Bridging the Gap: Aligning Cybersecurity Strategies with the Rise of Generative AI in Business

Is There a Strategic Misalignment Between Business Goals and Cybersecurity Efforts? Industry Insights The Implications for Cybersecurity The presence of Generative Artificial Intelligence (AI) in the business world has been unmistakably marked by its burgeoning references in public company Annual 10-K Reports. A comparative analysis from December 15, 2022, to March 31, 2023, against the same period from December 15, 2023, to March 31, 2024, reveals a significant jump—from 15% to 40%—in companies mentioning AI in their Annual 10-K Reports.

The Role of Privacy Officers in SEC's Cybersecurity Disclosure Rule

Security vs. Privacy: Understanding the Difference The Missed Opportunity: Privacy Officers Analysis | Privacy in SEC Filings In an era of rapid technological advancements and increasing cybersecurity threats, safeguarding sensitive information has become a top priority for organizations. The Securities and Exchange Commission (SEC) recognizes the critical role that cybersecurity plays in investor confidence and market stability. As part of its commitment to transparency, the SEC has introduced rules that require companies to disclose material cybersecurity incidents and provide annual information regarding their cybersecurity risk management, strategy, and governance.

8-K Incident Handling Checklist Now Available

Understanding 8-K Item 1.05 Disclosure Requirements Streamlined Incident Handling with our 8-K Checklist Frameworks for Risk Management Key Benefits of the 8-K Incident Handling Checklist Additional Resources Direct link to the 8-K Incident Handling Checklist The Securities and Exchange Commission (SEC) recently implemented a new mandate requiring public companies to disclose material cybersecurity incidents through Form 8-K, Item 1.05. This new regulation is a significant step towards increased transparency and investor protection, and the objective of this checklist is to provide a consistent path for public companies to shape their 8-K disclosures.

41% of 10-Ks mention CISO

In a recent conference talk, I share my thought on 10-K Cybersecuruty Best Practices and the top two (of 8) recommendations were: Only state factual items Have a dedicated security executive Cybersecurity incidents can have a significant impact on companies and in some cases large-scale cases, the economy as a whole. Given the systemic risks to companies, it’s imperative to have a dedicated security executive whose experience and singular focus is on reducing the impact of these attacks.

Overview and analysis of SEC's new cybersecurity disclosure rules - SnowFROC 2024

Play Video on YouTube I gave a talk at SnowFroc 2024 providing: an overview of the new SEC cybersecurity disclosure rules analysis of 8-K and 10-K disclosures since the new rules took effect some early on “best practices” for cybersecurity risk management, strategy, governance and how to develop compliant and high quality SEC filings. I’ve posted a re-recorded version of the talk on my YouTube channel (my attempt to record on my iPhone at the conference was a fail) as well as the slides and transcript below.

Percentage of 10-Ks that mention a CISO

52% (194 out of 373) of companies disclosing “Item 1C. Cybersecurity” in their 10-K specifically mention a Chief Security or Chief Information Security Officer role. For details on the data and analysis, see the data section at the end for additional details. You can see the full list of the 10-Ks in the 10-K Cybersecurity Tracker. Percentage by filer category It’s helpful to look at how the size of the company (using the filer category as proxy) affected mentioning a CISO.

10-K Cybersecurity Tracker now available

Yay, my (mostly automated) 10-K Cybersecurity Tracker is live! 1 Here are some items that piqued my interest along the way: 153 10-Ks (as of 30 Jan 2024) with “Item 1C. Cybersecurity” have been posted in 2024 Q1. There were actually 76 posted in 2023 Q4 and 9 posted in 2023 Q3! There are some really exciting research possibilities I’m already thinking about, especially seeing is there is correlation between quality of the 10-K cybersecurity disclosures and a company’s ability to prevent or quickly mitigate a cybersecurity incident.

Kevin Richards advice for CISOs

I sat down for breakfast in early December with Kevin Richards, the President of Cyber Risk Solutions at X-Analytics. Kevin shared some fantastic insights and I wanted to pass them along. Kevin started off with two big discussion topics he advises CISOs should be having with their C-Suite and Board: How do “we” determine materiality? What is our appetite and/or tolerance for cyber risk? Determining materiality Materiality has a particularly vague definition – to paraphrase Thurgood Marshall, “…materiality is any information a reasonable investor would need to make an informed voting [or investment] decision…” Equally vague is Justice Marshall’s discussion is the word “reasonable”.

Hindsight Analysis 23andMe - missing security mitigations

Why hindsight analysis? Attack Techniques Missing Detections User Account Authentication Missing Mitigations Multi-factor authentication User Account Management 8K/A Summary 8-K/A Notes Why hindsight analysis? The goal of this hindsight analysis is help people involved in cybersecurity risk management reflect on their organization’s security posture and hopefully learn from the challenges others have gone through. Intended audience includes board directors, executive management and security practitioners. While reading 23andMe’s 8-KA updated on their October 1, 2023 cybersecurity incident, I thought it might be helpful to do a quick analysis of the attack and presumed missing security mitigations leveraging the MITRE ATT&CK framework.

Why Board Cybersecurity?

Cybersecurity has gone mainstream because it is materially impacting our security, our investments and our privacy. This is underscored by the SEC’s new cybersecurity disclosure rules and represents a clear opportunity to improve the status quo. The mission of Board Cybersecurity is to provide board directors, executive management and investors the resources to properly assess, manage and mitigate cybersecurity risk. The following initiatives will be the initial focus of Board Cybersecurity.