17 CFR Part 229 Explained: Regulation S-K, SEC Disclosure Rules, Business Description, Risk Factors, MD&A, Cybersecurity, Executive Compensation, Exhibits, and Public Company Reporting

Executive Summary

17 CFR Part 229 is Regulation S-K. It contains the SEC’s standard instructions for the non-financial statement portions of registration statements, annual reports, periodic reports, proxy statements, tender offer materials, going-private transaction statements, and other SEC filings under the Securities Act of 1933 and the Securities Exchange Act of 1934.

For clients, Regulation S-K matters because it governs much of what public companies, companies going public, issuers raising capital, SPACs, de-SPAC companies, public company acquisition targets, executives, boards, audit committees, and disclosure teams actually say to investors.

If Regulation S-X is the SEC’s financial statement rulebook, Regulation S-K is the SEC’s narrative disclosure rulebook.

It covers business descriptions, properties, legal proceedings, risk factors, cybersecurity, market information, securities descriptions, MD&A, accountant changes, market risk, executive compensation, related-party transactions, corporate governance, use of proceeds, selling security holders, exhibits, undertakings, industry disclosures, asset-backed securities, oil and gas, mining, roll-up transactions, bank holding companies, and SPAC/de-SPAC disclosures.

This is the rule set that matters when the question becomes:

What does a company have to disclose, how specific must the disclosure be, and when does incomplete or misleading narrative disclosure become a securities law problem?

Regulation S-K applies to the content of the non-financial statement portions of Securities Act registration statements and Exchange Act registration statements, annual reports, periodic reports, going-private statements, tender offer statements, annual reports to security holders, proxy and information statements, and other Exchange Act filings, to the extent provided in the applicable forms and rules.

1. What Is 17 CFR Part 229?

17 CFR Part 229 is titled “Standard Instructions for Filing Forms Under Securities Act of 1933, Securities Exchange Act of 1934 and Energy Policy and Conservation Act of 1975, Regulation S-K.” Most securities lawyers, public company counsel, auditors, bankers, and disclosure professionals simply call it Regulation S-K.

Regulation S-K provides the standard disclosure requirements for the narrative and non-financial statement portions of many SEC filings. It works together with:

  • the Securities Act of 1933;

  • the Securities Exchange Act of 1934;

  • Regulation S-X;

  • Regulation S-T;

  • SEC forms;

  • SEC interpretive releases;

  • SEC staff guidance;

  • stock exchange rules;

  • GAAP;

  • PCAOB standards;

  • and the federal securities anti-fraud rules.

Regulation S-K is where much of the company’s story is told. It governs how the company describes its business, risks, legal proceedings, securities, financial condition, results of operations, governance, executive pay, related-party transactions, exhibits, and specialized industry matters.

2. Why Regulation S-K Matters

Disclosure is one of the main pillars of federal securities law. A company may have accurate financial statements, but still have a disclosure problem if its narrative disclosures are incomplete, stale, generic, misleading, or inconsistent with what management actually knows.

Regulation S-K comes up in:

  • IPO registration statements;

  • Form S-1 filings;

  • Form S-3 shelf registration statements;

  • Form S-4 merger registration statements;

  • Form 10 registration statements;

  • Form 10-K annual reports;

  • Form 10-Q quarterly reports;

  • Form 8-K current reports;

  • proxy statements;

  • tender offer materials;

  • going-private transactions;

  • de-SPAC filings;

  • resale registration statements;

  • Regulation A offering statements;

  • public company M&A;

  • executive compensation disclosure;

  • cybersecurity disclosure;

  • risk factor drafting;

  • MD&A drafting;

  • legal proceedings disclosure;

  • related-party transaction disclosure;

  • exhibit filing analysis;

  • and SEC comment letter responses.

For clients, this matters because Regulation S-K is disclosure architecture. The question is not only whether the company has included a section called “Risk Factors” or “MD&A.” The question is whether the disclosure gives investors the material information they need and does not mislead them.

3. Where Regulation S-K Fits in the SEC Framework

Together, S-K and S-X form the backbone of SEC disclosure. Regulation S-X tells companies what financial statements and related financial information must be filed. Regulation S-K tells companies what narrative disclosures must accompany those financial statements. A strong SEC filing usually requires both. The numbers and the narrative must tell a coherent story.

4. What Regulation S-K Covers

Regulation S-K is broad. It includes disclosure requirements across several major categories.

General Disclosure Rules

Regulation S-K begins with general instructions, including Item 10. Item 10 explains the application of Regulation S-K and includes SEC policies on projections, security ratings, non-GAAP financial measures, and smaller reporting company status.

This matters because many disclosure problems start with general presentation issues:

  • Is the company using projections responsibly?

  • Is the most directly comparable GAAP measure presented with equal or greater prominence than any non-GAAP measure?

  • Are risk factors specific or generic?

  • Are ratings properly described?

  • Is the company eligible for smaller reporting company scaled disclosure?

  • Are electronic filing rules under Regulation S-T being followed?

The eCFR text expressly notes that Regulation S-K should be read with Regulation S-T for electronic filings because many paper-format provisions are superseded for documents required to be filed electronically.

Business and Operational Disclosure

Regulation S-K includes rules requiring disclosure about the registrant’s business, properties, legal proceedings, mine safety matters, risk factors, and cybersecurity.

Important provisions include:

  • Item 101: Description of business;

  • Item 102: Description of property;

  • Item 103: Legal proceedings;

  • Item 104: Mine safety disclosure;

  • Item 105: Risk factors;

  • Item 106: Cybersecurity.

These are the sections that often explain what the company does, what risks it faces, what litigation or regulatory proceedings matter, and how governance and management address key risks.

Securities and Market Information

Regulation S-K includes rules on market information, holders, dividends, equity compensation plans, performance graphs, and descriptions of securities.

Important provisions include:

  • Item 201: Market price of and dividends on common equity and related stockholder matters;

  • Item 202: Description of registrant’s securities.

These items matter in public company reporting, registration statements, resale filings, and investor-facing disclosure.

Financial Information Outside the Financial Statements

Regulation S-K includes disclosure rules that sit near the financial statements but are not themselves the financial statements.

Important provisions include:

  • Item 302: Supplementary financial information;

  • Item 303: Management’s Discussion and Analysis of Financial Condition and Results of Operations;

  • Item 304: Changes in and disagreements with accountants;

  • Item 305: Quantitative and qualitative disclosures about market risk.

MD&A is one of the most important sections in any public company filing. It is where management explains the company’s financial condition, liquidity, capital resources, results of operations, known trends, uncertainties, and critical accounting estimates.

Management, Governance, and Compensation

Regulation S-K also governs disclosure about directors, officers, executive compensation, beneficial ownership, related-party transactions, corporate governance, and shareholder matters. These disclosures are central to proxy statements, annual reports, executive compensation review, board governance, investor relations, and shareholder voting.

Exhibits, Undertakings, and Specialized Disclosure

Regulation S-K also includes requirements for exhibits, undertakings, industry guides, asset-backed securities, oil and gas, mining, roll-up transactions, bank holding companies, and SPAC/de-SPAC disclosures. This matters because SEC filings are not just narrative text. Exhibits, consents, material contracts, certifications, schedules, and undertakings can become legally significant parts of the filing.

5. Item 101: Description of Business

Item 101 requires a description of the general development of the registrant’s business and the business done and intended to be done by the registrant and its subsidiaries.

The rule focuses on materiality. It requires disclosure of information material to understanding the development of the business and the business as a whole. The rule identifies topics that may need to be discussed, including material changes to business strategy, bankruptcy or receivership proceedings, material reclassifications, mergers, consolidations, acquisitions or dispositions of material assets, revenue-generating activities, key products or services, dependence on major customers, development efforts, trends in market demand, competitive conditions, material resources, government contracts, seasonality, government regulation, environmental regulation, and human capital resources.

For clients, Item 101 is where the company explains what it actually does. That sounds simple, but it often is not.

  • A fintech company may describe itself as a technology platform, but the business description may need to address regulated money movement, sponsor bank relationships, custody, payments, lending, brokerage, advisory, or other financial services activity.

  • An AI company may describe software capabilities, but the disclosure may need to explain limitations, dependence on data, model performance, regulatory risk, customer concentration, or whether the product is actually deployed.

  • A digital asset company may describe wallets, tokens, staking, stablecoins, custody, or exchange-like activity, but the disclosure needs to be precise enough to avoid overstating functionality or understating regulatory risk.

The business description should not read like marketing copy. It should read like a disciplined explanation of the business investors are actually being asked to evaluate.

6. Item 103: Legal Proceedings

Item 103 requires disclosure of material pending legal proceedings, other than ordinary routine litigation incidental to the business, involving the registrant, its subsidiaries, or their property. It also requires similar information for proceedings known to be contemplated by governmental authorities. The disclosure should include the court or agency, date instituted, principal parties, factual basis, and relief sought. This item is particularly important in regulated industries.

A company may need to assess disclosure of:

  • SEC investigations;

  • FINRA inquiries;

  • state regulator proceedings;

  • CFTC matters;

  • DOJ investigations;

  • CFPB matters;

  • bank regulator issues;

  • state money transmission investigations;

  • OFAC issues;

  • private securities litigation;

  • customer litigation;

  • employment claims;

  • whistleblower claims;

  • environmental proceedings;

  • bankruptcy or receivership matters;

  • and disputes involving officers, directors, affiliates, or major security holders.

The hardest part is often determining when a regulatory matter is material and when it is “known to be contemplated” by a governmental authority. Legal proceedings disclosure should be coordinated with litigation counsel, regulatory counsel, auditors, management, and the disclosure committee. It should also be consistent with risk factors, MD&A, financial statement contingencies, and public statements.

7. Item 105: Risk Factors

Item 105 requires a discussion of the material factors that make an investment in the registrant or offering speculative or risky. The discussion must be organized logically with relevant headings, and each risk factor should have a subcaption that adequately describes the risk. Generic risk factors are discouraged. If generic risk factors are included, they should appear at the end under the caption “General Risk Factors.” The rule also requires plain English, and if the risk factor section exceeds 15 pages, a short summary of principal risk factors must appear near the front.

Risk factors are one of the most important parts of a filing. They are also one of the easiest sections to make useless. Too many companies draft risk factors as defensive clutter. They list every imaginable risk in generic language, but they do not explain the actual risks facing the business.

A good risk factor answers four questions:

  1. What is the risk?

  2. Why does it matter to this company?

  3. How could it affect the business, financial condition, results, prospects, or securities?

  4. Has the risk already begun to materialize?

A risk factor that describes a hypothetical risk may be misleading if the risk has already occurred or is already affecting the company.

For AI, fintech, digital asset, public company, and financial services businesses, risk factors often need to address:

  • regulatory uncertainty;

  • licensing;

  • enforcement;

  • money transmission;

  • custody;

  • cybersecurity;

  • data privacy;

  • model risk;

  • customer concentration;

  • revenue concentration;

  • bank partner risk;

  • dependence on third-party providers;

  • liquidity;

  • capital constraints;

  • token or digital asset classification;

  • broker-dealer or investment adviser registration risk;

  • AML and sanctions;

  • conflicts of interest;

  • related-party transactions;

  • internal controls;

  • and ability to continue operations.

8. Item 106: Cybersecurity

Item 106 requires disclosure about cybersecurity risk management, strategy, and governance. It defines a cybersecurity incident as an unauthorized occurrence, or a series of related unauthorized occurrences, on or through information systems that jeopardizes the confidentiality, integrity, or availability of those systems or the information residing in them. It requires companies to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats, including whether those processes are integrated into overall risk management, whether third parties (such as assessors, consultants, or auditors) are used, and whether the company oversees cybersecurity risks arising from third-party service providers. It also requires disclosure about board oversight and about management’s role in assessing and managing material cybersecurity risks.

Cybersecurity disclosure is now a core public company governance issue. For fintech, AI, digital asset, payments, brokerage, advisory, and financial services companies, cybersecurity is not only an IT issue. It may involve customer assets, trading systems, personal information, account access, wallet infrastructure, payment flows, confidential business information, third-party vendors, cloud infrastructure, and operational resilience.

Item 106 pushes companies to explain governance and process, not merely say that cybersecurity is important. That means boards and management teams need to understand what they are actually disclosing.

9. Item 303: MD&A

Item 303 governs Management’s Discussion and Analysis of Financial Condition and Results of Operations, commonly called MD&A.

The objective of MD&A is to provide material information relevant to assessing the company’s financial condition and results of operations, including the amount and certainty of cash flows from operations and outside sources. The discussion must focus on material events and uncertainties known to management that are reasonably likely to cause reported financial information not to be indicative of future operating results or future financial condition. MD&A is not supposed to be a repetition of the financial statements. It is supposed to be management’s explanation of the business through the financial results.

A good MD&A explains:

  • liquidity;

  • capital resources;

  • cash requirements;

  • known trends;

  • known uncertainties;

  • results of operations;

  • changes in revenue and expenses;

  • unusual or infrequent events;

  • material changes in costs and revenues;

  • critical accounting estimates;

  • segment issues;

  • off-balance sheet arrangements;

  • and whether historical results are likely to be indicative of the future.

For clients, MD&A is often where SEC disclosure risk becomes most real. The company cannot simply say revenue increased by a certain percentage. It usually needs to explain why. It cannot ignore known liquidity pressure. It cannot bury a trend management knows is material. It cannot present adjusted narratives that conflict with the financial statements.

10. Item 304: Changes in and Disagreements With Accountants

Item 304 requires disclosure when a company changes accountants, including whether the former accountant resigned, declined to stand for re-election, or was dismissed; whether prior audit reports contained adverse opinions, disclaimers, qualifications, or modifications; whether the decision was recommended or approved by the audit committee or board; and whether there were disagreements or reportable events. It also requires procedures involving letters from former and newly engaged accountants.

This is a sensitive area. Auditor changes can be routine. They can also signal serious issues. The market, SEC staff, audit committee, investors, and plaintiffs’ lawyers may pay close attention if a company changes auditors around the same time there are:

  • accounting issues;

  • internal control problems;

  • delayed filings;

  • restatements;

  • management representation concerns;

  • audit scope limitations;

  • disagreements over accounting treatment;

  • financial reporting concerns;

  • going concern issues;

  • or governance problems.

The rule interprets “disagreements” broadly. It does not require a dramatic fight. A difference of opinion at the decision-making level can matter if it would have caused the accountant to reference the subject matter in its report if unresolved.

11. Item 305: Market Risk Disclosure

Item 305 requires quantitative and qualitative disclosures about market risk. It covers market risk sensitive instruments, including derivative financial instruments, other financial instruments, and derivative commodity instruments. Registrants may use tabular presentation, sensitivity analysis, or value-at-risk disclosure methods, depending on the circumstances. The rule also requires qualitative discussion of primary market risk exposures and how those exposures are managed.

This is particularly important for companies exposed to:

  • interest rate risk;

  • foreign currency risk;

  • commodity price risk;

  • equity price risk;

  • derivatives;

  • swaps;

  • options;

  • futures;

  • structured notes;

  • mortgage-backed securities;

  • loans;

  • investments;

  • debt instruments;

  • and other financial market exposures.

For financial services, fintech, digital asset, lending, payments, banking, commodity, energy, and investment businesses, market risk disclosure can be a major part of the investor story.

12. Non-GAAP Financial Measures

Item 10 includes important rules on non-GAAP financial measures in SEC filings. When a registrant includes non-GAAP financial measures, it generally must present the most directly comparable GAAP measure with equal or greater prominence, provide a reconciliation, explain why management believes the non-GAAP measure is useful to investors, and disclose additional purposes for which management uses the measure if material. The rule also prohibits certain presentations, including presenting non-GAAP measures on the face of GAAP financial statements or in the accompanying notes, using confusingly similar titles, and certain improper adjustments.

This matters because non-GAAP measures are a frequent source of SEC comments and enforcement risk.

  • Companies often want to tell a cleaner story about performance. That impulse is understandable. But if the adjustment is misleading, overly prominent, inconsistently applied, poorly reconciled, or used to smooth recurring expenses, the disclosure can become a problem.

  • For startup-adjacent public companies, de-SPAC companies, fintech companies, SaaS businesses, AI companies, and digital asset businesses, non-GAAP disclosure is often a flashpoint because management may want to emphasize adjusted EBITDA, contribution margin, adjusted revenue, platform revenue, net revenue retention, free cash flow, or other metrics that do not appear directly in GAAP.

13. Smaller Reporting Companies

Regulation S-K includes scaled disclosure rules for smaller reporting companies.

Item 10 defines smaller reporting company status and identifies items where scaled disclosure may be available. A smaller reporting company generally includes an issuer that is not an investment company, asset-backed issuer, or majority-owned subsidiary of a non-smaller-reporting-company parent and that meets specified public float or revenue thresholds. The rule also includes annual determination mechanics and de-SPAC re-determination rules.

Smaller reporting company status can reduce burdens, but it does not eliminate disclosure obligations. A smaller company still must tell the truth. It still must avoid misleading disclosure. It still must disclose material risks. It still must explain liquidity. It still must be careful with related-party transactions, executive compensation, legal proceedings, non-GAAP measures, and material contracts. Scaled disclosure is not a license for thin disclosure.

14. How Regulation S-K Comes Up in Practice

I see Regulation S-K issues in nearly every serious securities disclosure project.

  • A company preparing to go public needs a business description that is accurate, investor-ready, and not promotional.

  • A fintech company needs to describe its regulated activities without creating unnecessary admissions or minimizing real regulatory risk.

  • An AI company needs to explain its product, risks, dependencies, limitations, and governance without overstating what the technology can do.

  • A digital asset company needs to describe tokens, custody, wallets, platforms, staking, or regulatory uncertainty with precision.

  • A public company needs to update risk factors because the risks have changed.

  • A company receives a subpoena and has to decide whether legal proceedings disclosure is required.

  • An issuer changes auditors and has to evaluate Item 304 disclosure.

  • A company wants to use aggressive non-GAAP metrics and needs to understand equal prominence, reconciliation, and misleading adjustment issues.

  • A board wants to know whether cybersecurity governance disclosure matches actual board practices.

  • A company’s MD&A says liquidity is sufficient, but internal forecasts suggest pressure.

  • A related-party transaction is known inside the company but not clearly disclosed.

  • A SPAC or de-SPAC company needs to manage a dense set of disclosure obligations, projections, conflicts, compensation, sponsor economics, dilution, financial statements, and risk factors.

These issues often arise under time pressure, with auditors, bankers, management, boards, and investors all paying attention.

15. Common Mistakes

Mistake 1: Treating Regulation S-K as a Checklist

A checklist helps, but it is not enough. Regulation S-K disclosure must be tailored, material, and not misleading.

Mistake 2: Using Generic Risk Factors

Generic risk factors are discouraged. The disclosure should explain the specific risk to the company or offering.

Mistake 3: Describing Risks as Hypothetical After They Have Already Occurred

If a risk has materialized, the disclosure should not pretend it is merely theoretical.

Mistake 4: Repeating Financial Statement Numbers in MD&A Without Analysis

MD&A should explain the reasons for material changes, known trends, liquidity, capital resources, uncertainties, and critical accounting estimates.

Mistake 5: Overusing Non-GAAP Measures

Non-GAAP measures must be presented carefully, reconciled properly, and not given improper prominence.

Mistake 6: Under-disclosing Government Regulation

For highly regulated companies, especially fintech, digital assets, financial services, AI, payments, brokerage, advisory, and money movement businesses, government regulation can be central to the business.

Mistake 7: Missing Cybersecurity Governance Gaps

Cybersecurity disclosure should match the company’s actual governance, reporting, and risk-management processes.

Mistake 8: Mishandling Auditor Change Disclosure

Item 304 disclosure can be sensitive and should be coordinated carefully with the former accountant, new accountant, audit committee, and SEC filing team.

Mistake 9: Ignoring Cross-Consistency

Business description, risk factors, MD&A, legal proceedings, financial statement notes, cybersecurity disclosure, and public statements should be consistent.

Mistake 10: Letting Marketing Language Creep Into Legal Disclosure

SEC disclosure should be clear and compelling, but it should not read like a sales deck.

16. Frequently Asked Questions

What is 17 CFR Part 229?

17 CFR Part 229 is Regulation S-K, the SEC’s standard disclosure regulation for the non-financial statement portions of many Securities Act and Exchange Act filings.

What is Regulation S-K?

Regulation S-K is the SEC’s narrative disclosure rulebook. It governs business descriptions, risk factors, MD&A, legal proceedings, cybersecurity, executive compensation, related-party transactions, governance, securities descriptions, exhibits, undertakings, and specialized disclosures.

How is Regulation S-K different from Regulation S-X?

Regulation S-X governs financial statements and related accounting requirements. Regulation S-K governs narrative and non-financial statement disclosure in SEC filings.

What does Item 101 require?

Item 101 requires disclosure about the general development and description of the registrant’s business, including material business developments, revenue-generating activities, products and services, government regulation, environmental regulation, and human capital resources.

What does Item 103 require?

Item 103 requires disclosure of material pending legal proceedings, other than ordinary routine litigation incidental to the business, and certain proceedings known to be contemplated by governmental authorities.

What does Item 105 require?

Item 105 requires disclosure of material risk factors that make an investment in the registrant or offering speculative or risky. Risk factors should be organized logically, specific to the company or offering, and written in plain English.

What does Item 106 require?

Item 106 requires cybersecurity disclosure covering risk management, strategy, governance, board oversight, and management’s role in assessing and managing material cybersecurity risks.

What does Item 303 require?

Item 303 requires MD&A disclosure explaining the company’s financial condition, results of operations, liquidity, capital resources, known trends, known uncertainties, material changes, and critical accounting estimates.

What does Item 304 require?

Item 304 requires disclosure about changes in and disagreements with accountants, including resignations, dismissals, reportable events, disagreements, audit committee involvement, and accountant letters.

What does Item 305 require?

Item 305 requires quantitative and qualitative disclosure about market risk, including risks related to interest rates, foreign currency exchange rates, commodity prices, equity prices, derivatives, financial instruments, and related exposures.

What are non-GAAP financial measures?

Non-GAAP financial measures are numerical measures of financial performance, financial position, or cash flows that adjust or differ from the most directly comparable GAAP measure. Regulation S-K includes specific rules on how they may be presented in SEC filings.

Why does Regulation S-K matter for fintech and AI companies?

Regulation S-K matters for fintech and AI companies because their business descriptions, risk factors, MD&A, cybersecurity disclosure, regulatory disclosure, non-GAAP metrics, and legal proceedings disclosure must accurately describe their business model, regulatory exposure, technology, risks, and financial condition.

17. How I Help Clients

I advise clients on SEC disclosure, securities regulation, financial regulatory law, public company reporting, private offerings, SEC and FINRA investigations, broker-dealer and investment adviser issues, digital assets, fintech, AI financial products, capital formation, internal investigations, and regulatory response.

In matters involving Regulation S-K, that work may include:

  • drafting and reviewing risk factors;

  • advising on MD&A disclosure;

  • reviewing business descriptions and regulatory disclosure;

  • advising on cybersecurity disclosure;

  • analyzing legal proceedings disclosure;

  • advising on non-GAAP financial measures;

  • reviewing public company filings;

  • preparing or revising offering disclosure;

  • advising on Form S-1, S-3, S-4, Form 10, Form 10-K, Form 10-Q, Form 8-K, and proxy statement disclosure;

  • counseling companies on auditor change disclosures;

  • reviewing related-party transaction and governance disclosure;

  • advising fintech, AI, digital asset, and financial services companies on regulatory disclosure;

  • responding to SEC comment letters;

  • conducting internal investigations involving disclosure issues;

  • and helping companies align legal disclosure with business reality.

The practical point is simple: Regulation S-K is where a company’s narrative becomes securities law disclosure. That narrative has to be accurate, specific, complete, and disciplined.
