WHAT IS THE ANNUAL 10-K SURVEY?
A publication by HALOCK Security Labs and Reasonable Risk that tracks how well public companies describe their cybersecurity programs in Item 1C of their 10-K disclosures.
WHAT IS ITEM 1C?
Item 1C is a new Form 10-K requirement, effective for fiscal years ending on or after December 15, 2023, under the SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule. It asks public filers to describe to their investors how they assess, identify and manage material cybersecurity risks, how those processes fit into their overall risk management, and the roles that their executives and board directors play in that management. Disclosure of individual material incidents is handled separately under the same rule, on Form 8-K (Item 1.05), within four business days of the company determining that an incident is material.
WHAT IS THE PURPOSE OF THE SURVEY?
The Survey is intended to help cybersecurity leaders, non-technical executives, board directors, and investors understand trends in how Item 1C is being disclosed, and to offer advice on writing evidence-based disclosures about cybersecurity programs. The findings also reflect how familiar the public currently is with cybersecurity risk management and governance.
WHAT DOES THE SURVEY SHOW?
The Survey qualitatively examines the content of 10-Ks alongside industry reports to determine how closely the disclosures match industry trends, and quantitatively examines the 10-K text to determine whether key terms and phrases reveal trends in how companies describe their cybersecurity risk management programs.
WHY WAS THE SURVEY DEVELOPED?
Ultimately, to better serve the industry, businesses, and investors by showing how public filers can improve both their cybersecurity risk management programs and the way they describe them.
From the 10-K Survey Preface:
The SEC’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule was designed to help the marketplace put pressure on public companies to transparently and effectively manage cybersecurity risk. The new cybersecurity rule does not impose risk management requirements or standards of practice on companies. It simply requires that organizations, in their SEC filings (in particular their 10-Ks), explain to investors how they are made aware of cyber risks that could cause a material impact, how they manage those risks, and how they inform investors when a cyber incident becomes material.
Underlying this study is HALOCK’s assumption that – as a general rule – neither executives nor reasonable investors would recognize whether cybersecurity risk management programs are well designed or effective. This is not meant to be a disparaging statement, but a description of the public’s current familiarity with cybersecurity risk management and governance. This is a specialized field that few people understand.
Put another way, a public company’s reasonable investors and analysts are competent in understanding the risks that are characteristic of the businesses they are interested in (e.g., investors in manufacturing should have an awareness of supply chain risks, financial services investors should understand market volatility, professional services analysts should be concerned about the loss of key leaders), but few investors would necessarily understand how cybersecurity risk or cybersecurity risk management functions.
We believe – and evidence shows – that the SEC’s new rule sets a high bar that most companies and their investors cannot achieve today. Moreover, public companies appear to be overstating their cybersecurity governance capabilities in their 10-Ks.
This is not to say that companies are intentionally misleading their investors about cybersecurity risk management. Rather, companies do not yet know how to define what cybersecurity risk management is, how they determine what cyber risks and incidents would be qualitatively and quantitatively material, or how they discern strategy from governance.
Cybersecurity programs in much of corporate America are driven by controls compliance rather than risk management, and the two are very different. When regulators demand risk management, they expect us to estimate the likelihood and magnitude of the harm we may cause others and to implement safeguards commensurate with those risks. Compliance programs, on the other hand, require only that we follow generally applicable rules.
Risk management is good public policy: we invest what we should to protect others, but no more than the risks we may cause them warrant. Compliance, by contrast, is famously frustrating: we do what we are told and are punished when we fail, even when the rules we are told to follow are not practical, helpful, or possible.
We intend this study to be an annual series that examines whether and how companies improve their cybersecurity risk management, strategy, and governance, and learn to use risk analysis to inform their incident disclosure processes.
DOWNLOAD THE 10-K ANNUAL SURVEY REPORT
WHERE CAN I LEARN MORE ABOUT IMPROVING CYBER RISK MANAGEMENT?
Our webinar, How Executives Make Informed Cyber Decisions, will review results from the 10-K Survey Report and more on September 19, 2024.
Join Charity Otwell, Director, Critical Security Controls at Center for Internet Security, Phillippe Langlois, Data Breach Investigations Report (DBIR) Author at Verizon, and Chris Cronin, Partner at HALOCK Security Labs and Reasonable Risk.
The expert panel will be discussing some of the awkward truths found in HALOCK’s SEC 10-K Survey Report and will share techniques for communicating cyber risk to executives well enough that they can make informed cybersecurity decisions.
DATE: September 19, 2024 | Virtual | 1pm CST