Exploring the Consequences of Cyber Firm Reports SEC's Final Rule Language Causing 10-K Filer Missteps


By CIOReview | Tuesday, November 19, 2024

FREMONT, CA: HALOCK Security Labs and its sister company, Reasonable Risk, recently published a survey report finding that the language of the SEC's new cybersecurity regulations appears to be confusing executives at publicly traded companies. As a result, many 10-K filings now make the implausible statement that the company does not expect cybersecurity incidents to have material consequences. Early 10-K filers also express more confidence in their cybersecurity programs than executives describe when speaking anonymously.

The SEC's new Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule requires public companies to disclose how they manage cybersecurity risk in Item 1C of their 10-K filings. To complicate matters, they must do so in plain language that a reasonable investor can understand. The SEC's Final Rule also implies that clarity and transparency in cybersecurity risk management will be rewarded with greater investor trust.

"We are finding that non-technical executives typically do not receive the information they need to make informed decisions to prioritize cybersecurity initiatives and approve resources. Not having the right information makes properly informing the Leadership Team and outside investors very difficult." – Jim Mirochnik, CEO, Reasonable Risk LLC.

HALOCK's Annual 10-K Survey tracks how public companies' disclosures about their cybersecurity programs evolve over time. It evaluates public filings both qualitatively and quantitatively to determine whether "clarity and transparency" are improving. According to the initial 2024 survey report, early 10-K filings show that most companies conflate compliance standards with risk management. This indicates that their risk and governance programs are built on control compliance rather than on risk, which is the primary focus of the new rule.

"It is implausible that so many companies conducted risk assessments and found no potentially material risks. It seems that Executives were so concerned about getting their first filings wrong that they adhered too closely to the Final Rule and repeated the SEC's error." – Chris Cronin, the Report's Lead Editor.
