Showing posts from December, 2025

When Leadership Says “Keep Us Safe”: Finding Cyber Risk Tolerance in the 10-K

One of the most common questions cybersecurity professionals ask executive leadership is: “What is the organization’s risk tolerance when it comes to cyber risk?” And one of the most common answers they get back is: “Keep us safe.” “Don’t let a breach happen.”

While well-intended, these answers don’t actually define risk tolerance. No organization can be perfectly safe, and “no breaches ever” isn’t a strategy—it’s a hope. When leadership can’t (or won’t) clearly articulate cyber risk tolerance, you need to look elsewhere for clues. One of the most useful—and often overlooked—places to find them is the company’s 10-K report.

Why Risk Tolerance Matters

Risk tolerance drives real decisions: How much downtime is acceptable? How much data exposure is tolerable? How much money should be spent on security controls? Which risks are accepted versus mitigated? Without understanding leadership’s tolerance, security teams either over-invest (creating friction and wasted spend) or under-prote...