SEC Cybersecurity Disclosure
SEC cyber disclosure: prove your controls before the 10-K.
SEC rules require annual disclosure of cybersecurity risk management, strategy, and governance in your 10-K filing. Auditors want proof your change management controls actually work. MergeWhy provides that proof automatically.
R.R. Donnelley paid $2.1M to resolve an SEC investigation into disclosure controls. Don't be next.
5,172 listed companies
$2.1M penalty precedent
8 controls mapped
10-K ready year-round
Capabilities
Built for public company security leaders.
10-K Item 106 Evidence
Documented cybersecurity risk management processes for your annual filing. Continuous evidence collection means your disclosure is backed by data, not narratives written the week before filing.
Board Governance Documentation
Evidence of board oversight of cybersecurity controls. Compliance trend reports, risk dashboards, and evidence summaries formatted for board-level presentations.
Change Control Verification
Prove to auditors that code changes follow documented procedures. Every pull request generates a Decision Evidence Record with approvals, reviews, and test results.
Materiality Assessment Support
Evidence trail for determining whether cyber incidents are material. Immutable records of system changes help establish timelines and scope during incident analysis.
Risk Management Process Proof
Automated documentation of how your team manages cyber risk in the SDLC. Evidence that vulnerabilities are identified, reviewed, and remediated through controlled processes.
Continuous Disclosure Readiness
Always-current evidence means no scramble before the 10-K filing deadline. Your cybersecurity disclosure is backed by a complete, sealed audit trail year-round.
How It Works
Three steps to audit-ready evidence.
Install the GitHub App
Connect your repositories in under 2 minutes. MergeWhy begins capturing change management evidence from your very first PR.
Merge as usual
Developers change nothing about their workflow. Every merge generates a Decision Evidence Record with approvals, reviews, and test results.
Export for your auditor
Generate compliance bundles for annual 10-K disclosure. Evidence sealed with SHA-256 for integrity verification during audit review.
Coverage
SEC disclosure requirements covered.
Reg S-K Item 106(b): Risk management & strategy. Describe processes for assessing, identifying, and managing material cybersecurity risks.
Reg S-K Item 106(c): Governance disclosure. Board oversight of cybersecurity risk and management role in assessing and managing risk.
Form 8-K Item 1.05: Incident disclosure. Material cybersecurity incident reporting within four business days of determination.
Regulation S-P: Customer data protection. Safeguards for customer information including incident response programs and notification.
Get Started
Your 10-K cybersecurity disclosure, backed by evidence, not narratives.
See how MergeWhy provides continuous cybersecurity control evidence for SEC disclosure. Free for your first repository.