The Gap No One Is Talking About
What Small-Cap Mining and Critical Minerals Companies Need Before the SEC Comes Asking
3/13/2026 · 5 min read
There is a question circulating in SEC enforcement circles that most small-cap mining and critical minerals executives have never been asked — and have no documented answer to:
“Who in your organization determines whether a cybersecurity incident is material under SEC rules — and how did they make that call?”
This isn’t a question for your IT team. It isn’t a question for your managed service provider. Under the SEC’s cybersecurity disclosure rules, the materiality determination is a legal and financial judgment — and it belongs to the CFO and General Counsel, supported by a documented, repeatable process.
Most small-cap companies in the mining, natural resources, and defense-adjacent space don’t have that process. Not because they’re negligent — but because no one told them it existed, or that it was their responsibility to own it.
That’s the governance gap. And it’s widening.
Why Small-Cap Extractive and Defense-Adjacent Companies Are Specifically Exposed
Large-cap energy and mining companies have legal departments, compliance officers, and dedicated cybersecurity governance teams. They have been preparing for — and in many cases, helping shape — the SEC’s evolving disclosure requirements for years.
Small-cap companies are in a structurally different position. They are:
• Operating with lean executive teams where the CFO often wears multiple hats
• Dependent on third-party IT providers who are not trained in SEC materiality standards
• Increasingly targeted by nation-state actors and ransomware groups specifically because of their role in critical mineral supply chains
• Subject to the same SEC disclosure obligations as large-cap peers — without the same infrastructure to support them
The defense-adjacent dimension adds another layer of exposure. Companies involved in critical mineral extraction — lithium, rare earth elements, uranium, copper — are integral to defense supply chains. That makes them high-value targets and means their cyber risk posture is scrutinized not just by the SEC, but increasingly by defense primes and institutional investors with ESG and national security mandates.
The risk isn’t theoretical. It’s operational, reputational, and financial — and it arrives faster than most small-cap boards expect.
What “Defensible” Actually Means Under Reg S-K Item 106 and Form 8-K Item 1.05
The SEC’s cybersecurity disclosure rules, effective for most public companies beginning in 2024, created two distinct obligations that small-cap companies often conflate or misunderstand.
Reg S-K Item 106 — Annual Disclosure
This requires public companies to describe, in their annual 10-K filing, how they assess, identify, and manage material risks from cybersecurity threats. It also requires disclosure of whether cybersecurity risks have materially affected — or are reasonably likely to materially affect — business strategy, results of operations, or financial condition. This is a governance narrative. It demands that you describe a process, not just assert that one exists.
Form 8-K Item 1.05 — Incident Disclosure
This requires companies to disclose material cybersecurity incidents within four business days of determining that a material incident has occurred. The four-day clock starts not when the incident happens — but when you determine it is material. That determination requires a documented process. Without one, companies either delay disclosure (SEC enforcement risk) or over-disclose (market risk).
“Defensible” means that if the SEC reviews your disclosure — or your non-disclosure — you can demonstrate that a qualified executive made a reasoned materiality determination, supported by documented criteria, within an appropriate timeframe. It means your CFO and General Counsel can sit across from an enforcement attorney and walk through exactly how the decision was made.
A checklist signed by your IT director does not meet that standard. A governance framework built for your company’s specific risk profile does.
The Capital Markets Dimension: How Investors Are Reading Your Disclosure Posture
Institutional investors in the mining and critical minerals space are sophisticated readers of SEC filings. They have seen the evolution of cybersecurity risk disclosure from boilerplate to substance, and they are beginning to treat governance gaps as material risk factors — not just compliance deficiencies.
For small-cap companies seeking to attract institutional capital, the quality of your cybersecurity governance disclosure signals several things simultaneously:
• Management maturity — do your executives understand the regulatory environment they operate in?
• Operational resilience — is the company prepared to identify, contain, and disclose an incident without creating secondary liability?
• Governance culture — does the board exercise meaningful oversight of cyber risk, or is it delegated entirely to management?
For companies in the critical minerals and defense supply chain space, there is an additional consideration: strategic investors and defense primes conducting due diligence increasingly include cybersecurity governance as a threshold criterion. A company that cannot demonstrate a defensible disclosure framework may find itself excluded from capital raises, joint ventures, or government-adjacent contracts — not because of a breach, but because the governance structure to manage one doesn’t exist on paper.
Cybersecurity governance is no longer a back-office concern. It is part of the story you tell the market.
What a Governance Framework Looks Like in Practice
A cybersecurity governance framework built for SEC compliance is not a technology project. It does not require new software, a larger IT budget, or a security operations center. What it requires is clarity: about who owns what decisions, how those decisions are made, and how the process is documented.
The core components for a small-cap company include:
• A materiality determination protocol that defines the criteria and process by which the CFO and General Counsel assess whether an incident triggers Form 8-K Item 1.05 disclosure
• An incident escalation path that connects the IT or MSP layer to executive decision-makers within a defined timeframe
• Board-level oversight documentation showing that cyber risk is a standing agenda item and that the board receives regular, substantive briefings
• Annual disclosure language for Item 106 that accurately reflects the company’s actual risk management process — not generic boilerplate
• A tabletop exercise cadence that tests the materiality determination process before an incident occurs
None of this is theoretical. It is practical governance work that a small-cap company can implement without a large internal team, provided it has the right advisory support to build it correctly the first time.
The companies that build this framework before an incident are the ones that control their own narrative when an incident happens. The ones that don’t are the ones scrambling to explain their process — or lack of one — to the SEC, to their board, and to the market.
At Sturnella, we work with small-cap mining, natural resources, energy, and defense-adjacent companies to build cybersecurity governance frameworks that are defensible, practical, and built to withstand SEC scrutiny.
We’re based in Wyoming because that’s where a significant part of this story is being written — in the critical mineral belts, the uranium fields, and the energy corridors of the American West. We believe the companies doing this work deserve access to governance advisory that meets them where they are, not where Wall Street assumes they should be.
If you’re a CFO, General Counsel, or Audit Committee Chair at a small-cap public or pre-IPO company in this space — and you’re not sure you have a defensible answer to the question at the top of this article — we’d like to talk.