerns for 2025

Cybersecurity risks and regulatory demands are intensifying with the SEC driving greater transparency. As public companies prepare for 2025 reporting, audit committees, CFOs, and CAOs must ensure compliance and accuracy amid evolving expectations.

2024 Trends in Cybersecurity Disclosures

Analysis of 2024 Form 10-K filings from S&P 100 and Fortune 500 companies reveals key trends:

Enhanced Detail: Companies provided more specifics on cyber leadership, third-party risk management, board oversight, and incident response.

Board Oversight: Most delegate cybersecurity oversight to audit committees, with full boards retaining enterprise-wide responsibility.

Management Roles: Chief Information Security Officers (CISOs) primarily manage cyber risks.

Framework Use: The NIST Cybersecurity Framework is widely adopted.

Third-Party Risk: All companies disclose processes to manage vendor-related risks.

Varied Approaches: Disclosures vary, reflecting tailored cybersecurity programs.

XBRL Tagging: For annual reports covering fiscal years ending on or after December 15, 2024 (i.e., Form 10-Ks filed in 2025), Item 106 of Regulation S-K disclosures must be tagged in Inline XBRL using the SEC's Cybersecurity Disclosure (CYD) taxonomy, with narrative disclosures block-tagged and any quantitative amounts detail-tagged.

Audit Committee Concerns for 2025

Audit committees are pivotal in integrating cybersecurity with financial reporting. Key focus areas include:

Robust Oversight: Document and follow clear processes for board updates on cyber risks.

Management Expertise: Verify the qualifications, including certifications and experience, of personnel managing cybersecurity.

Third-Party Risks: Scrutinize vendor risk management to mitigate material exposures.

Disclosure Accuracy: Ensure disclosures describe controls and processes the company actually operates, and that each statement can be traced to evidence (policies, board minutes, assessment reports); describing a program more mature than the one in place is the pattern behind recent enforcement for misleading statements.

XBRL Preparedness: Confirm systems are ready for accurate Item 106 tagging to meet 2025 requirements.

CFO and CAO Concerns for 2025

CFOs and CAOs face financial and compliance challenges tied to cybersecurity. Priorities include:

Materiality Assessments: Assess the materiality of cyber incidents using both quantitative (financial) and qualitative factors, such as reputational harm and operational disruption, consider related incidents in the aggregate, cover both historical and forward-looking impacts, and document the determination promptly so reporting is accurate and defensible.

Disclosure Controls: Implement robust processes to ensure timely and complete cybersecurity disclosures.

Form 8-K Filings: Item 1.05 requires disclosure of a material cybersecurity incident within four business days of determining that the incident is material (not of discovering it), and that determination must be made without unreasonable delay. The requirement has been effective for most registrants since December 18, 2023; smaller reporting companies have been subject to it since June 15, 2024.

SEC Scrutiny: Be prepared to respond to SEC comment letters on cybersecurity disclosures and to withstand enforcement review; in 2024 the SEC imposed penalties of up to $4 million on companies whose disclosures understated known intrusions.

Looking Ahead

The SEC’s focus on cybersecurity disclosures continues in 2025, with potential for stricter enforcement and new guidance. Companies must foster collaboration among cybersecurity, legal, and finance teams, regularly assess internal controls, and refine disclosures to stay compliant. Proactive governance is essential to navigate this complex landscape.
