Skip to main content

When Leadership Says “Keep Us Safe”: Finding Cyber Risk Tolerance in the 10-K

 One of the most common questions cybersecurity professionals ask executive leadership is:

“What is the organization’s risk tolerance when it comes to cyber risk?”

And one of the most common answers they get back is:

“Keep us safe.”

“Don’t let a breach happen.”

While well-intended, these answers don’t actually define risk tolerance. No organization can be perfectly safe, and “no breaches ever” isn’t a strategy—it’s a hope. When leadership can’t (or won’t) clearly articulate cyber risk tolerance, you need to look elsewhere for clues.

One of the most useful—and often overlooked—places to find them is the company’s 10-K report.


Why Risk Tolerance Matters


Risk tolerance drives real decisions:

  • How much downtime is acceptable?
  • How much data exposure is tolerable?
  • How much money should be spent on security controls?
  • Which risks are accepted versus mitigated?

Without understanding leadership’s tolerance, security teams either over-invest (creating friction and wasted spend) or under-protect (creating unacceptable exposure).


The 10-K: Executive Risk Thinking, in Writing


A public company’s 10-K is an annual filing that details financial performance, business operations, and—most importantly for security leaders—risk factors. These disclosures are reviewed by legal teams and executive leadership, which means they reflect what leadership is willing to formally acknowledge as material risk.

When you read the 10-K, focus on:

  • Risk Factors section
  • Management’s Discussion and Analysis (MD&A)
  • Any section referencing cybersecurity, data breaches, operational disruption, or regulatory exposure

Pay attention to:

  • How strongly cyber risk is worded
  • Whether breaches or data loss are explicitly mentioned
Labels:

Popular posts from this blog

Generative AI Governance: Using the NIST Framework to Build Trust, Reduce Risk, and Lead Secure AI Adoption

Generative AI has moved faster than nearly any technology security leaders have dealt with. Tools that can generate text, code, images, and data insights are now embedded into productivity platforms, security tooling, development workflows, and business operations—often before security teams are formally involved. For CISOs, this creates a familiar but amplified challenge: innovation is happening faster than governance, and unmanaged generative AI introduces material risk across confidentiality, integrity, availability, compliance, and trust. For aspiring information security professionals, AI governance represents a growing and valuable discipline where strategic thinking matters just as much as technical depth. The good news? We don’t need to invent governance from scratch. NIST’s AI Risk Management Framework (AI RMF) provides a practical, flexible structure that security leaders can use today to govern generative AI responsibly and defensibly. Why Generative AI Governance Matt...
Read more

NIST CSF 2.0 – Identify Function Deep Dive: Asset Management (ID.AM)

If you ask most CISOs where breaches really start, the answer is rarely “lack of tools.” It’s almost always lack of clarity . You cannot protect what you do not know exists. That is why Asset Management (ID.AM) sits at the foundation of the NIST Cybersecurity Framework (CSF) 2.0 Identify function. Every control, risk decision, investment, and response capability depends on accurate, current, and business-aligned asset visibility. In NIST CSF 2.0, Asset Management is no longer treated as an inventory exercise—it is framed as a risk-enabling capability that supports governance, threat modeling, resilience, and mission outcomes. This post breaks down: What ID.AM actually is in CSF 2.0 How to implement it pragmatically in a real enterprise Metrics CISOs and boards can use to measure effectiveness (not just activity) What Is NIST CSF 2.0 Asset Management (ID.AM)? ID.AM ensures that organizational assets—physical, digital, cloud-based, third-party, and data-centric—are identified, mana...
Read more