Companies are gearing up to disclose emerging cyber risks in upcoming financial reports to the Trump administration’s SEC as rapidly evolving artificial intelligence spawns new threats.
While Securities and Exchange Commission Chairman Paul Atkins has shifted the agency away from Biden-era climate and environmental, social, and governance initiatives, lawyers still are bracing for the Wall Street regulator’s continued scrutiny of corporate cybersecurity as it stresses disclosure of material information that could affect investors’ decision-making.
Publicly-traded companies crafting their approach for SEC filings—from Form 10-K annual reports to breach disclosures—face a new challenge: providing specific details about cyber threats tied to AI in real time as they work to understand emerging tools’ risks. They’re also on high alert for how the SEC will tackle cyber enforcement after the agency in November dropped a case against business software firm
“It wasn’t a complete retreat, but through that action and some of the other actions that the SEC has taken, it seems like they’re taking a step back from being ‘cyber auditor,’ but not taking a step back from being the enforcer of accurate disclosures around cybersecurity,” said Ilona Cohen, chief legal and policy officer at HackerOne, a security solutions provider.
Ahead of March deadlines for many companies to file their 10-Ks, businesses will juggle spelling out new AI risks with the SEC’s emphasis on materiality. The agency on Jan. 13 called for recommendations on how corporate disclosures could be curtailed to focus on details reasonable investors deem important.
The SEC signals that “you have to get your house in order and understand these risks so that you can articulate them and talk about them if they are material to you,” said Frank Esposito, partner at Squire Patton Boggs who advises boards of directors and in-house legal teams on governance and securities issues.
The SEC declined to comment on what the agency is looking for from companies when reviewing disclosures related to AI and cybersecurity in 10-Ks covering 2025.
10-K Strategy
The use of AI is growing so ubiquitous that, for many companies, it’s worth considering SEC disclosure, said Michelle Reed, co-chair of Paul Hastings LLP’s data privacy and cybersecurity group. How they’re using it internally or leveraging it as part of their cyber defense shapes those details.
“There’s no question that that is a huge discussion point on every 10-K that we’ve done so far this year,” Reed said.
Cyber risks vary and can be discussed in several sections within 10-K filings, including risk factors and management’s discussion and analysis. In its 10-K, information technology company
The companies didn’t respond to requests to comment on their SEC filings.
Tailoring the disclosure to the specific company and the systems it uses will provide useful information for investors and mitigate the risk of comment letters from SEC staff seeking further information, according to Debevoise & Plimpton LLP corporate partner Eric Juergens.
“You could easily draft a risk factor or some disclosure that would apply to 95% of the companies out there—but that doesn’t really tell an investor all that much,” Juergens said.
Companies should also steer away from “AI washing,” a concern that businesses’ disclosures don’t actually match their use or risks, he added.
As companies enter the final stretch of 10-K preparation, Anthony Bonaguro, partner in Grant Thornton Advisors LLC’s CFO advisory services, said he expects to see some “waiting a bit” to file their reports closer to deadline to see how others are approaching disclosures.
Talking Cyber
While cybersecurity lawyers say they expect less aggressive enforcement from Atkins’ SEC, they still advise companies to be on watch for enforcement of accurate and timely disclosures of material cyber incidents, which companies are supposed to report in 8-K filings for material events. The SEC hasn’t rolled back Biden-era 2023 cyber incident disclosure rules, which aim to give investors timely disclosure of hacks.
Determining the materiality of cyber incidents as they unfold will be a core focus for companies this year.
A ransomware attack, for example, may not always be material depending on a company’s size, balance sheet, and ability to withstand it, Paul Hastings’ Reed said. This means businesses should be documenting how they assessed an incident’s materiality ahead of regulatory probes.
“The SEC will be focused on what I call and what many commentators call ‘bread-and-butter’ securities enforcement issues and a failure to disclose a material cyber incident entirely is always going to be seen as ‘bread-and-butter,’” said Haimavathi Marlier, co-chair of Morrison & Foerster LLP’s fintech and securities enforcement practices and former SEC senior trial counsel.
The agency formed the Cyber and Emerging Technologies Unit in February 2025 to ferret out cyber-related misconduct and monitor companies’ compliance with cyber regulations, among other priorities.
It’s unclear where the 2023 disclosure rules rank in the unit’s priorities. The group is leveraging its staff’s “substantial fintech and cyber-related experience” to combat fraud and protect investors, the SEC said when it formed the unit.
“Again another signal that they’re primarily focused on accurate disclosures,” HackerOne’s Cohen said of the new unit. “And I will be paying attention to what they’re up to and what their plans are.”