Transparency vs. Risk Exposure - Analyzing Cyber Insurance and Public Disclosures

The Pros and Cons of Publicly Disclosing A Company Maintains Cyber Insurance What does the Data Say? Is it any different for companies with Higher Revenue? What about Incident Disclosures? What are the takeaways? Companies typically take a multi-layered approach to managing cyber risk, which includes building internal cybersecurity programs to mitigate risk, accepting risk where it falls within the business’ risk appetite, and transferring a portion of risk to cyber insurance providers.

Bracing for the Cyber Storm: What CISOs Can Learn from Recent Natural Disasters

As a CISO, you’re no stranger to weathering the storm. Whether it’s fending off the latest cyber threat or navigating the turbulent waters of regulatory compliance, your ability to assess and respond to risk is critical to the success of your organization. But when it comes to the thorny issue of “materiality,” many CISOs find themselves caught in the cyber equivalent of a sudden April shower - unprepared and unsure of how to chart a course that aligns with the expectations of regulators and investors.

Bridging the Gap: Aligning Cybersecurity Strategies with the Rise of Generative AI in Business

Is There a Strategic Misalignment Between Business Goals and Cybersecurity Efforts? Industry Insights The Implications for Cybersecurity The presence of Generative Artificial Intelligence (AI) in the business world has been unmistakably marked by its burgeoning references in public company Annual 10-K Reports. A comparative analysis from December 15, 2022, to March 31, 2023, against the same period from December 15, 2023, to March 31, 2024, reveals a significant jump—from 15% to 40%—in companies mentioning AI in their Annual 10-K Reports.

The Role of Privacy Officers in SEC's Cybersecurity Disclosure Rule

Security vs. Privacy: Understanding the Difference The Missed Opportunity: Privacy Officers Analysis | Privacy in SEC Filings In an era of rapid technological advancements and increasing cybersecurity threats, safeguarding sensitive information has become a top priority for organizations. The Securities and Exchange Commission (SEC) recognizes the critical role that cybersecurity plays in investor confidence and market stability. As part of its commitment to transparency, the SEC has introduced rules that require companies to disclose material cybersecurity incidents and provide annual information regarding their cybersecurity risk management, strategy, and governance.

8-K Incident Handling Checklist Now Available

Understanding 8-K Item 1.05 Disclosure Requirements Streamlined Incident Handling with our 8-K Checklist Frameworks for Risk Management Key Benefits of the 8-K Incident Handling Checklist Additional Resources Direct link to the 8-K Incident Handling Checklist The Securities and Exchange Commission (SEC) recently implemented a new mandate requiring public companies to disclose material cybersecurity incidents through Form 8-K, Item 1.05. This new regulation is a significant step towards increased transparency and investor protection, and the objective of this checklist is to provide a consistent path for public companies to shape their 8-K disclosures.

41% of 10-Ks mention CISO

In a recent conference talk, I share my thought on 10-K Cybersecuruty Best Practices and the top two (of 8) recommendations were: Only state factual items Have a dedicated security executive Cybersecurity incidents can have a significant impact on companies and in some cases large-scale cases, the economy as a whole. Given the systemic risks to companies, it’s imperative to have a dedicated security executive whose experience and singular focus is on reducing the impact of these attacks.

Overview and analysis of SEC's new cybersecurity disclosure rules - SnowFROC 2024

Play Video on YouTube I gave a talk at SnowFroc 2024 providing: an overview of the new SEC cybersecurity disclosure rules analysis of 8-K and 10-K disclosures since the new rules took effect some early on “best practices” for cybersecurity risk management, strategy, governance and how to develop compliant and high quality SEC filings. I’ve posted a re-recorded version of the talk on my YouTube channel (my attempt to record on my iPhone at the conference was a fail) as well as the slides and transcript below.

Percentage of 10-Ks that mention a CISO

52% (194 out of 373) of companies disclosing “Item 1C. Cybersecurity” in their 10-K specifically mention a Chief Security or Chief Information Security Officer role. For details on the data and analysis, see the data section at the end for additional details. You can see the full list of the 10-Ks in the 10-K Cybersecurity Tracker. Percentage by filer category It’s helpful to look at how the size of the company (using the filer category as proxy) affected mentioning a CISO.

10-K Cybersecurity Tracker now available

Yay, my (mostly automated) 10-K Cybersecurity Tracker is live! 1 Here are some items that piqued my interest along the way: 153 10-Ks (as of 30 Jan 2024) with “Item 1C. Cybersecurity” have been posted in 2024 Q1. There were actually 76 posted in 2023 Q4 and 9 posted in 2023 Q3! There are some really exciting research possibilities I’m already thinking about, especially seeing is there is correlation between quality of the 10-K cybersecurity disclosures and a company’s ability to prevent or quickly mitigate a cybersecurity incident.

Kevin Richards advice for CISOs

I sat down for breakfast in early December with Kevin Richards, the President of Cyber Risk Solutions at X-Analytics. Kevin shared some fantastic insights and I wanted to pass them along. Kevin started off with two big discussion topics he advises CISOs should be having with their C-Suite and Board: How do “we” determine materiality? What is our appetite and/or tolerance for cyber risk? Determining materiality Materiality has a particularly vague definition – to paraphrase Thurgood Marshall, “…materiality is any information a reasonable investor would need to make an informed voting [or investment] decision…” Equally vague is Justice Marshall’s discussion is the word “reasonable”.