Item 106 / Item 1.05 Every disclosure, on every engagement — verified, not assumed

The most rigorous Item 106 disclosure production line an SEC-reporting company can use.

The SEC Cybersecurity Disclosure & Materiality Desk assembles a documentation-complete annual Item 106 disclosure and incident materiality war-room — every required element, every peer benchmark, every say-do gap check, and the outside securities counsel review chain — checked against the SEC's rules and enforcement precedent before a specialist releases it.

Every element of Item 106 and Item 1.05Peer-disclosure benchmarking & say-do gap detectionOutside securities counsel review on every fileSpecialist release on every engagement5-business-day SLA for annual disclosure
Why disclosures fail

A single gap can trigger an SEC penalty.

Every SEC-reporting company must describe its cybersecurity risk management and board oversight annually in Item 106 of Regulation S-K, and disclose material incidents within four business days under Item 1.05 of Form 8-K. The SEC has already fined issuers a combined multi-million-dollar sum — Unisys alone paid $4 million, R.R. Donnelley paid $2.125 million — for cyber-disclosure and disclosure-controls failures.

Most companies produce this disclosure using expensive law-firm hours, Big-Four advisory engagements, or general-purpose virtual CISO retainers that cover security operations broadly but are not built to produce a defensible, peer-benchmarked, gap-checked annual filing. The result: boilerplate language, say-do gaps, and exposure to enforcement.

The SEC Cybersecurity Disclosure & Materiality Desk exists to close that gap with a single, exhaustive standard applied identically to every engagement.

$6M+
in SEC penalties for cyber-disclosure failures in the rule's first two years
The benchmark

Measured against the SEC's rules and enforcement precedent — subsection by subsection.

We do not summarize the rules and hope. Every engagement is scored against a versioned rule pack tied to the exact text of Item 106 of Regulation S-K and Item 1.05 of Form 8-K, plus SEC enforcement actions and staff guidance. These are the provisions each engagement is held to.

Item 106(b)

Risk management & strategy

Description of processes for assessing, identifying, and managing material cybersecurity risks, including integration into overall risk management, and whether risks from third-party service providers are considered.

Item 106(c)

Board oversight & management role

Description of board's oversight of cybersecurity risks and management's role in assessing and managing material risks, including relevant expertise and reporting structure.

Item 1.05(a)

Material incident disclosure

Disclosure of material cybersecurity incidents within four business days of materiality determination, including nature, scope, timing, and material impact or reasonably likely material impact.

Item 1.05(b)

Incident updates

Obligation to amend or update Item 1.05 disclosures if previously undisclosed material information becomes known or if the company's assessment of material impact changes.

Say-do gap detection

Consistency check

Comparison of disclosed practices against actual cybersecurity program documentation, prior disclosures, and peer benchmarks to identify and remediate inconsistencies that could attract SEC scrutiny.

Enforcement precedent

Penalty avoidance

Review of SEC enforcement actions (Unisys, R.R. Donnelley, etc.) to ensure disclosure language avoids patterns that have resulted in penalties, including boilerplate language and inadequate disclosure controls.

How an engagement is built

Intake to specialist release, with deterministic gates the AI cannot overrule.

AI extracts and drafts. Deterministic rules — running as code, outside the model — decide what is complete. A human specialist signs every release. Outside securities counsel makes every materiality and disclosure-content judgment. That order is never reversed.

01

Gap Scan

Upload your prior-year 10-K, current cybersecurity program documentation, and incident history. We return a free completeness read: which Item 106 elements and benchmarks you already have, and which are missing.

02

Fact intake & peer benchmarking

As your authorized clerical agent, we gather facts about your cybersecurity program, benchmark disclosure language against peer 10-Ks and SEC-flagged deficiencies, and build a say-do gap analysis.

03

Grounded drafting

The Item 106 disclosure is drafted from your validated data and the SEC rule pack into field-locked templates — no legal opinions, no invented facts. Incident war-room materials are pre-positioned for rapid assembly.

04

Deterministic completeness gates

Every required element is checked: risk management description, board oversight, management role, incident disclosure triggers, say-do consistency, and peer benchmarking. Any failure blocks release.

05

Outside securities counsel review

A qualified outside securities counsel reviews the draft disclosure and makes every materiality and disclosure-content judgment. High-value or complex incidents route to additional attorney review.

06

Delivery

You receive the engagement pack: filed-ready Item 106 disclosure, say-do gap report, peer benchmarking analysis, incident materiality war-room playbook, and a 12-month calendar for updates — ready for your disclosure controls committee to review and file.

The bar we hold

Rigor you can measure.

100%
Outside counsel-reviewed
No disclosure ships without a securities attorney's sign-off.
5 days
Standard SLA for annual disclosure
From complete intake to released engagement.
<1%
Critical-defect target
Tracked against a gold-standard disclosure library.
4
Benchmark sources
Peer 10-Ks, SEC enforcement actions, staff guidance, and your actual program documentation.
Why the SEC Cybersecurity Desk

Built to be the most thorough option a reporting company has.

Documentation-complete, by design

The deliverable is completeness itself — every Item 106 element and benchmark accounted for or explicitly exception-coded. Nothing is left implicit.

Deterministic, not vibes

The gates that decide completeness are code, not a model's opinion. A drafting error cannot slip past a regulatory requirement.

In its lane, on purpose

We prepare documentation and run benchmarks as your clerical agent. We never make materiality determinations, give legal advice, or file disclosures on your behalf.

Engagement

Flat fee, per engagement. No contingency, ever.

Simple, predictable, and aligned with a documentation standard — not a cut of any recovery.

  • A free Gap Scan before you commit — see exactly what is missing.
  • One flat fee per annual Item 106 disclosure engagement; disclosed pass-through costs for outside counsel review.
  • Optional incident war-room retainer for on-call materiality assessment and 8-K drafting support.
  • Optional multi-year retainer for consistent year-over-year disclosure improvement and enforcement trend tracking.
FAQ

Questions, answered precisely.

Is the SEC Cybersecurity Desk a law firm?
No. The SEC Cybersecurity Disclosure & Materiality Desk, a service of Your Deputy, Obuke LLC, provides documentation-completeness services. It is not a law firm, does not provide legal advice, and does not represent you in any legal matter. Outside securities counsel review is included in every engagement and is required for all materiality determinations.
Do you make materiality determinations or file disclosures?
Never. Materiality determinations are made by your disclosure controls committee and outside securities counsel. We prepare the supporting documentation and draft language for your review. The company retains final legal responsibility for all filings.
What makes an engagement 'complete'?
Completeness is defined by the SEC rules: all Item 106 elements present, peer benchmarking resolved, say-do gaps identified and remediated, and outside counsel sign-off obtained. Deterministic gates enforce each one before release.
How fast is it?
The standard SLA for annual Item 106 disclosure is five business days from complete intake to a specialist-released engagement. The free Gap Scan is returned much sooner and tells you exactly what is still needed.
How are you priced?
A flat fee per annual disclosure engagement, plus disclosed pass-through costs for outside counsel review. No contingency and no percentage of any avoided penalty or settlement.

See what's missing before it costs you a penalty.

Start with a free Gap Scan. Send your prior-year 10-K and current cybersecurity program documentation and we'll return a completeness read against every element of Item 106 and Item 1.05.

Documentation-completeness service · not legal advice · the company retains final filing responsibility.