Andrew Hoog
Abstract
Keywords: Cybersecurity disclosures, 10-K, Risk Frameworks, Security Control Standards.
1. Introduction
The recent cybersecurity disclosure rules from the SEC not only provide investors with material information on how companies manage security risk but also generate valuable data that can be used to glean best practices in cybersecurity risk management, or even gaps in cybersecurity strategy.
Many practitioners conflate Risk Frameworks with Security Control Standards. This insight report will provide data on what risk frameworks and security control standards are mentioned and at what frequency.
The analysis below is a snapshot of data from 10-Ks disclosed between 2023-12-15 and 2024-06-30. You can see the full list of the 10-Ks in the 10-K Cybersecurity Tracker.
2. Methodology and Data
2.1 Data
2.1.1 SEC EDGAR
The U.S. Securities and Exchange Commission’s Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system provides a public interface [1] to retrieve companies’ SEC filings, including their annual 10-K report.
2.2 Methodology
2.2.1 Retrieval
An hourly process is run which parses the EDGAR RSS feed and determines whether any new 10-K filings were disclosed. If so, each new 10-K filing is downloaded locally and processed.
2.2.2 Identifying and extracting Item 1C Cybersecurity text
The 10-K filing is then processed to determine whether an Item 1C Cybersecurity section exists. If found, the text from that section is extracted from the 10-K. During this process, formatting is lost and we attempt to replace non-ASCII characters with their ASCII equivalent (e.g. replacing the \u2009 thin space with an ASCII space, 0x20). Extraneous spaces are also removed.
The extraction algorithm has been improved so that fewer than 5% (4.57%) of 10-Ks with an Item 1C Cybersecurity section are excluded due to data extraction failures. In some instances, the author has added the 10-K Item 1C to the data set manually.
2.2.3 Identifying cybersecurity features
The resulting Item 1C Cybersecurity data is then analyzed using regular expressions to determine the presence of key cybersecurity features. In the current algorithm, 23 unique features are tested and two are included in this report: Risk Frameworks and Security Control Standards.
Caveat: this analysis is more effective on cybersecurity features which can be tested for by the presence of a key word or phrase, e.g. “NIST CSF”. The analysis is only as effective as the list of key words and phrases included in the algorithm and present in the Item 1C sections.
2.3 Data set
Leveraging the SEC data and methodology produced the following data set:

10-K data set

| Property | Value |
|---|---|
| Start date | 2023-12-15 |
| End date | 2024-06-30 |
| Total records | 5582 |
| Skipped: low word count | 789 |
| Skipped: high word count | 26 |
| Skipped: no word count | 229 |
| 10-Ks in analysis | 4538 |
Additional details on excluded Item 1C sections:
- Item 1C sections with low word counts (fewer than 15 words) are excluded from the analysis. In most instances, these come from companies not yet required to file because of their fiscal year end, e.g. Apple Inc. [2], which simply stated “Not Applicable”.
- Item 1C sections with high word counts (greater than 2,700 words) are excluded from the analysis. In most instances, these represent Item 1C extraction failures that include other sections of the 10-K. Some of these are then manually analyzed and added to the data set.
- Item 1C sections with no word count (0 words) are excluded from the analysis. In most instances, these represent Item 1C extraction failures where the Item 1C section was present but could not be extracted. Some of these are then manually analyzed and added to the data set.
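The normalization, word-count exclusion and key-phrase detection steps described in sections 2.2.2 through 2.3 can be put together as a small pipeline. The following is an added Python example written for this page, not the author's own tooling: the word-count thresholds (15 and 2,700) come from the report, "NIST CSF" is the phrase the report cites, and every other key phrase, the extra character mappings and the sample Item 1C texts are constructed assumptions for illustration.

```python
import re
from collections import Counter

# Word-count thresholds stated in the report's methodology (section 2.3).
LOW_WORDS = 15
HIGH_WORDS = 2700

# Non-ASCII characters replaced with ASCII equivalents before analysis.
# The thin space (\u2009 -> 0x20) is the example the report gives; the
# remaining entries are assumptions added for this example.
ASCII_MAP = str.maketrans({
    "\u2009": " ",                  # thin space
    "\u00a0": " ",                  # no-break space
    "\u2018": "'", "\u2019": "'",   # curly single quotes
    "\u201c": '"', "\u201d": '"',   # curly double quotes
    "\u2013": "-", "\u2014": "-",   # en dash / em dash
})

# Key-phrase patterns for the two features covered in the report. "NIST CSF"
# is the phrase the report cites; every other phrase is an assumed example,
# not the report's own list. Case-insensitive and whitespace-tolerant.
FEATURES = {
    "security_control_standard": re.compile(
        r"NIST\s*CSF|NIST\s+Cyber\s*security\s+Framework|ISO(?:\s*/\s*IEC)?\s*27001",
        re.IGNORECASE),
    "risk_framework": re.compile(
        r"NIST\s+RMF|NIST\s+Risk\s+Management\s+Framework|ISO\s*31000",
        re.IGNORECASE),
}
BUCKETS = ("included", "skipped_low_word_count",
           "skipped_high_word_count", "skipped_no_word_count")


def normalize(text: str) -> str:
    """Map known non-ASCII characters to ASCII and collapse runs of whitespace."""
    return re.sub(r"\s+", " ", text.translate(ASCII_MAP)).strip()


def word_count(text: str) -> int:
    return len(text.split())


def classify(text: str) -> str:
    """Apply the report's exclusion rules; only 'included' records are analyzed."""
    n = word_count(text)
    if n == 0:
        return "skipped_no_word_count"
    if n < LOW_WORDS:
        return "skipped_low_word_count"
    if n > HIGH_WORDS:
        return "skipped_high_word_count"
    return "included"


def detect_features(text: str) -> dict:
    """Presence test per feature: one hit per filing, however often it repeats."""
    return {name: bool(pat.search(text)) for name, pat in FEATURES.items()}


def analyze(filings: dict) -> dict:
    """filings maps an identifier to raw Item 1C text; returns a report-style summary."""
    status = Counter({b: 0 for b in BUCKETS})
    hits = Counter({name: 0 for name in FEATURES})
    for raw in filings.values():
        text = normalize(raw)
        bucket = classify(text)
        status[bucket] += 1
        if bucket == "included":
            for name, present in detect_features(text).items():
                hits[name] += present
    included = status["included"]
    return {
        "total_records": len(filings),
        **status,
        "hits": dict(hits),
        "percent": {name: round(100 * hits[name] / included, 2) if included else 0.0
                    for name in FEATURES},
    }


# Constructed sample Item 1C texts (not real filings).
LONG = "We maintain a cybersecurity program overseen by the audit committee. " * 400
SAMPLE_FILINGS = {
    "filer-a": "Our program is aligned with the NIST\u2009CSF and is reviewed annually by the board of directors.",
    "filer-b": "We use the NIST Cybersecurity Framework and ISO/IEC 27001 to structure our controls, "
               "and the NIST Risk Management Framework to assess risk.",
    "filer-c": "We have processes for assessing, identifying and managing material risks from "
               "cybersecurity threats, overseen by our Chief Information Security Officer.",
    "filer-d": "Not Applicable",   # low word count: excluded
    "filer-e": "",                 # no word count: extraction failure, excluded
    "filer-f": LONG,               # high word count: over-capture, excluded
}

if __name__ == "__main__":
    print(analyze(SAMPLE_FILINGS))
```

Running it on the constructed sample shows the caveat from section 2.2.3 directly: "filer-c" describes a risk management process in its own words but matches no key phrase, so it counts as a miss even though a human reader would classify it differently. The thin space in "filer-a" is the reason normalization runs before matching; without it, `NIST\u2009CSF` would not match a pattern written with an ASCII space.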
3. Results
3.1 Percentage of 10-Ks that mention a Security Control Standard
For the Security Control Standards analysis of 10-Ks between 2023-12-15 and 2024-06-30, the results include 4,538 records. A matching phrase was found in 1,629 of them (35.9%).
3.2 Percentage of 10-Ks that mention a Risk Framework
For the Risk Framework analysis of 10-Ks between 2023-12-15 and 2024-06-30, the results include 4,538 records. A matching phrase was found in 23 of them (0.51%).
4. Discussion
Observations from the results:
- While the reporting requirements from the SEC specifically require companies to disclose their cybersecurity risk management processes, very few companies focus on a structured standard for risk management.
- Security Control Standards are more tactical and likely easier to understand. While a far greater percentage of filers mention a security control standard (e.g. NIST Cyber Security Framework), the percentage is still quite low at just over 35%.
5. Conclusion and future work
The new cybersecurity disclosure requirements from the SEC have generated a new set of data and insights. The data suggests that very few companies have (or at least disclose) a structured approach using known Risk Management frameworks.
Since this is the first year of reporting, many companies were not certain what they should file and likely reviewed other filers’ disclosures. Future work could focus on how companies update their disclosures in future 10-Ks: whether we see a trend toward homogenization of reporting, whether companies change or improve their reporting, and whether we can find any correlation between companies with more robust Item 1C filings and their ability to minimize the impact of cybersecurity incidents.
References
[1] U.S. Securities and Exchange Commission, Latest Filings Received and Processed at the SEC, retrieved from https://www.sec.gov/cgi-bin/browse-edgar?action=getcurrent
[2] 10-K Cybersecurity Tracker entry for Apple Inc., https://www.board-cybersecurity.com/annual-reports/tracker/20231102-apple-inc-cybersecurity-10k/