41% of 10-Ks mention CISO

In a recent conference talk, I shared my thoughts on 10-K Cybersecurity Best Practices, and the top two (of 8) recommendations were:

  1. Only state factual items
  2. Have a dedicated security executive

Cybersecurity incidents can have a significant impact on companies and, in large-scale cases, on the economy as a whole. Given the systemic risks to companies, it’s imperative to have a dedicated security executive whose experience and singular focus is on reducing the impact of these attacks.

The recent cybersecurity disclosure rules from the SEC not only provide investors with material information on how companies manage security risk but also valuable data that can be used to glean best practices in cybersecurity risk management.

The analysis below is a snapshot of data from 10-Ks disclosed on or before 2023-03-15. See the data section at the end for additional details on the data set. You can see the full list of the 10-Ks in the 10-K Cybersecurity Tracker.

Percentage of 10-Ks that mention a CISO

41% (1,121 out of 2,710) of companies disclosing “Item 1C. Cybersecurity” in their 10-K specifically mention a Chief Security or Chief Information Security Officer role.

Graph showing only 41% of companies mention a CISO in their 10-K Item 1C

Percentage by filer category

It’s helpful to look at how the size of the company (using the filer category as a proxy) affects whether a CISO is mentioned. The filer categories are (from largest):

Graph of CISO by filer category

So the good news is that large accelerated filers mention a CISO at a much higher rate than smaller filers. And while this is positive, accelerated and non-accelerated filers are still pretty large companies by most standards, so those percentages are quite low.

Percentage by SIC Division

While Standard Industrial Classification (SIC) Codes were deprecated in favor of NAICS, the SEC still uses them to indicate a company’s type of business. The broadest SIC classification is called a division (read more on Wikipedia), and this analysis groups filers according to those SIC ranges.

Graph of CISO by SIC divisions

Again, it’s positive to see key SIC divisions mention a CISO at a higher rate, notably:

And I guess it’s not surprising that less than 20% of Mining companies have a CISO, but when I think about the criticality of certain resources, the environmental impacts and more, I believe they are overlooking cybersecurity risk.

Lastly, does anyone have a contact at the SEC? As I analyze more data, I’m finding gaps in data from certain filers in the REST API. As you can tell from this chart, 84 of the filers do not have an SIC code. Some are also missing their fiscal year end date. If you do know someone I can pass this along to, please drop me a DM on LinkedIn or use the contact us page.

Data

Here are some details on the data:

I excluded 1C items with less than 100 characters, as companies with annual reports for fiscal years ending before December 15, 2023 were not required to populate the Item 1C section and state something along the lines of “Not Applicable” (e.g. Apple Inc 10-K).

Also, while I believe this data to be accurate, parsing SEC filings is challenging, so there may be slight inconsistencies, notably if we were unable to extract the Item 1C section with automation. Additionally, the analysis has not yet been reviewed by another researcher.
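To make the two rules above concrete (drop Item 1C text under 100 characters, then count filings that name a Chief Security or Chief Information Security Officer), here is an added illustration in Python. It is not the tracker's own code and does not touch the SEC API; the role-name regex is an assumption about what "specifically mention" means, and the Item 1C texts are constructed samples, including one placeholder and one sub-100-character text that does mention a CISO, to show that the length filter removes it before counting.

```python
import re
from dataclasses import dataclass

# Threshold from the page's data section: shorter Item 1C text is treated as a
# "Not Applicable"-style placeholder and excluded before anything is counted.
MIN_ITEM_1C_CHARS = 100

# Assumed matching rule (not the page's): "Chief Security Officer",
# "Chief Information Security Officer", or the acronym CISO as a whole word.
CISO_PATTERN = re.compile(
    r"\bchief\s+(?:information\s+)?security\s+officer\b|\bCISO\b",
    re.IGNORECASE,
)


@dataclass
class Filing:
    company: str   # constructed label, not a real filer
    item_1c: str   # extracted Item 1C text


def is_substantive(item_1c: str, min_chars: int = MIN_ITEM_1C_CHARS) -> bool:
    """Exclusion rule: keep only Item 1C text of at least min_chars characters."""
    return len(item_1c.strip()) >= min_chars


def mentions_ciso(item_1c: str) -> bool:
    """True when the text names a CSO/CISO role under the assumed pattern."""
    return CISO_PATTERN.search(item_1c) is not None


def summarize(filings):
    """Return (mentioning, included, percent) over filings that pass the filter.

    Filings that fail the length filter are neither counted in the numerator
    nor the denominator, which is why the order of the two rules matters.
    """
    included = [f for f in filings if is_substantive(f.item_1c)]
    mentioning = [f for f in included if mentions_ciso(f.item_1c)]
    pct = round(100 * len(mentioning) / len(included), 1) if included else 0.0
    return len(mentioning), len(included), pct


# Constructed sample Item 1C texts (not real filings).
SAMPLE_FILINGS = [
    Filing("Placeholder Co", "Not Applicable."),
    Filing("Short Mention Co", "Our CISO manages cybersecurity."),  # mentions, but < 100 chars
    Filing("Alpha Corp",
           "We have a Chief Information Security Officer who reports to the Chief "
           "Information Officer and briefs the Audit Committee of the Board on "
           "cybersecurity risk at least quarterly."),
    Filing("Beta Inc",
           "Our CISO leads a dedicated security team responsible for identifying, "
           "assessing and managing material risks from cybersecurity threats, and "
           "reports to the Board annually."),
    Filing("Gamma Ltd",
           "Our information technology department monitors cybersecurity threats "
           "and reports significant incidents to the Audit Committee. We maintain "
           "an incident response plan and carry cyber insurance."),
    Filing("Delta plc",
           "Security is overseen by our Chief Security Officer, who has over twenty "
           "years of experience in information security and reports directly to "
           "the Chief Executive Officer."),
]

if __name__ == "__main__":
    mentioning, included, pct = summarize(SAMPLE_FILINGS)
    print(f"{pct}% ({mentioning} of {included} substantive filings) mention a CISO")
```

Running the block as-is reports 75.0% (3 of 4): the placeholder and the short mention are dropped by the length rule, and of the four substantive texts only "Gamma Ltd" names no security executive. Swapping in real Item 1C extracts and a stricter or looser regex is where the page's caveat about parsing inconsistencies shows up in practice.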

If you are a researcher or potential contributor and would like access to the raw data, please use the contact us form or connect and send me a message on LinkedIn.

Page last updated on March 17, 2024