Yay, my (mostly automated) 10-K Cybersecurity Tracker is live! 1 Here are some items that piqued my interest along the way:
153 10-Ks (as of 30 Jan 2024) with “Item 1C. Cybersecurity” have been posted in 2024 Q1. There were actually 76 posted in 2023 Q4 and 9 posted in 2023 Q3!
There are some really exciting research possibilities I’m already thinking about, especially seeing is there is correlation between quality of the 10-K cybersecurity disclosures and a company’s ability to prevent or quickly mitigate a cybersecurity incident. To that end, I’m actively looking for input/assistance for what fact/observations we should try to extract from 10-Ks (some ideas: do they have a CISO, what cadence is the board updated, do they mention NIST, ISO or other frameworks, etc.). I’d you like to help, please contact us!
While I’ve improved my detection and extraction code, it’s still not good enough to post fully formatted “Item 1C.” disclosures without human intervention. However, the most of the time the unformatted version of item will be present. So, if you’re reviewing a 10-K and it’s unformatted, click the “Drop us a note” link and include the URL so I can prioritize formatting that 10-K.
Due to the volume, I’m not currently offering an email alert capability. If folks see value in that, please drop me a line and let me know. I was thinking the best approach might be a weekly digest email (or maybe daily) but unless people let me know (in this post, DM, etc…), I’m not prioritizing this.
For the 10-Ks I looked at, I added both “Item 1C.” and any “1A Risk Factors.” that mentioned “cyber” but there was just too much data to enter so I link to the 10-Ks but until I have more automation, you’ll have to review the Risk Factors in the original postings.
Many of the early 10-Ks and some in Q1 2024 have “Not Applicable” and at first I was confused but, in general, this is because their fiscal year end is before Dec 15, 2023 so the 10-K rules are not required for them yet.
I hope to add a quick search feature so people can find the 10-Ks they are interested in. If you have suggestions for other properties to have on the main tracker page besides Date and Company (e.g. maybe SIC code, company filer type, etc.), let me know.
First “Item 1C.” mention ever is PARKER-HANNIFIN CORPORATION who mistakenly uses 1C for “Information about our Executive Officers.” 2 😆
First “Item 1C.” that’s actually Cybersecurity AND has something other than “not applicable” or equivalent is from DATASEA INC. 3
Page last updated on February 20, 2024