New 10K Cyber-Disclosures Demonstrate Diversity Among Early Filers

Morgan Phisher May 20, 2024

Hello, fellow Bay Area friends! I’ve been following a recent development in the world of cybersecurity and wanted to share my thoughts with you. You’ve probably heard about the new SEC cybersecurity rules? They introduced a series of new requirements for companies filing their Form 10Ks. The San Francisco Bay Area, as a technology hub, is all abuzz with this new development. We’ve been seeing a variety of approaches as governance professionals navigate these waters to work out the best practices for filing compliance.

I was reading up on an analysis that compared the filings from around 30 big, publicly traded companies. Interestingly, while they are more or less disclosing the same type of information, no two filings are exactly alike. The variations are most noticeable in the way companies articulate their specifics and the level of detail they’re willing to lay out.

Let’s take a step back for a minute: what exactly are these new rules about? They went into effect at the beginning of 2024 and require companies to be more transparent about their cybersecurity risk management, strategy, and governance in their Form 10K filings. In short, companies are now obligated to describe their processes for identifying and managing significant risks that stem from cybersecurity threats. They also must report any major cybersecurity incident on a Form 8K within four business days of determining that the incident is material.

While most of the companies studied in the analysis are following recommended frameworks like the National Institute of Standards and Technology Cybersecurity Framework, they each have unique operations, strategic goals, and approaches to risk management. I found it interesting that board members of one company have even acquired cybersecurity oversight certifications. How cool is that?

Given the complexity of these new rules, I wouldn’t dream of oversimplifying cybersecurity risk management. The essence, however, lies in comprehensive risk management processes, solid incident response plans, rigorous employee training, and keen governance oversight. Beyond this, the companies are individually tailoring their risk assessments, third-party engagement, and reporting mechanisms to meet their operational needs and strategic priorities.

Now, what does the future hold? Well, we may see firmer guidelines from the SEC once it has assessed a broader range of filings. With these disclosures becoming more routine, we may start to see companies follow a more standardized format. And why not? Drawing on the best practices across industries only makes the process easier.

In the meantime, governance professionals are taking notes, learning from each other’s filings, and refining their Form 10Ks. It’s vital to stay up to date with these modern-day challenges that combine cybersecurity and healthcare! Stay safe, San Francisco, and let’s make our city a safer place for data!

by Morgan Phisher | HEAL Security