Item 1C, "Cybersecurity," is the section of the annual Form 10-K where a public company has to describe how it manages cyber risk as an ongoing program, not how it handled a single breach. It was created by the same SEC cybersecurity rule that added Item 1.05 to Form 8-K — Release No. 33-11216 — and it carries into the 10-K the disclosure requirements of Regulation S-K Item 106. Where Item 1.05 captures a discrete material incident within four business days of the materiality determination, Item 1C captures the company's risk-management apparatus and governance, on an annual cadence.

Regulation S-K Item 106 sets out what Item 1C must address. On risk management and strategy, the registrant describes its processes for assessing, identifying, and managing material risks from cybersecurity threats, and whether any risks from cybersecurity threats — including from prior incidents — have materially affected or are reasonably likely to materially affect the company's business strategy, results of operations, or financial condition. On governance, the rule requires the company to describe the board of directors' oversight of risks from cybersecurity threats and management's role in assessing and managing material risks from cybersecurity threats. Those two pillars — process and oversight — are the spine of every Item 1C section.

What a real Item 1C section says

Because the rule asks for a description of process and governance rather than a fill-in-the-blank form, the texture of an Item 1C section varies by filer. CrowdStrike Holdings, Inc. — itself a cybersecurity vendor — frames the section around an enterprise risk-management program. In its fiscal-2026 Form 10-K (filed March 5, 2026), the company writes:

"Our cybersecurity risk management program, which includes data privacy, product security, and information security, is designed to align with our industry's best practices. Our program provides a framework for identifying, monitoring, evaluating, and responding to cybersecurity threats and incidents, including those associated with our use of software, applications, services, and cloud infrastructure developed or provided by third-party vendors and service providers." — CrowdStrike Holdings, Inc. Form 10-K, Item 1C

The passage tracks what Item 106 asks for: it describes a process for identifying, monitoring, evaluating, and responding to threats, and it explicitly extends that process to third-party vendor and service-provider risk — the supply-chain dimension the rule directs registrants to address. The same section goes on to describe the steps for identifying the source of a threat, including whether it is associated with a third party, assessing severity and risk, and implementing countermeasures and remediation. That is the risk-management-and-strategy half of Item 1C. The governance half then describes who oversees the program — the board's role and management's role — completing the two pillars the rule requires.

How Item 1C relates to Item 1.05

The two disclosures are designed to work as a pair, and reading them together is how an investor gets the full cybersecurity picture of a company. Item 1.05 is the event lane: a material incident, disclosed in near-real time, describing the incident's nature, scope, timing, and impact. Item 1C is the program lane: filed annually, describing how the company is organized to prevent, detect, and respond to incidents, and whether cyber risk — including from past incidents — has materially affected or is reasonably likely to materially affect the business. A company that filed an Item 1.05 8-K during the year will often reflect the standing risk that incident represents in the next annual Item 1C, which is why the two filings are best read in sequence rather than in isolation.

The risk-management half of Item 106 is also specific about a dimension that recurs in modern breaches: third-party and supply-chain risk. The rule directs registrants to address risks associated with their use of third-party service providers, and the CrowdStrike disclosure does this explicitly, extending its identification-and-response framework to threats associated with software, applications, services, and cloud infrastructure provided by third-party vendors. For a reader assessing an Item 1C section, the presence or absence of that supply-chain dimension is a useful tell, because a description that only addresses internally hosted systems is describing a narrower program than the rule contemplates. The same goes for the rule's instruction to disclose whether risks from cybersecurity threats — including from prior incidents — have materially affected or are reasonably likely to materially affect the company; an Item 1C that is silent on prior-incident effects is leaving out something Item 106 asks for.

A note on what Item 1C does not do is also useful for reading it accurately. It is a description of process and governance, not a scorecard or a certification, and the rule does not prescribe a particular framework an organization must adopt. CrowdStrike's section, for instance, says its program is designed to align with industry best practices and describes a framework for identifying, monitoring, evaluating, and responding to threats — but the rule leaves the choice of methodology to the registrant. That means two compliant Item 1C sections can describe quite different programs. The disclosure's value is in forcing a company to state, on the record, how it manages cyber risk and who oversees it; comparing that stated program against the company's actual incident history — including any Item 1.05 filings — is where the section becomes analytically useful.

There is one more structural point worth noting about scope. Item 106's governance requirements — board oversight and management's role — apply on an annual basis to domestic registrants in the 10-K, and the rule extends parallel governance disclosure to foreign private issuers through Form 20-F. The incident-disclosure side reaches FPIs through Form 6-K. For the great majority of U.S.-listed companies, though, the operative annual cybersecurity disclosure is Item 1C of the 10-K, and the operative text defining what it must contain is Regulation S-K Item 106. To check whether a company's Item 1C does what the rule requires, read it against those two pillars — risk-management process and governance — and confirm each is described, not merely asserted. The primary source for the requirements is the final rule; the primary evidence of what a company disclosed is its own 10-K on sec.gov.