Published 25 Jun 2026

SEC Item 106: Integrating Operational Technology into the Financial Risk Framework

Adopted in July 2023, Item 106 of Regulation S-K is a mandatory disclosure requirement that extends cybersecurity risk disclosure to any cyber risk that could materially affect a registrant's business, which for industrial companies includes operational technology. The rule integrates industrial security into the corporate financial framework by

  • requiring companies to describe their cybersecurity risk management, strategy and governance in the annual report on Form 10-K (Item 1C), and
  • requiring disclosure of a material cybersecurity incident on Form 8-K (Item 1.05) within four business days after the company determines that the incident is material.

Under these rules, organizations must describe their processes for identifying, assessing and managing material cybersecurity risks, and whether any such risk has materially affected or is reasonably likely to materially affect the business, including physical production systems.

Why it matters

OT security was often kept out of financial reporting because it involved no payment card data or PII. Under the current rules, materiality turns on the potential financial and operational impact of a cybersecurity incident, including its effect on physical processes. The company makes that determination (the SEC expects it to be made without unreasonable delay), and if a cyber event can halt a production line or disrupt power delivery, it is a material financial risk that must be disclosed under Item 1.05 and addressed in the Item 106 discussion.

This mandate makes siloed governance hard to defend. Historically, IT and OT teams operated independently; Item 106(b) now asks registrants to describe whether and how their cybersecurity processes are integrated into the overall risk management system, a description that is hard to write credibly if risks to physical processes are managed outside that system.

Big Picture

Analysis of a sample of 2024–2025 Fortune 1000 filings shows a gap between what regulators expect and what companies actually report. Only 17% of filings provided granular data on material impact, while 40% of companies still rely on generic "boilerplate" language. Public disclosure currently averages 9 days after detection, a large improvement over the 79.4-day average in 2021, but still slower than the SEC's intent for rapid determination. The delay is often a visibility problem: KPMG reports that missing or overwritten logs affected nearly 50% of 2024 forensic investigations, which makes reliable process-level evidence a practical prerequisite for an accurate and defensible disclosure.

Case Study: Halliburton and the New Materiality Standard

An August 2024 incident at Halliburton served as an early real-world test of these rules. The energy services provider disclosed that an unauthorized third party had gained access to certain of its systems within two days of becoming aware of the intrusion, a shift toward rapid, proactive reporting. Its initial Form 8-K was filed under Item 8.01 (Other Events) rather than Item 1.05, because the materiality determination that starts the four-business-day clock had not yet been made; the company updated its disclosure as the investigation progressed.

Why this matters for Risk & Response

This case demonstrated that for industrial firms, materiality is now determined by operational integrity. Halliburton's decision to take certain systems offline to contain the intrusion, with the operational disruption that entailed, highlights a new reality: incident response plans must now account for operational uptime and safety when assessing materiality and regulatory disclosure obligations.

Materiality is no longer just about data loss; it is measured by:

  • Manual Resilience: The effectiveness of “manual workarounds” during a disruption.
  • Operational Impact: Whether a breach halts physical production or energy delivery.
  • Long-term Trust: The potential for permanent changes in customer behavior following a disruption.

Process-Oriented OT Cybersecurity and Incident Forensics

SEC Item 106 requires companies to determine whether a cyber incident materially affected operations. In industrial environments, that determination depends on process-level forensics – records of how physical systems actually behaved during an event.

Process-oriented OT cybersecurity preserves independent evidence of process inputs, outputs, and state changes, allowing organizations to confirm whether an attack altered production or safety, even if control systems or logs were compromised. This evidence enables faster, defensible materiality decisions and timely Form 8-K reporting.
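What "independent evidence of process inputs, outputs, and state changes" can look like in practice is shown by the following added example. It is not the page's product or any vendor's code: a tamper-evident, hash-chained record of commanded setpoints, independently measured values and controller state, plus a function that answers the materiality questions a review team asks (did the process leave its authorised envelope, did it trip, for how long was it disrupted, and can the record itself be trusted). The tag name FT-101, the 95–105 envelope, the timeline and the collector key are all constructed for the example.

```python
"""Tamper-evident process evidence log with an incident-window impact assessment.
Added illustration; not the page's product or any vendor's code. Tag names,
values, the operating envelope and the key are constructed for the example."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import List, Optional, Tuple

# Assumption: the collector that writes this log holds its own key, separate
# from PLC/SCADA credentials, so an attacker who owns the control network
# cannot recompute valid digests after editing history.
COLLECTOR_KEY = b"constructed-example-key-not-for-production"
GENESIS = "0" * 64


@dataclass(frozen=True)
class Sample:
    ts: int          # seconds from the start of the constructed timeline
    tag: str         # process tag (constructed name)
    setpoint: float  # value the controller was commanded to hold
    measured: float  # value the independent sensor actually observed
    state: str       # controller state: RUN, HOLD or TRIP


def _digest(prev: str, sample: Sample) -> str:
    """HMAC over the previous digest and the canonical sample, forming a chain."""
    body = json.dumps(asdict(sample), sort_keys=True).encode()
    return hmac.new(COLLECTOR_KEY, prev.encode() + body, hashlib.sha256).hexdigest()


class EvidenceLog:
    """Append-only list of (sample, digest); each digest covers the previous one."""

    def __init__(self) -> None:
        self.entries: List[Tuple[Sample, str]] = []

    def append(self, sample: Sample) -> None:
        prev = self.entries[-1][1] if self.entries else GENESIS
        self.entries.append((sample, _digest(prev, sample)))

    def verify(self) -> Optional[int]:
        """Index of the first entry whose digest no longer matches, or None if intact."""
        prev = GENESIS
        for i, (sample, digest) in enumerate(self.entries):
            if not hmac.compare_digest(digest, _digest(prev, sample)):
                return i
            prev = digest
        return None


def assess_impact(log: EvidenceLog, start: int, end: int,
                  envelope: Tuple[float, float]) -> dict:
    """Summarise how the process behaved in [start, end] for a materiality review.

    A sample is a deviation if the measured value left the authorised envelope
    or the controller was not in RUN. Disruption runs from the first deviation
    to the first in-envelope RUN sample after it (or to `end` if none).
    """
    lo, hi = envelope
    window = [s for s, _ in log.entries if start <= s.ts <= end]
    deviations = [s for s in window if not (lo <= s.measured <= hi) or s.state != "RUN"]
    setpoint_changes = [(b.ts, a.setpoint, b.setpoint)
                        for a, b in zip(window, window[1:]) if a.setpoint != b.setpoint]
    disruption = 0
    if deviations:
        first = deviations[0].ts
        recovered = [s.ts for s in window if s.ts > first and s not in deviations]
        disruption = (recovered[0] if recovered else end) - first
    return {
        "chain_intact": log.verify() is None,
        "deviation_count": len(deviations),
        "tripped": any(s.state == "TRIP" for s in window),
        "setpoint_changes": setpoint_changes,
        "disruption_seconds": disruption,
    }


def build_demo_log() -> EvidenceLog:
    """Constructed timeline: steady flow, an unauthorised setpoint write, a trip, recovery."""
    rows = [
        (0, 100.0, 100.2, "RUN"), (60, 100.0, 99.8, "RUN"), (120, 100.0, 100.1, "RUN"),
        (180, 140.0, 118.7, "RUN"),   # setpoint pushed outside the envelope
        (240, 140.0, 134.2, "RUN"),
        (300, 140.0, 0.0, "TRIP"),    # safety trip halts the line
        (360, 100.0, 0.0, "HOLD"),    # operators restore the setpoint
        (420, 100.0, 99.9, "RUN"),    # production resumes
    ]
    log = EvidenceLog()
    for ts, sp, pv, st in rows:
        log.append(Sample(ts, "FT-101", sp, pv, st))
    return log


def tamper(log: EvidenceLog, index: int, measured: float) -> EvidenceLog:
    """Simulate an attacker rewriting one historical reading but keeping the old digest."""
    copy = EvidenceLog()
    copy.entries = list(log.entries)
    s, digest = copy.entries[index]
    copy.entries[index] = (Sample(s.ts, s.tag, s.setpoint, measured, s.state), digest)
    return copy


if __name__ == "__main__":
    demo = build_demo_log()
    print(assess_impact(demo, 0, 420, (95.0, 105.0)))
    print("first tampered entry:", tamper(demo, 3, 100.3).verify())
```

On the constructed timeline the assessment reports four deviating samples, a trip, two setpoint changes and 240 seconds of disruption, with the chain intact; after the historian-style edit at index 3, `verify()` points at that entry, so the review knows which part of the record can no longer support a disclosure. In a real deployment the collector would sit on a separate, read-only network tap and anchor its chain head somewhere the control network cannot reach; the HMAC chain here stands in for that independence.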

Bottom Line: Compliance in 2026 and Beyond

The era of “voluntary” OT security is over. As we enter 2026, the SEC’s Inline XBRL mandate for cybersecurity disclosures applies to annual reports for fiscal years ending on or after December 15, 2024. Inline XBRL is a technology that “tags” specific parts of a financial report with machine-readable code. This allows investors and regulators to use automated tools to compare:

  1. OT Resilience: How different companies across entire sectors describe their risk management.
  2. Response Benchmarks: The actual time it takes for a company to move from “detection” to a “materiality determination.”

For industrial organizations, the SEC’s mandate is clear: Risk assessment must include the physical shop floor, and Incident Response must be rapid and transparent. If your physical processes can be hacked, your investors have a financial right to know exactly how you are defending them – and exactly what failed when you didn’t.
