Cybersecurity Disclosure Report

James Palmiter is CEO and Co-Founder of DragonGC. This post is based on a DragonGC memorandum by Neil McCarthy, Mr. Palmiter, G. Michael Weiksner, Natalie Richardson, and Evan Quille.

DragonGC is a legal intelligence platform leveraging comprehensive ‘Authoritative Intelligence’ to offer curated, verified, and original sources. Our mission is to simplify compliance for public company legal teams.

We tackle information overload by precisely pinpointing the source material necessary to address important financial disclosure inquiries. Additionally, we furnish topic summaries, precedents, and examples of public company disclosures. Our goal is to empower teams in crafting relevant shareholder communications effortlessly.

Many prominent companies have already filed their 2023 10-Ks. These early 10-K filers provide insight into the cybersecurity disclosures required by new Regulation S-K Item 106, which applies to annual reports for fiscal years ending on or after December 15, 2023 and calls for a description of the registrant's processes for assessing, identifying, and managing material cybersecurity risks (Item 106(b)) and of board and management oversight of those risks (Item 106(c)).

DragonGC’s dragonFind identified the early filers listed below; the original memorandum links to the specific cybersecurity disclosures included in each company’s recently filed 10-K:

  • Advanced Micro Devices
  • Alphabet
  • Amazon.com
  • Baker Hughes
  • Boeing
  • Carrier Global
  • Charter Communications
  • CNA Financial
  • Comcast
  • CVS Health
  • Dow
  • Fastenal
  • Ford Motor
  • GE Healthcare
  • General Electric
  • Halliburton
  • Meta Platforms
  • Mondelez
  • Netflix
  • Norfolk Southern
  • Omnicom
  • Otis Worldwide
  • RTX
  • Sirius XM
  • Southwest Airlines
  • Tesla
  • T-Mobile US
  • United States Steel

DragonGC analyzed these early filers’ disclosures and identified several trends across the filings. Please read on for our summary of cybersecurity 10-K disclosures.

Risk Management and Strategy

Comparing and contrasting the risk management and strategy disclosures in the referenced company filings reveals a variety of approaches, frameworks, and focus areas:

Framework and Standards Alignment:

  • Advanced Micro Devices, CNA Financial, General Electric, Mondelez, Netflix, Norfolk Southern, Omnicom, Sirius XM, US Steel, and Tesla explicitly mention using the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), with some also integrating ISO/IEC 27001, the information security management system standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). This highlights a common trend toward adopting industry-standard frameworks for structuring cybersecurity programs. Note that stating alignment with NIST CSF or ISO/IEC 27001 is not the same as holding a certification or having passed an independent audit; NIST CSF is a voluntary framework with no certification scheme, and most of these filings describe the framework as a reference for their program rather than claiming certified conformance.
  • Otis and RTX describe managing material risks and implementing cybersecurity policies without specifying adherence to NIST CSF or ISO/IEC 27001, suggesting a customized approach organized around their operational risks, the threat of intellectual property theft, and compliance with privacy laws.

Comprehensive Cybersecurity Management:

  • Baker Hughes and Halliburton emphasize a comprehensive cybersecurity management program, with Baker Hughes operating a Cyber Fusion Center for continuous threat monitoring and Halliburton integrating risk analysis into their enterprise risk management program.
  • Amazon and Fastenal focus on protecting data through processes that reduce the likelihood and impact of security incidents, including security assessments, vulnerability management, and penetration testing.

Investment in Cybersecurity Programs:

  • Charter Communications and Southwest Airlines mention investing in developing and implementing cybersecurity programs, with Charter Communications focusing on advanced detection, prevention, and protection capabilities, and Southwest integrating cybersecurity risks into its Enterprise Risk Management (ERM) program.

Executive Management and Oversight:

  • Carrier Global Corporation and Ford Motor mention that their cybersecurity programs are managed by senior executives, indicating a top-down approach to cybersecurity risk management.
  • Dow and T-Mobile integrate cybersecurity risk management into the company’s overall enterprise risk management process, emphasizing the integration of cybersecurity into broader organizational risk management.

Unique Approaches and Focus Areas:

  • Meta acknowledges the specific challenges it faces due to its scale and the nature of its industry, noting that it regularly experiences cybersecurity incidents and therefore needs a robust risk management effort.
  • Otis outlines a multifaceted approach to managing cybersecurity threats, including training programs, phishing simulations, and cybersecurity insurance, suggesting a layered strategy to risk management.

Incident Response and Continuous Monitoring:

  • GE Healthcare and RTX focus on identifying and mitigating cybersecurity risks with specific mention of incident response processes, indicating an emphasis on preparedness and rapid response to incidents.

Enterprise Risk Management Integration:

  • Comcast, Southwest Airlines, and US Steel highlight the integration of cybersecurity risks into their broader Enterprise Risk Management (ERM) programs, demonstrating an approach that aligns cybersecurity risk management with overall business objectives.

Findings:

  • The majority of companies align with established frameworks like NIST CSF, indicating a preference for leveraging industry best practices in cybersecurity risk management.
  • Companies like Baker Hughes and Halliburton demonstrate an advanced approach with dedicated centers and comprehensive programs for continuous monitoring and threat analysis.
  • Investment in cybersecurity capabilities and integration with enterprise risk management are common themes, suggesting that companies recognize the importance of cybersecurity to their overall risk posture.
  • Unique challenges and strategies, as highlighted by Meta and Otis, reflect the diverse nature of cybersecurity risks across different industries and the tailored approaches companies adopt to address these risks.

In summary, while there is a strong trend towards adopting standardized frameworks like NIST CSF, companies also exhibit unique strategies and focus areas in their cybersecurity risk management and strategy policies. This reflects the diverse cybersecurity landscapes they operate in and their specific business needs.

Governance

The governance policies related to cybersecurity across these companies exhibit both similarities in structure and distinct differences in oversight approaches and delegation of responsibilities. Here’s an analysis of these disclosures:

Oversight Structure:

  • Audit Committee Involvement: Many companies, such as Advanced Micro Devices, Baker Hughes, CNA Financial, Comcast, GE Healthcare, GE, Halliburton, Meta, Mondelez, Norfolk Southern, Omnicom, Otis, RTX, Sirius, Southwest Airlines, Tesla, T-Mobile, and US Steel, delegate cybersecurity oversight to the Audit Committee, reflecting a common governance practice to ensure cybersecurity risks are regularly reviewed and managed.
  • Dedicated Committees for Cybersecurity: RTX mentions a Special Activities Committee for overseeing classified business cybersecurity, indicating a specialized oversight structure for specific cybersecurity domains.

Executive Leadership and Reporting:

  • Chief Information Security Officer (CISO) Role: Companies like Amazon, Baker Hughes, Charter Communications, CNA, Ford Motor, GE, Netflix, Norfolk Southern, Sirius XM, and Southwest Airlines highlight the role of the CISO in leading cybersecurity strategy and reporting to higher governance bodies, emphasizing the importance of cybersecurity expertise at the executive level.
  • Centralized vs. Collaborative Leadership: Amazon describes a unified team approach led by its chief security officer, whereas Carrier Global Corporation’s cybersecurity program is owned by the Chief Information Officer (CIO) with oversight from multiple officers (the CISO and the Chief Product Security Officer), suggesting different models of leadership and accountability.

Board Engagement and Risk Management:

  • Board-Level Oversight: Almost all companies acknowledge board-level oversight of cybersecurity risks, with Boeing, Carrier Global Corporation, Fastenal, Ford Motor, and Tesla specifically mentioning the board’s overall responsibility for risk oversight, including cybersecurity.
  • Specific Oversight Committees: Meta has a dual-committee approach with an Audit & Risk Oversight Committee and a Privacy Committee, highlighting a structured governance model that addresses both cybersecurity and privacy risks distinctly.

Reporting and Assessment:

  • Regular Reporting to Governance Bodies: Fastenal, Ford Motor, GE Healthcare, GE, Meta, Mondelez, Norfolk Southern, Otis, Sirius, Tesla, and US Steel mention regular reporting mechanisms to the Audit Committee or board, ensuring ongoing awareness and management of cybersecurity risks.
  • Annual Reviews and Strategic Planning: Sirius and Southwest Airlines discuss annual reviews of the information security policy and strategic technology plans, indicating a strategic approach to cybersecurity governance.

Distinctive Approaches:

  • Cyber Fusion Center: Baker Hughes operates a Cyber Fusion Center for monitoring threats, a unique operational component within its governance structure for real-time threat intelligence and response.
  • Certifications and Training: Otis specifically mentions board members holding cybersecurity oversight certifications and key personnel having relevant degrees and certifications, emphasizing the importance of expertise and continuous learning in their governance policy.

Comparative Insights:

  • The majority of companies rely on their Audit Committees for cybersecurity oversight, indicating a trend toward integrating cybersecurity into broader corporate governance and risk management frameworks.
  • The role of the CISO is central across many policies, with variations in reporting structures and executive involvement reflecting different organizational priorities and risk management cultures.
  • Unique governance structures, such as RTX’s Special Activities Committee and Meta’s dual-committee approach, demonstrate tailored governance models designed to address specific cybersecurity and privacy concerns.
  • Regular and strategic reporting to governance bodies is a common theme, emphasizing the importance of continuous oversight, strategic alignment, and adaptability in managing cybersecurity risks.

In summary, while the foundation of cybersecurity governance across these companies shares common elements such as Audit Committee oversight and executive leadership through CISOs, the specific structures, reporting mechanisms, and approaches to risk management exhibit a range of practices tailored to each company’s operational needs and strategic objectives.

Incident Management

The incident management policies of these companies reveal a range of strategies for preparing for, responding to, and recovering from cybersecurity incidents. Here’s a closer look at these companies’ disclosures:

Incident Response Plan (IRP) Implementation:

  • Commonality: All of these companies have established a Cybersecurity Incident Response Plan (IRP) or a similar framework to guide their response to cybersecurity incidents, underscoring the importance of preparedness in cybersecurity governance.
  • Specificity in Execution: Boeing conducts ‘tabletop’ exercises to simulate incidents, Dow and Southwest Airlines engage in cyber crisis response simulations, and Otis conducts regular tabletop exercises, phishing email simulations, and internal audits, indicating a proactive approach to identifying potential areas for improvement.

Reporting and Escalation Processes:

  • Quarterly and Regular Reporting: Advanced Micro Devices, Amazon, Baker Hughes, Carrier Global, Fastenal, Ford Motor, Halliburton, Meta, Mondelez, Netflix, Norfolk Southern, Omnicom, RTX, Sirius XM, and Tesla mention regular or quarterly reporting to the Board or specific committees, highlighting an emphasis on continuous oversight and management awareness.
  • Critical Incident Escalation: Carrier Global mentions escalation to its Critical Threat Committee, while Charter Communications, CNA Financial, and US Steel outline specific internal notification and escalation processes for managing cybersecurity incidents, demonstrating the importance of swift action and decision-making in response to critical threats.

Engagement with Third Parties:

  • Consultation and Assessment: GE Healthcare engages assessors, consultants, and auditors to review its cybersecurity program, and Halliburton also engages third-party firms for risk assessments, indicating an openness to external expertise in strengthening incident response capabilities.
  • Vendor Relationship for Incident Response: Fastenal maintains a qualified third-party vendor relationship for on-demand incident response, showcasing an external support mechanism for enhancing their incident management capabilities.

Oversight and Leadership:

  • Leadership Involvement: Meta’s CISO, Guy Rosen, leads the cybersecurity program and oversees security functions across the company, indicating a centralized leadership model. In contrast, Ford Motor and GE involve multiple executive roles (Chief Enterprise Technology Officer, General Counsel, Global CISO) in managing incidents, reflecting a more distributed leadership structure.
  • Board and Committee Oversight: T-Mobile and US Steel highlight the role of their Board of Directors and Audit Committee in overseeing cybersecurity incident management, underscoring the strategic importance of cybersecurity at the governance level.

Continuous Improvement and Training:

  • Simulations and Drills: Norfolk Southern and Sirius XM conduct regular tabletop exercises and simulations to test adherence to their IRPs and improve preparedness. Tesla outlines a comprehensive incident response process that includes post-incident analysis for continuous improvement.
  • Awareness and Training Programs: Sirius XM mentions a security awareness program that includes mandatory training for all employees, indicating an investment in human capital as a critical component of its incident management policy.

Unique Approaches:

  • Legal and Compliance Considerations: Carrier Global describes considering its disclosure obligations under applicable securities laws for material cybersecurity incidents, highlighting the intersection of incident management with legal and regulatory compliance.
  • Public and Customer Notification: Charter Communications sets standards for external notification considerations, addressing the importance of transparency and communication with stakeholders in the event of a cybersecurity incident.

Findings:

  • While all companies emphasize the development and implementation of IRPs, the degree of detail, reporting mechanisms, and engagement with third parties vary, reflecting differences in organizational structure, risk appetite, and regulatory environments.
  • Regular simulations, exercises, and engagement with external assessors or consultants are common strategies for testing the effectiveness of incident response plans and identifying areas for improvement.
  • Leadership involvement in incident management varies, with some companies centralizing this role in the hands of a CISO or equivalent, while others distribute responsibilities across several executives, indicating different approaches to managing cybersecurity risks.
  • Reporting to and oversight by the Board of Directors or specific committees is a universal theme, underscoring the recognition of cybersecurity as a critical governance issue.

These companies demonstrate a commitment to preparedness, continuous improvement, and governance oversight in their incident management policies. The varied approaches to leadership involvement, third-party engagement, and simulations reflect tailored strategies to meet unique organizational needs and cybersecurity challenges.

Assessing Impacts

The companies’ policies on managing cybersecurity risks highlight varied approaches to risk identification, management practices, and the potential impact of cybersecurity incidents on their operations. Here’s a comparative analysis:

Risk Identification and Assessment:

  • Common Approach: Most companies, including Amazon, Baker Hughes, Boeing, Carrier Global Corporation, and Netflix, integrate cybersecurity risk management into their overall Enterprise Risk Management (ERM) process, emphasizing continuous monitoring and regular risk assessments.
  • Unique Strategies: Boeing focuses on vulnerabilities and potential attack vectors specific to company systems and aerospace products, while Norfolk Southern outlines specific consequences of cybersecurity threats, such as service disruptions and safety failures, indicating a more detailed approach to risk identification related to their industry.

Incident Response and Mitigation:

  • Incident Response Plans: All companies mention having a cybersecurity incident response plan or similar frameworks in place. Otis and RTX, for example, detail processes, technologies, and controls employed, including Security Operations Centers and vulnerability management.
  • Third-Party Engagement and Audits: Comcast, CVS, and Mondelez engage assessors, consultants, and third parties for regular security audits and risk assessments, whereas T-Mobile specifically mentions engaging top-tier external cybersecurity firms to enhance their program.

Reporting and Communication:

  • Board and Committee Reporting: Advanced Micro Devices, Baker Hughes, and Halliburton provide regular or quarterly updates to their Board of Directors on cybersecurity metrics and incidents, emphasizing governance oversight.
  • External Disclosure Considerations: Carrier Global Corporation discusses considering disclosure obligations under applicable securities laws for material cybersecurity incidents, highlighting the legal and regulatory aspects of incident management.

Training and Awareness:

  • Employee Training Programs: Comcast and T-Mobile mention cybersecurity training for employees and vendors as part of their program, indicating an emphasis on human factors in cybersecurity risk management.
  • Comprehensive Training and Simulations: Baker Hughes includes cybersecurity training in their annual employee training program, and Otis conducts regular phishing email simulations and tabletop exercises, showcasing a multifaceted approach to enhancing cybersecurity awareness and preparedness.

Potential Impact and Materiality:

  • Acknowledgment of Ongoing Risks: Advanced Micro Devices, Dow, and Fastenal acknowledge the ongoing risks from cybersecurity threats and the potential for material impact on their operations and financial condition, reflecting a cautious outlook towards the evolving nature of cyber threats.
  • Specific Incidents and Mitigation Efforts: Southwest Airlines mentions having experienced cyberattacks in the past but mitigated them through preventive measures, while T-Mobile references specific cybersecurity incidents that resulted in lawsuits, indicating transparency about past challenges and responses.

Findings:

  • While all companies recognize the importance of cybersecurity risk management within their overall risk management frameworks, the extent of detail in their policies, the involvement of third parties, and the mechanisms for reporting and governance oversight vary.
  • The integration of cybersecurity training and awareness programs across most companies highlights a universal recognition of the critical role that employees and vendors play in maintaining cybersecurity.
  • The specific mention of past incidents, potential impacts, and materiality of cybersecurity threats by some companies provides insights into how these organizations perceive and communicate the risks associated with cybersecurity to their stakeholders.

In summary, these companies demonstrate a commitment to identifying, assessing, and managing cybersecurity risks through comprehensive risk management processes, incident response plans, employee training, and governance oversight. The detailed approaches to risk assessment, third-party engagement, and reporting mechanisms reflect their unique operational needs and strategic priorities in the context of cybersecurity.

As more cybersecurity disclosures are filed, DragonGC expects them to become increasingly similar, incorporating best practices broadly while highlighting particular areas that reflect differences across industries.
