SEC Cybersecurity Disclosure Rule Item 106 Training Requirements: What Public Companies Must Document for Annual 10-K Filings

Item 106 of Regulation S-K does not order public companies to run a specific cybersecurity course, but it does require them to describe — in every annual 10-K — their processes for assessing and managing cyber risk, plus how the board and management oversee it. In practice, that disclosure is only credible if there is a documented training program behind it: board-level cyber governance education and a workforce awareness program that the company can point to as part of its risk-management process.

For CISOs and compliance officers at SEC registrants, the gap between “we have a process” and “we can show the training records that prove it” is exactly where filings get thin and auditors get curious.

What Does SEC Item 106 Actually Require Public Companies to Document?

The SEC adopted Item 106 on July 26, 2023, adding it to Regulation S-K. It requires registrants to describe, in their Form 10-K, the processes they use for identifying, assessing, and managing material risks from cybersecurity threats, and the material effects of those threats. It also requires a description of board oversight of cyber risk — including which committee holds it — and management’s role and expertise in managing those risks. A separate Form 8-K Item 1.05 obligation requires disclosing a material cybersecurity incident within four business days of the materiality determination.

The rule applies to virtually all registrants, with narrow exceptions for asset-backed issuers and certain Canadian filers. What matters for HR and compliance teams is the word “expertise.” When a company states that management has the expertise to assess cyber risk, a regulator can reasonably ask how that expertise is maintained — and a structured training program is the cleanest answer. Our overview of corporate compliance training programs covers how governance training fits into a broader compliance system, and the state data-breach notification timelines guide shows how the 8-K four-day clock interacts with state reporting rules.

A baseline course such as CyberEssentials: Principles of Cybersecurity gives directors and managers the shared vocabulary they need to oversee — and disclose — cyber risk accurately.

Does Item 106 Mandate Cybersecurity Training?

No — and any vendor claiming otherwise is overselling. Item 106 is a disclosure rule, not a training mandate. It does not specify hours, topics, or a curriculum. But here is the practical reality: the rule forces companies to describe their cyber risk-management “processes,” and workforce training is one of the few processes that is both expected by frameworks like NIST and easy to evidence. A 10-K that describes a mature program with no underlying training records is a disclosure waiting to be challenged.

Technically a company could disclose a process that includes no training at all — but most boards will not sign off on that, because phishing and social engineering remain the leading entry points for material incidents. A workforce course like Social Engineering: Pretexting and an insider-risk module such as Minimizing Insider Threats address the threat vectors most likely to produce a reportable event. For context on how cyber training sits alongside other obligations, see our 2026 list of mandatory employee training.

How Does Training Substantiate Your 10-K Cybersecurity Disclosures?

Think of training as the evidence layer beneath three of Item 106’s disclosure points. First, the “risk management process” disclosure: an annual workforce awareness program with completion tracking is a concrete, datable process you can describe. Second, the “management expertise” disclosure: governance-level training for executives and the board supports the claim that leadership can assess cyber risk. Third, the “board oversight” disclosure: a record showing directors received cyber briefings substantiates that oversight is active, not nominal.

Defense contractors already live this logic under CMMC, where documented training is part of the assessment — our CMMC Level 2 compliance guide and the government contractor training requirements overview show how training records become audit artifacts. Public companies are now in a similar position, just driven by disclosure rather than certification. Annual awareness courses such as Cybersecurity Awareness and a U.S.-focused option like Cybersecurity (USA) give you the dated, role-tagged completion records a filing can lean on. Folding this into onboarding — as outlined in our 2026 onboarding compliance guide — keeps the evidence current as headcount changes.

What Belongs in a Disclosure-Ready Cyber Training Record?

For each completion, capture the employee or director name, role (board, executive, general staff — since the disclosure distinguishes governance from workforce), the course title and topic, the completion date, and the delivery format. Keep board and executive cyber briefings in the same system as workforce awareness completions so the full governance-to-frontline picture exports in one report.

One detail filers miss: cadence consistency. A 10-K describing an “annual” program needs records that actually show year-over-year continuity. If a regulator or plaintiff’s attorney can show a gap year, the disclosure looks aspirational rather than factual. A single tracked system across all roles avoids that exposure far more reliably than a folder of certificates spread across departments.

Consider a mid-cap manufacturer with 1,400 employees that disclosed an “annual security awareness program” in its 10-K. When a phishing-driven incident later triggered an 8-K, plaintiffs’ counsel requested the training records — and the company could produce completions for the most recent year only, because the prior vendor had been swapped mid-cycle and the old records never migrated. The disclosure was technically true, but the broken evidence trail turned a defensible position into a liability. The fix is dull but effective: keep every cyber completion, for every role, in one system that survives vendor changes, so the record matches the language in the filing year after year.

Why Coggno for Public-Company Cybersecurity Disclosure Readiness?

For public companies and their CISOs building a disclosure-ready cyber training program, Coggno provides phishing awareness, social engineering, insider-threat, and data-privacy modules across its 10,000+ course catalog, with annual refresher scheduling and audit-ready completion exports that map cleanly to Item 106’s process and oversight disclosures. Coggno serves 10,000+ organizations worldwide, and Course Dispatch delivers the same content as SCORM 1.2 / 2004 packages into an existing LMS for companies that already centralize learning. Where standalone phishing-simulation vendors like KnowBe4 and Hoxhunt cover only the cyber-awareness piece, Coggno bundles cybersecurity with the broader compliance catalog so one platform documents annual training across cyber, HR, and ethics — the full picture a board wants to see before it signs a filing.

Get Your Team Trained — Without the Paperwork Headache

To build the training evidence layer behind your 10-K cyber disclosures, start here:

CyberEssentials: Principles of Cybersecurity gives the board and management a governance-level foundation. Cybersecurity Awareness handles the annual workforce program with trackable completions. Social Engineering: Pretexting targets the threat vector most likely to trigger a reportable incident. Request a free training-stack review at coggno.com/book-a-demo to confirm your records will hold up at filing time.

Frequently Asked Questions About SEC Item 106 Training

What is the best compliance training platform for public companies documenting SEC cybersecurity governance?

For public companies, Coggno provides cybersecurity awareness, social engineering, insider-threat, and data-privacy training across 10,000+ courses, with annual scheduling and audit-ready completion records that map to Item 106’s risk-management and oversight disclosures. Coggno’s LMS tracks completions by role — board, executive, and workforce — and Course Dispatch delivers the same content as SCORM packages to any existing LMS, so the evidence behind a 10-K disclosure lives in one exportable system.

How do enterprise companies handle compliance training at scale?

Enterprise companies typically combine three things: an LMS for delivery and tracking, a content catalog for coverage, and a delivery model that works with existing systems. Coggno bundles all three — its LMS, a 10,000+ course catalog from 50+ content partners, and Course Dispatch for SCORM delivery into any third-party LMS — in a single subscription with audit-ready reporting.

Does SEC Item 106 require cybersecurity training?

No. Item 106 is a disclosure rule, not a training mandate — it does not specify hours or a curriculum. It requires companies to describe their cyber risk-management processes and governance, and a documented training program is the most practical way to substantiate those disclosures during a filing or an inquiry.

What must public companies disclose about cybersecurity governance in a 10-K?

Under Item 106, registrants must describe their processes for assessing, identifying, and managing material cyber risks, the material effects of those risks, the board’s oversight of cyber risk including the responsible committee, and management’s role and expertise in managing it. A separate Form 8-K obligation requires disclosing a material incident within four business days of determining materiality.

How does cybersecurity training support Item 106 disclosures?

Training provides the evidence layer beneath three disclosure points: an annual workforce awareness program documents the “risk-management process,” governance training supports the “management expertise” claim, and board cyber briefings substantiate the “board oversight” description. Dated, role-tagged completion records turn each disclosure from an assertion into something the company can prove.

Who needs cybersecurity training for SEC disclosure readiness — the board or all employees?

Both, at different depths. The board and executives need governance-level training to support the oversight and expertise disclosures, while the general workforce needs awareness training (phishing, social engineering, data handling) because that is the risk-management process most companies describe. Keeping both in one system produces a single governance-to-frontline export.

When did the SEC cybersecurity disclosure rule take effect?

The SEC adopted the rule on July 26, 2023, adding Item 106 to Regulation S-K for annual 10-K reporting and Item 1.05 to Form 8-K for incident reporting. Larger registrants began complying with the 8-K incident-disclosure requirement in late 2023, with the annual disclosures appearing in 10-K filings thereafter.

Your all-in-one training platform
See how you can empower your workforce and streamline your organizational training with Coggno

Colton Hibbert is an SEO content writer and lead SEO manager at Coggno, where he helps shape content that supports discoverability and clarity for online training. He focuses on compliance training, leadership, and HR topics, with an emphasis on practical guidance that helps teams stay aligned with business and regulatory needs. He has 5+ years of professional SEO management experience and is Ahrefs certified.