First Reports Under SEC Cybersecurity Rule Released
26 January 2024
It is like a late Christmas present for cyber risk practitioners, as corporate disclosures are just now being released under the 2023 SEC Cybersecurity Rule, which went into effect last December.
Breach Rule
Sure, the breach disclosure rule (Form 8-K Item 1.05), which requires filing within four days of determining materiality, grabs headlines. As of today, four companies have filed breach notices under Item 1.05.
- First American Financial Corp (FAF)
- Hewlett Packard Enterprise Co (HPE)
- Microsoft Corp (MSFT)
- V.F. Corp (VFC)
If you want to follow along at home, I put together an RSS feed from Edgar.gov that will track all the latest Form 8-K Item 1.05 Breach reports.
[LINK]
Cyber Risk Management Disclosure Rule
However, what is even more interesting than the forthcoming deluge of breach reporting is the cyber risk management program disclosures required in annual 10-K filings. Reg. S-K Item 1C requires all annual reports for fiscal years ending on or after December 15, 2023, to include these disclosures.
If you’ve taken any of my classes at the University of Texas Law School or the Carnegie Mellon CISO program, then you have heard me talk about this for over a year. Like a kid on Christmas Eve, I’ve been excited about these disclosures, and I believe the impact they will have is underrated.
So far, only three filings have been reported.
Again, here is an RSS feed from Edgar.gov for Reg. S-K Item 1C (10-K).
[LINK]
Even in these first three filings, from Lockheed Martin, Schlumberger, and United Rentals, we can see a significant shift in what organizations disclose about their cyber risk management practices.
I have been teaching cyber risk management for almost two decades, and getting insight into the inner workings of an organization’s cybersecurity program is always a challenge for students in my courses. It requires a lot of work to dig through public reports and understand an organization’s cybersecurity culture and approach to risk management.
The public face of an organization’s approach to cybersecurity is frequently different from the internal workings. Anyone who has been in the field long enough has seen the claims of “world-class security” only to know this is far from the truth on the inside.
What’s different as of today is that these three reports are legal disclosures under the SEC regulation and carry hefty penalties for any organization that misrepresents its cybersecurity risk management practices.
So what can we learn from looking at these disclosures, especially when we contrast them? At the highest level, cybersecurity is given greater prominence and reporting. Comparing the 2023 and 2024 10-K filings shows that mentions of cybersecurity more than doubled.
It’s no surprise that Lockheed Martin already mentions cybersecurity extensively in their 2023 and 2024 10-K filings. What is interesting is the level of disclosure and detail.
I have summarized their filing below:
Lockheed Martin
Lockheed Martin Corporation (LMCO) assesses and manages cybersecurity risks through a comprehensive strategy and governance structure. The key aspects of their approach include:
- Oversight by the Board of Directors: The full Board retains oversight of cybersecurity due to its importance in the aerospace and defense industry. The Board is regularly briefed on cybersecurity and information security posture by senior leadership, including the Chief Information Security Officer (CISO).
- Corporate Information Security Organization: Led by the CISO, this organization is responsible for the overall information security strategy, policy, security engineering, operations, and cyber threat detection and response. It manages a robust enterprise security structure aimed at preventing cybersecurity incidents and increasing system resilience.
- Incident Response Playbook: In case of a cybersecurity incident, LMCO follows a detailed incident response playbook, outlining steps from detection to mitigation, recovery, and notification, including notifying senior leadership and the Board as appropriate.
- Supplier Cybersecurity Controls: LMCO assesses third-party cybersecurity controls through questionnaires, including security and privacy addendums to contracts, and contractual flow-down of cybersecurity regulatory requirements. They engage third-party services for evaluations of security controls, penetration testing, and independent audits.
- Risk Management Strategy: LMCO has developed and implemented a proactive risk management strategy called the Intelligence Driven Defense® model, which aims to identify and prevent cybersecurity incidents by understanding the nature of adversaries.
- Integration into Enterprise Risk Management (ERM): Cybersecurity-related risks are integrated into LMCO’s overall ERM process, which includes assessing top risks to the enterprise annually. This process identifies heightened cybersecurity-related risks and assigns risk owners to develop and track mitigation plans.
- Compliance with Regulations: LMCO complies with extensive regulations, including DFARS related to safeguarding controlled unclassified information (CUI) and reporting cybersecurity incidents to the Department of Defense.
Unsurprisingly, the Chief Information Security Officer regularly reports to the Board of Directors. What is surprising is the extent to which Lockheed discloses its internal risk management practices, including its vendor security requirements, its monitoring of specific vendors, and its internal risk management program.
Though these are not unexpected, and are likely disclosed in other documents as well, Lockheed has set the standard in cyber risk management program disclosure. By luck of the calendar, they are the first company with a respected cybersecurity program to set the standard for what these disclosures should look like.
When analysts review public companies as part of their due diligence, they usually include cybersecurity. As the SEC intended, these diligence reviews will place an increased emphasis on Item 1C in the 10-K filings.
What I’m excited to see in the coming weeks and months is a comparison of risk management practices across companies and industries. Baseline risk management reviews will be much easier than before. Boards of directors will be able to see more accurately and easily how their cyber risk management practices compare to their peers’. I expect this will elevate the cyber risk conversation across boards, as the NACD has advocated for years.
For reference, compare the other two filings, from Schlumberger and United Rentals. Both are well-established and respected organizations, and both show a dramatic increase in disclosures of their cybersecurity risk management practices over their 2023 10-K filings.
Schlumberger
Schlumberger assesses and manages cybersecurity risks through a structured program based on recognized standards and practices, integrated into its enterprise risk management system, and overseen by its Board of Directors. The key aspects of their approach are as follows:
- Cyber Risk Management Program: The program is based on recognized best practices and standards for cybersecurity and information technology, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and the International Organization for Standardization (ISO) 27001 Information Security Management System Requirements.
- Annual Assessment by Third Party: The company’s cyber risk management program undergoes an annual assessment performed by a third party against the NIST CSF.
- Cyber Security Operations Center: Operating in three locations, this center provides 24/7 monitoring of the global cybersecurity environment and coordinates the investigation and remediation of alerts. They also conduct incident response drills to prepare support teams for significant incidents.
- Oversight by the Audit Committee and Board of Directors: The Audit Committee oversees the company’s cybersecurity risk exposures and management’s efforts to monitor and mitigate these risks. The cybersecurity team briefs the Audit Committee typically on a quarterly basis. The Board of Directors also reviews cybersecurity risks as part of the company’s corporate risk mapping exercise.
- Partnerships with Cybersecurity Companies: The company partners with leading cybersecurity companies and organizations, leveraging third-party technology and expertise. These partnerships help monitor and maintain the performance and effectiveness of cybersecurity products and services.
- Cybersecurity Team Expertise: The Cyber Security Director, reporting to the Chief Information Officer, leads the cybersecurity team. This team has extensive experience in selecting, deploying, and operating cybersecurity technologies, initiatives, and processes worldwide.
- Acknowledgment of Cybersecurity Threats: The company acknowledges the risk of cybersecurity threats that could materially affect its business. It has experienced and continues to experience varying degrees of cyber incidents in the normal conduct of its business.
In summary, the company’s approach to cybersecurity risk assessment and management involves a combination of structured programs based on industry standards, regular third-party assessments, dedicated cybersecurity operations, oversight by the Board, strategic partnerships, and a specialized cybersecurity team.
United Rentals
United Rentals assesses and manages cybersecurity risks through a comprehensive program involving regular monitoring, third-party assessments, board oversight, and a structured risk management framework. The key aspects of their approach include:
- Regular Monitoring and Assessments: The IT security team regularly monitors alerts, discusses threat levels, trends, and remediation, and prepares a monthly cyber scorecard. They conduct an annual risk assessment and engage in periodic external penetration tests, red team testing, and maturity testing to assess processes, procedures, and the threat landscape.
- Third-Party Expert Involvement: United Rentals works with third-party experts to review and evaluate procedures, including testing defenses through simulations and drills.
- Audit Committee and Board Oversight: The Audit Committee performs an annual review of the company’s cybersecurity program, including management’s actions to identify and detect threats. The Board receives quarterly cybersecurity reports and annual updates on the Crisis Management Plan, which covers potential cybersecurity incidents.
- Use of NIST Framework: The cybersecurity risk management program leverages the National Institute of Standards and Technology (NIST) framework, organizing cybersecurity risks into five categories: identify, protect, detect, respond, and recover. Key cybersecurity risks are incorporated into the Enterprise Risk Management Council’s framework.
- Policies and Training: United Rentals has a set of company-wide policies and procedures concerning cybersecurity, reviewed and approved by appropriate management members. All employees are required to complete cybersecurity trainings periodically, with additional specialized trainings for certain roles.
- Chief Information Officer’s Role: The Chief Information Officer is responsible for developing and implementing the information security program and reporting on cybersecurity matters to the Board. The team includes members with cybersecurity experience and certifications.
- Recognition of Cybersecurity Risks: United Rentals acknowledges the presence of cybersecurity risks and has experienced threats and breaches, which are managed as part of their overall risk management framework.
In summary, United Rentals’ approach to cybersecurity risk assessment and management involves continuous monitoring, expert involvement, oversight by the Audit Committee and Board, the application of the NIST framework, comprehensive policies and employee training, and dedicated leadership through its Chief Information Officer.
(Note: the 10-K Item 1C summaries above were generated by ChatGPT.)
Summary
Neither of these cybersecurity programs is significantly unique. For example, it’s great to see both adopting the NIST CSF. Schlumberger, as an international organization, also follows the ISO 27001 framework. However, understandably, both are less sophisticated than the Lockheed program.
The ability to quickly contrast these three organizations is a significant change from years before. I’m excited to see what this year’s cybersecurity industry benchmarks and reports will look like from the usual thought leadership groups like Deloitte, Verizon, and CrowdStrike.
Lastly, this should also be a warning for any public company filing right now that may want to strengthen its 10-K Item 1C disclosure. Or worse, forget to include it at all! I’m looking at you, Dutch Oven Gold Group Inc.