CHICAGO, Sept. 17, 2024 /PRNewswire/ — HALOCK Security Labs and sister company, Reasonable Risk, recently published a survey report revealing that language in the SEC’s new cybersecurity requirements appears to be confusing executives at public companies. As a result, many 10-K filings now make implausible claims that companies do not foresee a risk that cybersecurity incidents may cause material impacts. Early 10-K filers also imply stronger confidence in cybersecurity programs than executives are describing anonymously.
The SEC’s new Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule requires public companies to describe how they manage their cybersecurity risk in Item 1C of their 10-Ks. To complicate matters, they must use plain language that reasonable investors would understand. The SEC’s Final Rule also implies that clarity and transparency about cybersecurity risk management will be rewarded with increased investor confidence, and that such rewards will in turn improve transparency and risk management.
“We are finding that non-technical executives typically do not receive the information they need to make informed decisions to prioritize cybersecurity initiatives and approve resources. Not having the right information makes properly informing the Leadership Team and outside investors very difficult.” – Jim Mirochnik, CEO, Reasonable Risk LLC.
HALOCK’s Annual 10-K Survey observes how public company disclosures about their cybersecurity programs change over time. It will qualitatively and quantitatively evaluate public filings to determine whether “clarity and transparency” does, in fact, improve. In the inaugural 2024 survey report, evidence from early 10-K filings suggests that most companies are conflating compliance standards with risk management. This suggests that their risk and governance programs are rooted in controls compliance rather than risk – the core focus of the new rule.
A recurring theme in the 10-Ks indicated that the SEC itself might have been the source of the additional filer confusion. The Final Rule requires that each filer state whether past or future risks did or could create a material incident. This verbiage conflates knowable past events with uncertain future events. In response to this prompt, filers very often said that no past risks or foreseeable risks did or would cause a material impact.
“It is implausible that so many companies conducted risk assessments and found no potentially material risks. It seems that Executives were so concerned about getting their first filings wrong that they adhered too closely to the Final Rule and repeated the SEC’s error.” – Chris Cronin, the Report’s Lead Editor
Corporate cybersecurity programs in the United States have historically focused on controls compliance or maturity scores to manage cybersecurity risks. However, regulators expect organizations to drive their programs with attention to the likelihood and magnitude of harm to others, such as the public or investors. Regulators increasingly state that cybersecurity safeguards and programs can be legally defensible as “reasonable” when the costs and burdens of safeguards are commensurate with the risks they reduce.
The SEC is challenging corporate leadership to take a more active role in their organization’s accountability and transparency in risk management. As cybersecurity risk management evolves, businesses will be pushed to expand their competencies beyond controls compliance and begin proactively managing cybersecurity risk the way they manage every other business risk.
HALOCK and Reasonable Risk help organizations learn and operate these newly required cybersecurity risk management and governance skills. The Annual 10-K Survey Report is a joint effort to gain insights into how well cybersecurity risk management practices are improving. Both organizations contribute their intellectual property and tools to the public to help educate the cybersecurity community and the organizations and public they support.
To learn more on this topic, attend HALOCK’s complimentary webinar on September 19th at 1PM CT: How Executives Make Informed Cyber Decisions
ABOUT HALOCK SECURITY LABS
HALOCK is a risk management and information security consulting firm providing cybersecurity, regulatory, strategic, and litigation services. HALOCK has pioneered an approach to risk analysis that aligns with regulatory standards for “reasonable” and “appropriate” safeguards and risk, using due care and reasonable person principles. As the principal authors of CIS Risk Assessment Method (RAM) and board members of The Duty of Care Risk Analysis (DoCRA) Council, HALOCK offers unique insight to help organizations define their acceptable level of risk and establish reasonable security. https://www.halock.com
ABOUT REASONABLE RISK
Reasonable Risk LLC is a Governance and Risk Management SaaS application that helps cybersecurity leaders derive the likelihood of threats based on real threat data (combined with the maturity of the safeguard in place), making risk analysis more credible and automatic. It facilitates SEC Compliance and has built-in executive reports with pre-mapped fields straight from the risk register. Reasonable Risk founders have combined the power of Project Management tools, the wisdom and methodology of Duty of Care Risk Analysis (DoCRA), and the necessity of cybersecurity governance and risk management in a single tool for a Proven Governance System™.
View original content to download multimedia: https://www.prnewswire.com/news-releases/cyber-firm-reports-secs-final-rule-language-causing-10-k-filer-missteps-302250544.html