41% of 10-Ks mention CISO

In a recent conference talk, I share my thought on 10-K Cybersecuruty Best Practices and the top two (of 8) recommendations were:

  1. Only state factual items
  2. Have a dedicated security executive

Cybersecurity incidents can have a significant impact on companies and in some cases large-scale cases, the economy as a whole. Given the systemic risks to companies, it’s imperative to have a dedicated security executive whose experience and singular focus is on reducing the impact of these attacks.

The recent cybersecurity disclosure rules from the SEC not only provide investors with material information on how companies manage security risk but also valuable data that can be used to glean best practices in cybersecurity risk management.

The analysis below is a snapshot of data from 10-Ks disclosed on or before 2023-03-15. See the the data section at the end for additional details on the data set. You can see the full list of the 10-Ks in the 10-K Cybersecurity Tracker.

Percentage of 10-Ks that mention a CISO

41% (1,121 out of 2,710) of companies disclosing “Item 1C. Cybersecurity” in their 10-K specifically mention a Chief Security or Chief Information Security Officer role.

Graph showing ony 41% of companies mention a CISO in their 10-K Item 1C

Percentage by filer category

It’s helpful to look at how the size of the company (using the filer category as proxy) affected mentioning a CISO. The filer categories are (from largest):

Graph of CISO by filer category

So the good news is large accelerated filers mention a CISO at a much higher rate than smaller filers. And while this is positive, accelerated and non-accellerated filers are still pretty large companies by most standards so those percentages are quite low.

Percentage by SIC Division

While Standard Industrial Classification (SIC) Codes were deprecated for NAICS, the SEC still uses it to indicate a company’s type of business. The broadest SIC classification is called a division (read more on Wikipedia) and this analysis groups filers according to those SIC ranges.

Graph of CISO by SIC divisions

Again, it’s positive to see key SIC divisions mention a CISO at a higher rate, notably:

And I guess it’s not surprising that less than 20% of Mining companies have a CISO but when I think about the criticailty of certain resources, the environmenal impacts and more, I believe they are overlooking cybersecurity risk.

Lastly, does anyone have a contact at the SEC? As I analyze more data, I’m finding gaps in data from certain filers in the REST API. As you can tell from this chart, 84 of the filers do not have an SIC code. Some are also missing their fiscal year end date. If you do know someone I can pass this along to, please drop me a DM on LinkedIn. or the contact us page


Here are some details on the data:

I excluded 1C items with less than 100 characters as companies with annual reports for fiscal years ending before December 15, 2023 were not required to populated the Item 1C section and state something along the lines of “Not Applicable” (e.g. Apple Inc 10-K).

Also, while I believe this data to be accurate, parsing SEC filings is challenging so there may be slight inconsistencies, notably if we were unable to extract the Item 1C section with automation. Additional, the analysis has not yet been reviewed by another researcher.

If you are a researcher or potential contributor and would like access to the raw data, please use the contact us form or connect and send me a message on LinkedIn.

Page last updated on March 17, 2024