Compliance crosswalk · SEC
SEC Cybersecurity Disclosure Rule - email + domain controls, mapped to Wiredepth
Framework version: Reg S-K Item 106 + Form 8-K Item 1.05, effective FY 2024+ filings (compliance date 12/15/23 for larger filers)
Who this is for. US public companies (any reporting issuer under the '34 Act), foreign private issuers (Form 20-F filers face a parallel requirement), and smaller reporting companies (with a 180-day delayed compliance date for the 8-K piece). Issued July 26, 2023; in force for fiscal years ending on or after December 15, 2023.
Where email + domain controls fit. The rule has two operative parts. Item 106 requires annual disclosure of cyber risk-management processes, strategy, and governance. Item 1.05 of Form 8-K requires material-incident disclosure within 4 business days of materiality determination. Email-auth and domain-posture controls feed both: they're part of the risk-management process disclosed annually, and a phishing-derived compromise of customer or financial data is exactly the kind of incident the 8-K is meant to catch.
Clause-by-clause mapping
Each row maps a specific SEC requirement to the Wiredepth surface that addresses it. The clause ids are the framework's own naming - verify them against the official text. We use precise language: "addresses" (the tool directly satisfies the control), "supports" (the tool contributes evidence the auditor will need), and "evidence for" (the artifact is part of the attestation package).
| Clause | Requirement | Wiredepth response |
|---|---|---|
| S-K Item 106(b)(1)(i) (Monitoring) | Describe processes for assessing, identifying, and managing material risks from cybersecurity threats - including whether such processes have been integrated into the company's overall risk-management system. | Continuous monitoring tracks DMARC / SPF / DKIM / MTA-STS posture and is the kind of process described in this disclosure. A scorecard PDF makes the program legible to non-technical board readers. |
| S-K Item 106(b)(1)(ii) (Authentication) | Describe whether the company engages assessors, consultants, auditors, or other third parties in connection with such processes. | Wiredepth is a SaaS provider in the cybersecurity risk-management chain - cite-able in this disclosure as the source of continuous DMARC / posture monitoring + the third-party-vendor inventory. |
| S-K Item 106(b)(1)(iii) (Inventory) | Describe whether the company has processes to oversee and identify material risks from cybersecurity threats associated with use of any third-party service provider. | Vendor consolidation audit + vendor-scoring tool produce the third-party-risk evidence trail. Per-vendor blast-radius rating turns it into a quantifiable risk surface. |
| S-K Item 106(c) (Reporting) | Describe the board's oversight of risks from cybersecurity threats, including identifying which committee or subcommittee has oversight responsibility and the processes by which the board is informed. | Quarterly scorecard PDFs + posture-trend reports are the kind of artifact a board's risk or audit committee actually reads. Watermarked + timestamped for governance records. |
| Form 8-K Item 1.05 (Reporting) | Disclose any cybersecurity incident the registrant determines to be material, within 4 business days of the materiality determination. Include a description of the material aspects of the nature, scope, and timing. | DMARC-monitoring change events plus the auditor-verifiable audit log provide the timeline + evidence chain needed to support a materiality determination and the resulting 8-K narrative. |
| Item 106(b)(2) (Monitoring) | Describe whether any risks from cybersecurity threats - including as a result of any previous incidents - have materially affected or are reasonably likely to materially affect the registrant. | Posture change history + spoofability trending help substantiate the 'reasonably likely' assessment. A persistently F-graded posture is a defensible reason to disclose elevated likelihood. |
| Item 106 (general) (Authentication) | Disclosures must be in plain English and detailed enough to provide a clear understanding of the cybersecurity risk-management program to investors. | The composite grade + spoofability headline + 1-page scorecard format are designed for non-technical readers - investor-relations workable language without the SOC report depth. |
What auditors actually look at
What securities lawyers, CISOs, and internal-audit teams actually look at when preparing SEC-cyber disclosures:
- Documented risk-management process that an outside reader can map to Item 106. A quarterly scorecard cadence + continuous monitoring alerts produces this trail without bespoke spreadsheet-keeping.
- Materiality-determination trail. When something happens, the 8-K clock starts at materiality determination - not at discovery. A clear audit log of what was found when, and the basis for the determination, is the highest-leverage artifact.
- Board-level governance evidence. Item 106(c) is increasingly enforced. Board-deck materials referencing concrete posture metrics (the kind of thing a scorecard PDF supplies) beat narrative-only descriptions.
- Third-party-risk specificity. Item 106(b)(1)(iii) is the third-party prong. An actual inventory of authorized email vendors with risk-rated callouts is exactly what this asks for.
- Consistency across years. Annual 10-K disclosures + ongoing 8-Ks need to be consistent; a one-pager that's regenerated each quarter gives you a stable evidentiary basis even as the underlying technology changes.
- Avoid over-disclosure of vulnerabilities. Item 106(b)(2): the rule explicitly does not require disclosing details that would compromise security response. Aggregate posture metrics give you the right level of detail without operational specifics.
Generate an SEC-tagged evidence pack (Wiredepth Prove)
Prove subscribers can generate a ZIP of all five workpapers + an SEC README in one click. Single domain, single click, ready to file in your audit binder. See pricing at /pricing#prove ($499/mo standalone, bundled in Enterprise).
Disclaimer. This crosswalk is provided for informational purposes. It is not legal advice, audit guidance, or a substitute for engagement with a qualified assessor (QSA for PCI, accountant or QSA for SOC 2, lawyer for HIPAA / NIS2 / SEC). Framework clause ids and language may have been updated since publication; verify against the official text. Wiredepth does not guarantee compliance based on the use of any tool or page on this site.