Tech debt at the public company: Form 10-K considerations
Tech debt disclosure at public companies is an emerging area. The SEC's 2023 cybersecurity rulemaking set a precedent for more specific operational-risk disclosure that may extend to tech debt over the next several reporting cycles. CTOs and audit committee chairs are increasingly engaged in the question of what to disclose and when.
The 90-Second Answer
Public-company tech debt management is ongoing, audit-committee-supervised, and increasingly subject to disclosure scrutiny. The MD&A section under 17 CFR §229.303 already requires discussion of known trends and uncertainties material to financial condition; the 2023 cybersecurity rulemaking has set a precedent for more specific operational-risk disclosure. CTOs should expect more disclosure obligations, not fewer, over the next five years.
The Disclosure Landscape
What 17 CFR §229.303 already requires
The MD&A section of Form 10-K is governed by 17 CFR §229.303 (Item 303 of Regulation S-K). The rule requires the company to discuss known trends, demands, commitments, events, and uncertainties that have had or are reasonably likely to have a material effect on financial condition or results of operations. The rule does not name tech debt specifically, but the language is broad enough to capture material operational-risk positions where the company knows about them and where they meet the materiality threshold.
Companies have historically interpreted §229.303 conservatively for tech debt: generic risk-factor language about reliance on legacy systems, no specific quantitative disclosure of accumulated debt positions, and no MD&A discussion of tech-debt-driven trends in financial condition. The conservative interpretation has not been formally challenged by the SEC, but the directional trend in SEC enforcement priorities (visible in the cybersecurity rulemaking and in commission speeches in 2023-2024) is toward more specific operational-risk disclosure where the company knows the facts.
The most exposed companies under the directional trend are those where tech debt has materially affected financial trends already (gross-margin compression, hosting-cost growth outpacing revenue, support-cost growth outpacing customer growth) and where the company has not discussed the underlying causes in MD&A. The disclosure question is no longer whether to discuss the financial trends but how to discuss them; framing the trends without acknowledging the underlying operational cause is increasingly seen as incomplete disclosure by sophisticated investors and may eventually attract SEC scrutiny.
The Cybersecurity Precedent
What the 2023 rulemaking signals
The SEC's 2023 cybersecurity disclosure rulemaking requires public companies to disclose material cybersecurity incidents within four business days and to discuss cybersecurity risk management, strategy, and governance in annual reports. The rule is specifically about cybersecurity but it represents a broader directional shift: the SEC is increasingly comfortable requiring specific operational-risk disclosure where the operational risk has financial implications.
Tech debt is the operational-risk category most likely to follow the cybersecurity precedent. The financial implications of tech debt are well-established (the 25-42% McKinsey drag figure, the gross-margin compression discussed on the gross-margin page, the SOX-readiness implications discussed on the late-stage page). The materiality threshold is plausibly crossed for many public software companies. The mechanism (more specific MD&A discussion or a new disclosure rule) is plausibly within the SEC's authority. The timing is uncertain; the directional probability is non-zero and increasing.
CTOs and audit committee chairs at public companies should treat the cybersecurity precedent as a forward indicator. The companies that engage with tech debt disclosure proactively now will be ahead of the eventual rule cycle if it materialises; the companies that wait will face the disclosure as a compliance burden rather than as a managed communication. The cost of getting ahead is small; the cost of being behind is larger.
The Audit Committee Cadence
What public-company audit committees want from the CTO
Public-company audit committees engage with tech debt more deeply than private-company boards do, because the audit committee carries delegated authority over ICFR-related risks. The cadence and content of the engagement vary by company, but the pattern below is representative of larger public software companies.
The audit committee chair typically owns the relationship with the CTO on these items, with the full audit committee engaged at the annual deep-dive and at any event-driven escalation.
The Carve-Out Scenario
When a public parent divests a business unit
The carve-out scenario is a specific case where public-company tech-debt management becomes acute. When a public parent decides to divest a business unit (to a strategic buyer, to a financial sponsor, or via a spin-off), the carve-out team inherits a tech debt position shaped by years of being internal to a larger system. The internal dependencies that were invisible (shared authentication, shared billing, shared observability, shared CI/CD) become explicit decisions on day one of the carve-out. The tech-DD on the carve-out is structurally similar to M&A tech DD (see the acquirer pitch page) but with the additional complexity that the carve-out has to be separately self-sufficient.
The carve-out preparation work typically takes 6-18 months and includes: identifying the internal dependencies that need to be replicated or substituted, building the standalone equivalents of the parent's shared infrastructure, establishing the carve-out's own engineering processes and culture, and migrating the carve-out's data and systems out of the parent's environment. The work is engineering-intensive and the carve-out engineering team is typically resource-constrained relative to the work scope.
The CTO of a carve-out (or the soon-to-be CTO of a business unit being prepared for carve-out) should run the preparation as a structured programme with its own funding and its own timeline. Treating it as ad-hoc work that the existing engineering organisation handles alongside business-as-usual reliably produces a carve-out that ships late, with material gaps in the standalone capability, and with tech debt that the new owner discovers post-close. The structured-programme approach is more expensive in the short term but materially better in outcome.
Cross-Reference
Public company in the company-stage stack
Public company is the final stage in the company-stage progression: pre-Series A, Series A-C, growth, late stage, public company. For the board-level fiduciary framing that is most relevant at public-company stage, see the board pitch page. For the business-metric impacts that map most directly to public-investor scrutiny, see the gross-margin page and the burn-rate / FCF page.
For the engineering-practitioner view of the SOX-readiness work and the platform investment patterns at public-company scale, see the sister site technicaldebtcost.com. The hipaacompliancecost and soc2compliancecost portfolio siblings cover the specific compliance-engineering work that intersects with public-company audit cycles.
Field Notes
Frequently asked questions
Do public companies have to disclose tech debt?
Not as a named line item. But material operational risks that affect financial condition can require disclosure under MD&A guidance (17 CFR §229.303), and the SEC's 2023 cybersecurity rulemaking has set a precedent for more specific operational-risk disclosure. The directional trend is toward more disclosure, not less.
How is this different from late-stage / pre-IPO?
At late stage the work is to clean up before IPO; at public company the work is ongoing maintenance of disclosure-grade documentation and SOX-readiness. The cadence is continuous and quarterly rather than a 12-24 month sprint. The audit committee is engaged routinely rather than as a one-time event.
What does the audit committee want from the CTO?
Quarterly visibility into ICFR-relevant tech-debt positions, advance warning of any work that might create or remediate a control deficiency, and a credible long-term remediation plan for material accumulated debt. The audit committee chair typically wants a 15-minute CTO update at least annually, sometimes quarterly.
How does this affect engineering org structure?
Public-company engineering organisations typically have explicit roles or functions for: SOX-readiness engineering, cybersecurity engineering, compliance-engineering liaison, and engineering-financial-controls partnership. These functions either sit inside the platform team or in a dedicated infrastructure organisation; either way they need to be named.
What is the impact on engineering investment philosophy?
Public companies tend to fund tech debt remediation more reliably than private companies because the cost-of-inaction (control deficiency, material weakness disclosure, restatement risk) is more concrete. The investment is justified differently but is typically larger as a percentage of engineering capacity.
What is the carve-out scenario for public companies?
When a public parent divests a business unit, the carve-out engineering team inherits a tech debt position shaped by years of being internal to a larger system. The tech-DD on the carve-out is structurally similar to M&A tech DD, with the additional complexity that the carve-out has to be separately self-sufficient from day one.