Four in 10 publicly-traded companies disclosing their cybersecurity profiles in 10-K filings specifically mention a dedicated chief security (CSO) or chief information security officer (CISO), according to a recent Board Cybersecurity study.
Although calling out CSOs or CISOs in 10-K filings is not a reporting requirement — the requirements are flexible — it’s noteworthy that it's not mentioned in 60% of cases, given the importance placed on the role, particularly at large companies,
It’s often CSOs or CISOs who make decisions to engage with managed security service providers (MSSPs). In that context, is the 10-K figure surprising? Are companies lagging in appointing CSOs and CISOs to oversee their cybersecurity issues? How can MSSPs fill in the gaps?
In an examination of 2,178 10-Ks through March 15, 2024 shared by Board Cybersecurity founder Andrew Hoog with MSSP Alert, dedicated security executives (CSO, CISO) were mentioned in only 41% of the 10-K filings.
“I believe it's generally accepted that key areas of enterprise value (sales, product) or risk (general counsel) should have a dedicated executive,” he said in an email exchange with MSSP Alert. “I think 41% is far lower than what most cybersecurity experts would say is what we'd expect given the systemic risk cybersecurity poses to an organization. On the flip side, it's not like 2% mention a CISO/CSO. So, clearly, it's a key management strategy.”
In these times of rampant cyber breaches, there’s no way around the eye-opening finding of the low number of 10-K SEC registrants mentioning CSO or CISO roles in their SEC filings. Do companies not grasp the importance of an executive to oversee cybersecurity?
"Cybersecurity incidents can have a significant impact on companies and in some cases large-scale cases, the economy as a whole,” Hoog said. “Given the systemic risks to companies, it's imperative to have a dedicated security executive whose experience and singular focus is on reducing the impact of these attacks.
“The recent cybersecurity disclosure rules from the SEC not only provide investors with material information on how companies manage security risk but also valuable data that can be used to glean best practices in cybersecurity risk management.”
Impact of SEC Cybersecurity Incident Rules
To fully understand the impact of this data, we need some context to the SEC cybersecurity incident reporting rules, effective December 18, 2023:
- The “material” impact section of the rule (Form 8-K Item 1.05) drew most of the attention under the new Securities and Exchange Commission (SEC) incident reporting regulation.
- Since the rule went into effect, 13 companies have reported cybersecurity material incidents in 8-K reports, including notables Hewlett-Packard Enterprise, Microsoft and UnitedHealth Group, according to Board Cybersecurity’s incident tracker.
- Since the beginning of 2024, roughly 3,000 companies have reported cybersecurity governance and risk management strategy as disclosed in an entity’s 10-Ks.
- Item 1C Cybersecurity in 10-K filings requires companies to describe how their cybersecurity processes have been integrated into the registrant’s overall risk management system. As part of the SEC rule, companies must also describe both the board and management’s role in assessing and governing material cybersecurity risks. That’s the section where CSO, CISOs are mentioned as part of a company's cybersecurity posture, if the entity chooses to do so.
- Another requirement — and this is important for MSSPs — companies must report their processes to oversee and identify material risks from cybersecurity threats associated with third-party providers.
A Look at a 10-K Filing
Here’s an example of a 10-K Item 1C Cybersecurity filing.
A drill down on the data by industry offers a more detailed look at 10-Ks filed by industry for cybersecurity that mention a CSO or CISO:
- Agriculture, forestry, 22%
- Wholesale trade, 31%
- Services, 59%
- Communications, energy, 52%
- Unknown, 46%
- Retail trade, 34%
- Finance, insurance, real estate, 51%
- Manufacturing, 28%
- Construction, 35%
- Mining, 18%
What's surprising about these figures?
- Services, which include technology companies, isn’t higher.
- Energy, which includes many infrastructure companies, isn’t higher.
- Finance, insurance and real estate, which includes large banks, isn’t higher.
- Mining, which involves certain critical resources and environmental impacts, may be overlooking cybersecurity risk.
Details on Data
- Date range: August 23, 2023 through March 15, 2024
- Total 10-Ks with Item 1C: 3,173
- 10-Ks with Item 1C over 100 characters: 2,860
- 10-Ks where automated 1C extraction failed: 150
- Total 10-Ks in the analysis: ~2,710
Item 1C filings with less than 100 characters were excluded in the study, as companies whose fiscal years ended before December 15, 2023 were not required to complete Item 1C.
Board Cybersecurity is a cybersecurity resource for board directors, corporate executives and investors. An earlier study conducted in February 2024, with a smaller sampling size of 373, found that 52% of the filings mentioned CSOs or CISOs. As Board Cybersecurity regularly updates the data, MSSP Alert will continue to follow the results.