If you sell to public companies and you have not been hit by a giant security questionnaire in the last 18 months, you will be. If you have, you know the pattern: 200 to 600 questions, three weeks to respond, written by someone in third-party risk management who has never met your company.
The questionnaires are not a fluke and they are not going to shrink. They are the downstream effect of an SEC rule that took effect in late 2023, and the cascade has not finished propagating. This post walks through what the SEC required, how public companies translated it into vendor questionnaires, why they keep getting longer, and what an SMB should do.
What the SEC actually required
In July 2023 the SEC adopted final rules on cybersecurity risk management, strategy, governance, and incident disclosure. The two pieces SMB owners need to know by name:
Item 1.05 of Form 8-K: incident disclosure
Public companies must disclose a material cybersecurity incident on Form 8-K within four business days of determining the incident is material (smaller reporting companies were given until June 15, 2024 to begin complying). The disclosure must describe the material aspects of the incident's nature, scope, and timing, and its material impact or reasonably likely material impact on the company. There is a narrow carve-out: disclosure may be delayed if the US Attorney General determines that it would pose a substantial risk to national security or public safety.
The word that matters is "material," and it carries its securities-law meaning: information a reasonable investor would consider important. Companies do not have four business days from discovery. They have four business days from the materiality determination, which the rule says must be made without unreasonable delay. The SEC has signaled it will second-guess foot-dragging on that determination.
Regulation S-K Item 106: annual governance disclosure
Codified at 17 CFR § 229.106. Public companies must describe in their annual 10-K filings:
- Their processes for assessing, identifying, and managing material cybersecurity risks
- Whether and how those processes are integrated into overall risk management
- Whether they engage third-party assessors, consultants, or auditors on cybersecurity
- Their oversight of cybersecurity risks from their use of third-party service providers (vendors)
- The board’s oversight of cybersecurity, including which committee handles it
- Management’s role and expertise in assessing and managing material cybersecurity risks
That fourth bullet is where SMB vendors enter the story.
The 10-Ks filed in 2024 and 2025 were the first two annual cycles under Item 106 (the rule applied to fiscal years ending on or after December 15, 2023). Investors, plaintiff lawyers, and regulators are reading the disclosures. Each year's disclosure sets the floor for the next.
How public companies translate this into vendor questionnaires
A public company subject to Item 106 cannot honestly disclose “we oversee third-party cybersecurity risk” without an actual program. The cheapest, most legally defensible program is a vendor questionnaire pipeline plus contractual security addenda. Hence the questionnaires hitting SMB inboxes.
The translation:
- The TPRM (third-party risk management) team builds or licenses a questionnaire (often SIG, SIG Lite, CAIQ, or a custom one).
- It is sent to every vendor at onboarding and periodically (usually annual for high-risk vendors).
- Responses are scored and used as the evidence record for the Item 106 disclosure.
- If a vendor breaches and the public company suffers a material incident, the questionnaire history is the public company’s defense at the SEC, in litigation, and to its own board.
A 40-question questionnaire is harder to defend in deposition than a 400-question one. The legal team optimizes for defensibility; the SMB vendor pays the cost.
Why the questionnaires are getting longer, not shorter
2024 saw credible predictions that the industry would standardize and shrink. Standardization happened, somewhat. Shrinkage did not.
Three reasons:
1. Each enforcement action ratchets the floor
SEC enforcement actions since 2024 have established that cybersecurity statements in filings and on public websites are representations a company can be held to, and that minimizing an incident's scope draws enforcement (the October 2024 settlements with Unisys, Avaya, Check Point, and Mimecast over their SolarWinds-related intrusion disclosures are the clearest example). The SolarWinds case itself (filed October 2023; most claims dismissed in July 2024, with the fraud claims tied to the company's public Security Statement allowed to proceed) put public companies on notice that their cybersecurity statements would be litigated. Each subsequent action becomes a footnote in the next questionnaire iteration.
2. AI and supply-chain incidents added question categories
2024 and 2025 saw rapid AI adoption, third-party LLM integration, and several headline-grade supply-chain incidents. Each became a new section (AI governance, model risk, software bill of materials, supplier breach notification). Sections get added; they almost never get removed.
3. State and sectoral rules layered on top
NYDFS Part 500 amendments, FTC Safeguards Rule updates, NAIC Insurance Data Security Model Law adoptions, and state privacy laws all added control expectations. Public companies operating across jurisdictions ask one questionnaire that covers all of them.
The trajectory through 2026-2028 is for questionnaires to keep inflating, with SIG/CAIQ adding versions annually.
What an SMB vendor should actually do
When a 400-question SIG lands in your inbox, the natural reactions are to panic-fill or stall. Both are mistakes. Triage instead.
Triage rule 1: not every questionnaire is worth answering
A questionnaire from your largest client representing $500K of annual revenue is worth 40 hours of work. One from a prospect who has not signed anything and is “evaluating vendors” is worth zero. Ask which it is before committing time. The signal: is there an executed contract, NDA, or PO? If not, the questionnaire may be a polite stall.
Triage rule 2: bucket the questions
The first pass takes an hour or two. Most questions fall into three buckets:
- Yes/no where the honest answer is yes (MFA, written policies, encryption at rest). Answer immediately.
- Yes/no where the honest answer is no (SOC 2 Type II, dedicated CISO, formal threat modeling). Answer honestly and write one sentence on the compensating control or roadmap.
- Essay questions requiring new policy or evidence (full incident response plan, vendor risk policy, data classification). These take real time.
Most questionnaires have 60-75% of questions in the first two buckets. The third bucket is where your written policies, if you have them, save the most time.
Triage rule 3: know when to push back
Some questions are inappropriate for your size. A SIG question asking for the name of your CISO when you are a 12-person company is not asking for a lie. It is asking who is accountable for security. The right answer is “the owner, Jane Smith, who holds equivalent functional responsibility.” Use the comment field. Do not check no and walk away.
If a TPRM team rejects a substantively answered questionnaire on size-inappropriate grounds, that is a signal the buyer does not actually want SMB vendors. Better to know now.
Triage rule 4: build the artifacts once, reuse them
Every questionnaire asks for the same 12-15 documents in different orders. Information Security Policy, Acceptable Use Policy, Incident Response Plan, Vendor Risk Policy, Data Retention Policy, Business Continuity Plan, Backup Policy, BYOD Policy, Onboarding/Offboarding, Access Control, Encryption Standards, Patch Management, Risk Assessment, SOC 2 if applicable, list of subprocessors.
Written down once, every future questionnaire is mostly a routing exercise. Otherwise every one is a fresh marathon.
(Many of these questionnaires map cleanly to our Cyber Essentials bundle, but the deeper answer is governance, not paperwork.)
What an SMB should not do
Lie. Lying on a vendor questionnaire is grounds for contract termination and, depending on the contract, indemnification claims if the public company later suffers an incident attributable to the misrepresented control. Buyers respect honest no answers with compensating-control explanations. They do not respect yes answers that turn out to be no in forensics.
Buy a SOC 2 Type II because one questionnaire asks for it. A SOC 2 Type II is a $40K to $100K commitment with an observation window that typically runs three to twelve months, and buyers expect a fresh report every year, so it is a recurring cost rather than a one-time purchase. Do it because you have a sustained pipeline of clients asking for it. SOC 2 Type I, Cyber Essentials Plus, or HITRUST e1 are cheaper signals that may satisfy the buyer.
Outsource answers to a generic compliance consultant who does not know your business. The questionnaire is asking what your controls actually are. Answers that sound right will fall apart on follow-up calls. Someone inside the company who knows what is true must sign off on the final responses.
What to actually do this quarter
- If you serve public-company clients, write down the 12-15 core policies once. The next questionnaire becomes a copy-paste exercise.
- Triage every incoming questionnaire by economic commitment before you commit response time.
- Answer no honestly where it is no. Use the comment field for compensating controls.
- If you have no written policies and a questionnaire is in your inbox right now, prioritize the four that show up everywhere: Information Security Policy, Acceptable Use Policy, Incident Response Plan, Vendor Risk Policy. Those four cover roughly 40% of the typical questionnaire by question count.
- Set an internal threshold for the revenue at which you will pursue a SOC 2 or equivalent. That number usually starts mattering between $500K and $2M of public-company-segment revenue.
The cascade is not slowing down. The questionnaires will keep arriving and keep getting longer. The SMBs that come out of this in the strongest position are the ones who built the policy foundation once, treated the questionnaires as sales qualification rather than panic, and were willing to say no clearly when a control was not in place.