There is a special interest in reading the Item 1C cybersecurity section of a company that sells cybersecurity. CrowdStrike's Form 10-K for fiscal 2024, filed March 7, 2024, opens that section by leaning into exactly that identity: "As a provider of cybersecurity solutions, we are passionate about" cybersecurity.

Item 1C, new under the SEC's 2023 rule, requires a company to describe its processes for identifying, assessing, and managing material cyber risk, and the board's and management's role in oversight. For a vendor whose product is risk management, the section is doubly self-referential: it is the company describing how it protects itself using, presumably, the same discipline it sells to others.

The framing is worth reading skeptically and constructively at once. Skeptically, because "passionate" is marketing language inside a regulatory section, and what matters is the substance of the described processes and oversight, not the adjective. Constructively, because a security vendor's Item 1C is a chance to see whether its internal practice matches its external pitch — the kind of comparison the standardized section now makes possible.

For readers, the practical use of any Item 1C is to look past the prose to the structure: who owns cyber risk, how often the board hears about it, whether there is a defined assessment process, and how third-party risk is handled. The 2023 rule's value is that it forces every covered filer to address those questions in the same place, every year.

EdgarBeast surfaced the filing from the SEC's full-text record; the 10-K on sec.gov is the primary source. As of this filing, the new disclosure is still young, and the most useful exercise is to compare the Item 1C sections of the major pure-play vendors — CrowdStrike, Fortinet, and their peers — to see how differently companies in the same business describe governing the same risk.

Looking ahead, the real test of any Item 1C is the day an incident forces an Item 1.05 filing. The annual section describes the process; the incident filing reveals whether it worked. As of this 10-K, CrowdStrike's process is described, not yet tested in a 1.05.