Wednesday, December 31, 2025

When Leadership Says “Keep Us Safe”: Finding Cyber Risk Tolerance in the 10-K

One of the most common questions cybersecurity professionals ask executive leadership is:

“What is the organization’s risk tolerance when it comes to cyber risk?”

And one of the most common answers they get back is:

“Keep us safe.”

“Don’t let a breach happen.”

While well-intentioned, these answers don't define risk tolerance. No organization can be perfectly safe, and "no breaches, ever" is not a strategy; it is a hope. When leadership can't (or won't) clearly articulate cyber risk tolerance, you need to look elsewhere for clues.

One of the most useful—and often overlooked—places to find them is the company’s 10-K report.


Why Risk Tolerance Matters


Risk tolerance drives real decisions:

  • How much downtime is acceptable?
  • How much data exposure is tolerable?
  • How much money should be spent on security controls?
  • Which risks are accepted versus mitigated?

Without understanding leadership’s tolerance, security teams either over-invest (creating friction and wasted spend) or under-protect (creating unacceptable exposure).


The 10-K: Executive Risk Thinking, in Writing


A public company's 10-K is the annual report filed with the U.S. Securities and Exchange Commission (SEC). It details financial performance, business operations and, most importantly for security leaders, risk factors. Since the SEC's 2023 cybersecurity disclosure rules took effect, it also carries a dedicated Item 1C, Cybersecurity, describing how the company assesses, identifies and manages material cyber risks and how the board oversees them. These disclosures are reviewed by counsel and executive leadership, and a misstatement carries legal consequences, which means they reflect what leadership is willing to formally acknowledge, in writing, as material risk.

When you read the 10-K, focus on:

  • Risk Factors (Item 1A)
  • Cybersecurity (Item 1C)
  • Management's Discussion and Analysis, MD&A (Item 7)
  • Any other section referencing cybersecurity, data breaches, operational disruption, or regulatory exposure

Pay attention to:

  • How strongly cyber risk is worded: hedged, hypothetical language ("could", "may") versus acknowledged fact ("we have experienced")
  • Whether breaches or data loss are explicitly mentioned, and whether any past incident is described as having actually occurred
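As an added example (not part of the original post), the following Python script does mechanically what the reading guidance above describes: it splits a 10-K-style text into its Items, keeps only the sentences that mention cyber-related terms, and tags each as hedged ("may", "could"), realized ("have experienced", "occurred", "recorded") or a plain statement, flagging materiality language as well. The excerpt, the keyword lists and the tone heuristics are my own assumptions for illustration; the excerpt is constructed in the shape of a filing and is not from any real company.

```python
import re
from collections import Counter

# Constructed excerpt in the shape of a 10-K; not from any real filing.
SAMPLE_10K = """
ITEM 1A. RISK FACTORS
Our business depends on the continuous availability of our online platform, and any significant disruption could materially harm our operating results.
We have experienced cybersecurity incidents in the past, including unauthorized access to customer data, and we may experience them in the future.
A breach of our systems could result in regulatory fines, litigation and loss of customer trust.
Changes in tax law could affect our effective tax rate.

ITEM 1C. CYBERSECURITY
Our board of directors oversees cybersecurity risk through its audit committee, which receives quarterly briefings.
To date, no cybersecurity incident has materially affected our business strategy, results of operations or financial condition.

ITEM 7. MANAGEMENT'S DISCUSSION AND ANALYSIS
Net revenue increased 12% compared with the prior year.
We recorded $4.2 million of expense related to remediation of a security incident that occurred during the third quarter.
"""

# Heading lines look like "ITEM 1A. RISK FACTORS"; capture the item number and title.
ITEM_HEADING = re.compile(r"^ITEM\s+(\d+[A-Z]?)\.\s*(.+?)\s*$", re.M)

# Assumed keyword lists; extend them for the filings you actually read.
CYBER_TERMS = ("cyber", "breach", "unauthorized access", "security incident",
               "data loss", "ransomware", "disruption")
# Language that admits something already happened.
REALIZED = re.compile(r"\b(?:have|has) experienced\b|\boccurred\b|\brecorded\b|\bwere subject to\b", re.I)
# Language that keeps the risk hypothetical.
HEDGED = re.compile(r"\b(?:may|could|might)\b", re.I)


def split_items(text):
    """Return {item_number: (title, body)} for each ITEM heading in the text."""
    parts = ITEM_HEADING.split(text)
    items = {}
    for i in range(1, len(parts), 3):
        items[parts[i]] = (parts[i + 1], parts[i + 2].strip())
    return items


def split_sentences(body):
    """Naive sentence splitter: break after ., ! or ? followed by whitespace."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", body) if s.strip()]


def classify(sentence):
    """Realized wins over hedged: 'we have experienced ... and may again' is an admission."""
    if REALIZED.search(sentence):
        return "realized"
    if HEDGED.search(sentence):
        return "hypothetical"
    return "statement"


def extract_cyber_disclosures(text):
    """Return the cyber-related sentences with their Item, tone and materiality flag."""
    found = []
    for item, (title, body) in split_items(text).items():
        for sentence in split_sentences(body):
            low = sentence.lower()
            if any(term in low for term in CYBER_TERMS):
                found.append({
                    "item": item,
                    "title": title,
                    "tone": classify(sentence),
                    "materiality": "material" in low,
                    "sentence": sentence,
                })
    return found


def tone_counts(text):
    """Count cyber-related sentences by tone; a quick read of how hedged the filing is."""
    return Counter(d["tone"] for d in extract_cyber_disclosures(text))


if __name__ == "__main__":
    for d in extract_cyber_disclosures(SAMPLE_10K):
        print(f"[Item {d['item']}] {d['tone']:<12} material={d['materiality']!s:<5} {d['sentence']}")
    print(dict(tone_counts(SAMPLE_10K)))
```

Run against the constructed excerpt, the script surfaces three sentences from Item 1A, two from Item 1C and one from the MD&A, and tags two as realized, two as hypothetical and two as plain statements. The sentences tagged "realized" (a past incident, a remediation expense) are the ones that tell you what leadership has already accepted as fact; a filing that is all "could" and "may" is telling you something different. The heuristics are deliberately simple: a real 10-K needs a proper sentence splitter and a keyword list tuned to the company's vocabulary, and nothing here replaces reading the Items in full.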
