Hey Everyone,

A bit of an uptick in filings this week with two new companies filing their first 8Ks (Orasure, Frontier Communications). If you managed to catch last week’s newsletter, I dove into 10K filings for companies that recently had a material incident filing. This week, I’ve gone step further and run an analysis on all 10K filings to date that contain an Item 1C (Cybersecurity Risk Management and strategy). Of the six thousand+ 10Ks and addendums filed since December, approximately three thousand filings include the new Item 1C. I’ve categorized the filings by sentiment (positive, neutral, negative). Filings with positive sentiment generally reference specific controls, risk frameworks and leadership details for their security programs. Neutral and negative filing sentiments are vague or general about what their risk management strategy is, sometimes even calling out specific shortcomings in their strategies. As you can see below, most companies have a positive sentiment associated with their 1C’s:

One interesting trend is the negative sentiment associated with shell companies’ filings. Many of these are ‘blank check’ or ‘SPAC’ companies. These filings essentially allude to a lack of general interest in security and controls. You can filter the 10Ks and see some examples here. Friends in security sales: potential biz dev opportunity? 🤔 

This Week’s Filings

Orasure Technologies Inc 8K, April 12, 2024
The company became aware of a third party who gained unauthorized access to certain company systems. The company initiated an incident response plan brought in external counsel and notified law enforcement. Orasure has contained the incident but is still investigating the impact. It’s currently unclear which data may have been accessed from their systems.

Frontier Communications Parent, Inc. 8K, April 18, 2024
The company detected a third party had gained unauthorized access to portions of their environment. Part of containment measures included shutting down certain business systems, resulting in a service disruption. The company’s investigation concluded a cybercrime group (no names mentioned) is likely responsible. The group responsible had access to company information PII. Frontier has notified law enforcement of the breach.

Thanks for reading this week. Questions/feedback? Reply to this email, I’d be happy to chat!

Matt