June 19, 2024
by
Andrew Heighington
(CEO and CISO at Cylero)
The Pros and Cons of Publicly Disclosing A Company Maintains Cyber Insurance
What does the Data Say?
Is it any different for companies with Higher Revenue?
What about Incident Disclosures?
What are the takeaways?
Companies typically take a multi-layered approach to managing cyber risk, which includes building internal cybersecurity programs to mitigate risk, accepting risk where it falls within the business’ risk appetite, and transferring a portion of risk to cyber insurance providers.
April 22, 2024
by
Jacob Wilson
(Gemini)
As a CISO, you’re no stranger to weathering the storm. Whether it’s fending off the latest cyber threat or navigating the turbulent waters of regulatory compliance, your ability to assess and respond to risk is critical to the success of your organization. But when it comes to the thorny issue of “materiality,” many CISOs find themselves caught in the cyber equivalent of a sudden April shower: unprepared and unsure of how to chart a course that aligns with the expectations of regulators and investors.
April 9, 2024
by
Andrew Heighington
(CEO and CISO at Cylero)
Is There a Strategic Misalignment Between Business Goals and Cybersecurity Efforts?
Industry Insights
The Implications for Cybersecurity
The presence of Generative Artificial Intelligence (AI) in the business world has been unmistakably marked by its burgeoning references in public company Annual 10-K Reports. A comparative analysis from December 15, 2022, to March 31, 2023, against the same period from December 15, 2023, to March 31, 2024, reveals a significant jump, from 15% to 40%, in companies mentioning AI in their Annual 10-K Reports.
April 9, 2024
by
Amaka Ibeji
Security vs. Privacy: Understanding the Difference
The Missed Opportunity: Privacy Officers
Analysis | Privacy in SEC Filings
In an era of rapid technological advancements and increasing cybersecurity threats, safeguarding sensitive information has become a top priority for organizations. The Securities and Exchange Commission (SEC) recognizes the critical role that cybersecurity plays in investor confidence and market stability. As part of its commitment to transparency, the SEC has introduced rules that require companies to disclose material cybersecurity incidents and provide annual information regarding their cybersecurity risk management, strategy, and governance.
April 5, 2024
by
Jacob Wilson
(Gemini)
Understanding 8-K Item 1.05 Disclosure Requirements
Streamlined Incident Handling with our 8-K Checklist
Frameworks for Risk Management
Key Benefits of the 8-K Incident Handling Checklist
Additional Resources
Direct link to the 8-K Incident Handling Checklist
The Securities and Exchange Commission (SEC) recently implemented a new mandate requiring public companies to disclose material cybersecurity incidents through Form 8-K, Item 1.05. This new regulation is a significant step towards increased transparency and investor protection, and the objective of this checklist is to provide a consistent path for public companies to shape their 8-K disclosures.
March 17, 2024
by
Andrew Hoog
(NowSecure)
In a recent conference talk, I shared my thoughts on 10-K Cybersecurity Best Practices. The top two (of 8) recommendations were:
1. Only state factual items
2. Have a dedicated security executive
Cybersecurity incidents can have a significant impact on companies and, in some large-scale cases, on the economy as a whole. Given the systemic risks to companies, it’s imperative to have a dedicated security executive whose experience and singular focus is on reducing the impact of these attacks.
March 13, 2024
by
Andrew Hoog
(NowSecure)
I gave a talk at SnowFroc 2024 providing:
- an overview of the new SEC cybersecurity disclosure rules
- analysis of 8-K and 10-K disclosures since the new rules took effect
- some early “best practices” for cybersecurity risk management, strategy, governance and how to develop compliant and high-quality SEC filings.
I’ve posted a re-recorded version of the talk on my YouTube channel (my attempt to record on my iPhone at the conference was a fail) as well as the slides and transcript below.
February 18, 2024
by
Andrew Hoog
(NowSecure)
52% (194 out of 373) of companies disclosing “Item 1C. Cybersecurity” in their 10-K specifically mention a Chief Security or Chief Information Security Officer role. For details on the data and analysis, see the data section at the end.
You can see the full list of the 10-Ks in the 10-K Cybersecurity Tracker.
Percentage by filer category
It’s helpful to look at how the size of the company (using the filer category as a proxy) affected mentioning a CISO.
January 30, 2024
by
Andrew Hoog
(NowSecure)
Yay, my (mostly automated) 10-K Cybersecurity Tracker is live! Here are some items that piqued my interest along the way:
153 10-Ks (as of 30 Jan 2024) with “Item 1C. Cybersecurity” have been posted in 2024 Q1. There were actually 76 posted in 2023 Q4 and 9 posted in 2023 Q3!
There are some really exciting research possibilities I’m already thinking about, especially seeing whether there is a correlation between the quality of a company’s 10-K cybersecurity disclosures and its ability to prevent or quickly mitigate a cybersecurity incident.
January 20, 2024
by
Andrew Hoog
(NowSecure)
I sat down for breakfast in early December with Kevin Richards, the President of Cyber Risk Solutions at X-Analytics. Kevin shared some fantastic insights and I wanted to pass them along.
Kevin started off with two big discussion topics he advises CISOs should be having with their C-Suite and Board:
1. How do “we” determine materiality?
2. What is our appetite and/or tolerance for cyber risk?
Determining materiality
Materiality has a particularly vague definition. To paraphrase Thurgood Marshall, “…materiality is any information a reasonable investor would need to make an informed voting [or investment] decision…” Equally vague in Justice Marshall’s discussion is the word “reasonable”.