Fortinet (NASDAQ: FTNT) filed its 2025 annual 10-K on February 25, 2026, and its Item 1C cybersecurity section reads like a closed loop. It describes access controls “evaluated and improved through vulnerability assessments and cybersecurity threat intelligence,” feeding into “Incident Response and Recovery Planning” that the company says it has “established and maintain[s].”
The structure matters because it connects prevention to response. Many Item 1C sections describe defenses and response plans as separate paragraphs; Fortinet’s links them — vulnerability findings and threat intelligence flow into the controls, and a formal response-and-recovery function stands ready when those controls are tested. That feedback loop is the hallmark of a maturing program.
As a vendor whose own appliances have been targeted by attackers historically, Fortinet has reason to make its risk language concrete. Its earlier filings, including the fiscal-2022 10-K, warned about “any other actual or perceived data security incident, threat or vulnerability” touching its supply chains, systems, or customers — a broad framing that anticipated the supply-chain emphasis now standard across the sector.
For benchmarking other companies’ Item 1C disclosures, Fortinet’s is a strong template precisely because it names mechanisms — vulnerability assessments, threat intelligence, response-and-recovery planning — rather than gesturing at generic “industry-standard” controls. Specificity in an Item 1C section is a credibility signal; vagueness is the opposite.
The reader’s takeaway is to look for the loop. A disclosure that ties what a company learns (vulnerabilities, intelligence) to what it does (controls, response, recovery) describes a program that improves over time. Fortinet’s primary record is at sec.gov, surfaced via EdgarBeast, the SEC filing data API and evidence index. The strongest Item 1C sections don’t just list defenses — they show how the defenses get better.