When "disclose everything" becomes the wrong answer: what the SpaceX IPO question reveals about GRC's next frontier

Why GRC frameworks built for yesterday's corporate world are breaking against tomorrow's dual-use economy

4/20/2026 · 3 min read

The SEC's 2023 cybersecurity disclosure rules were a landmark moment for our profession. For the first time, public companies had a binding obligation to report a cyber incident within four business days of determining it was material, to describe board-level oversight of cyber risk, and to be transparent with investors about their threat landscape.

I supported those rules. I still do. But a question I've been sitting with lately exposes a tension the framework wasn't designed to handle.

What happens when a company preparing for an IPO is simultaneously a critical national security infrastructure provider?

That's not hypothetical. It's the situation SpaceX would face the day it went public.

The disclosure problem we need to discuss

Under Item 1.05 of Form 8-K, a public SpaceX would be required to disclose a material cybersecurity incident within four business days of determining that it was material. Under Item 106 of Regulation S-K, it would need to describe annually, in its Form 10-K, its processes for managing cyber risk and how its board oversees that risk.

Now consider what SpaceX actually operates: Starlink communications infrastructure used by military and intelligence services across multiple continents, classified DoD launch contracts, and NASA crew transport under the Commercial Crew Program.

If SpaceX suffers a cyber incident touching any of those programs, the details of what was accessed, and how, may themselves be classified. The SEC does have a limited national security carve-out: if the Attorney General determines that disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing, the filing can be delayed, initially for up to 30 days, with further extensions possible. But that mechanism has never been stress-tested against a company with SpaceX's breadth of classified exposure.

We don’t really know how this would work at scale.

The related-party problem nobody has a template for

Regulation S-K's related-party disclosure requirements (Item 404) are well understood. If a director has a financial relationship with a vendor, you disclose it. The framework is built around financial conflicts.

But what about an informational asymmetry created by a government advisory role? If the CEO of a public company has visibility into regulatory decisions — FAA launch approvals, FCC spectrum allocations, NASA contract renewals — through an informal government position, is that a material relationship that investors need to know about? Is it a related-party disclosure? A risk factor? Both?

The question gets more complex, not less, when you account for the fact that formal roles end but relationships don't.

Musk stepped down from his formal DOGE role in May 2025. Some will argue that resolves the conflict. I'd argue it reframes it into something more difficult to manage from a compliance standpoint. Formal roles have defined edges: recusal requirements, disclosure obligations, cooling-off periods. What remains after a formal role ends is a personal network, relationships with senior officials across the agencies that regulate and contract with SpaceX, built during a period of significant governmental access. Reg S-K's related-party framework was designed to capture financial relationships and formal affiliations. It has very little to say about relational influence that leaves no contractual footprint.

Either way, there's no existing prospectus template for this. No precedent I'm aware of adequately addresses it. And yet a GRC team preparing for that IPO would need to answer it.

What this means for the rest of us

You might be thinking: this is a one-of-a-kind situation. And it is — for now.

But the underlying tension is not. As more technology companies pursue dual-use contracts, as the line between commercial and national security infrastructure blurs, and as business leaders increasingly hold formal or informal government roles, GRC professionals are going to face versions of this question more often.

The framework we have was built for a cleaner separation between public companies and government. That separation is eroding.

The question I keep coming back to: are we — as a profession — building the muscle to handle it? Or are we going to wait until a public company gets it wrong and then reverse-engineer the guidance from the enforcement action?

I don't have a clean answer. But I think the conversation needs to start now.

I work in GRC with a focus on SEC cybersecurity disclosure requirements. These are my own views, intended to open a professional conversation — not legal advice.