The SEC's 2023 cyber rule did two things: it created the four-day incident 8-K (Item 1.05), and it added a new annual disclosure, Item 1C of Form 10-K, requiring companies to describe how they manage and govern cybersecurity risk. Fortinet's Form 10-K for fiscal 2023, filed February 26, 2024, is one of the first annual reports to carry it.

Item 1C is a different animal from a risk factor. A risk factor warns about the hypothetical; Item 1C asks for process — how the company identifies, assesses, and manages cyber risk, and how the board and management oversee it. Fortinet's filing still acknowledges the downside, warning that a future "cybersecurity incident... may have a material effect, including on our business strategy, operating results or financial" condition, but it does so inside a section now structured around governance, not just exposure.

For readers, the value of Item 1C is comparability. Because every covered company must now describe its cyber risk-management processes and board oversight in the same place each year, the sections can be read side by side. The forward-looking warning language survives, but it is bolted onto a standardized account of who is responsible and how.

A security vendor's Item 1C is of particular interest. Fortinet sells the tools other companies use to satisfy exactly this kind of governance expectation, so its own description of its processes is, in effect, the vendor showing its work. The materiality warning at the end is the residual risk-factor logic: even with strong processes, an incident could still be material.

EdgarBeast surfaced the filing from the SEC's record; the 10-K on sec.gov is the primary source. The transition this document represents is the main story: cyber disclosure has moved, for the first time, from scattered risk-factor language into a named, required, comparable section of the annual report.

Forward from this filing, expect Item 1C sections to become a standard read for assessing a vendor's security maturity — and for regulators to scrutinize the gap between what a company describes here and how it actually responds when an incident hits.