In 2023, the Securities and Exchange Commission (SEC) required public companies to include a new section in their 10-K annual filings devoted to cybersecurity. This section is meant to address “cybersecurity risk management, strategy, governance and incidents.” I got curious about what senior cybersecurity executives are conveying about their companies in these reports, and turned it into a research project that also gives me a reason to test out some AI techniques.
The article is broken into two sections: the first covers my findings regarding Section 1.C for the top 200 companies in the S&P, and the second covers the methods I used, including some AI tech.
10-K Section 1.C
Some really great analysis of Section 1.C has already been done, including a Harvard Law School study, a PwC study and an International Journal of Accounting Information Systems paper. These were great reads, but all were done over a year ago with the first batch of filings. Also, the Harvard Law study only looked at the top 100 companies. I wanted to see if I could reproduce some of the analysis using this year’s filings, as well as ask some of my own questions, like whether there were any major changes between 2024 and 2025.
Companies are required to disclose governance regarding cybersecurity risks. Key requirements include describing board oversight of cyber risks, the committee responsible and management’s role in assessing and managing material cybersecurity threats. Years of experience are often included.
Similar to the Harvard study, I’ll look at who holds the senior cybersecurity role and their level of experience, who they report to, what part of the board oversees cybersecurity and which standards they use. Not every company included all these pieces of information, but the bulk of them did. I’ll also look at overall trends between 2024 and 2025.
CISO role top for cybersecurity
The chief information security officer (CISO) continues to be the principal position responsible for cybersecurity, with over 70% of companies reporting CISO as the role responsible for cybersecurity. Numbers for CISO slightly increased from 2024 to 2025, going from 137 to 142. A distant second and third are CIO and CSO. The average years of experience for the role is about 23 years (standard deviation 6 years, 140 companies reported).
CIO remains top senior in a varied field
The chief information officer remains the most common person the cybersecurity official reports to, and this was stable between 2024 and 2025 (~49 vs ~48). This is consistent with surveys and other reporting that the CIO is the most frequent. I agree with another CSO article that having the position under the CIO is sub-optimal: it both introduces conflicts of interest and downplays the importance of cybersecurity at the enterprise level. Not saying it can’t work, but there are likely better arrangements. No clear alternative has appeared in either the 2024 or 2025 data (see the chart below), and the small relative numbers indicate there is a lot of variety in who the CISO reports to. The CEO, CFO and CTO were other common reporting positions, but none were a clear second. It is also worth noting that for over 50 companies, it wasn’t clear from the 10-K write-ups what the reporting position was.
[Chart: who the senior cybersecurity role reports to, 2024 vs 2025. Credit: Derek Dye]
Board oversight
Within the company’s board, the Audit Committee is by far the most common group responsible for cybersecurity, representing 60% of companies. This jumps to about 70% (138 companies) if you include all the variations of Audit, such as Audit & Risk, Audit & Finance, etc. Overall, audit numbers remained steady between 2024 and 2025. A distant second and third were the Risk Committee and the Board of Directors broadly.
NIST CSF for the win
The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) is the most referenced cybersecurity standard, increasing between 2024 and 2025 (113 vs 118). The next most common standard is ISO 27001, which also grew between 2024 and 2025 (49 vs 55). Interestingly, System and Organization Controls (SOC) was only mentioned by 17 companies. I find this seemingly low, given the importance of SOC reporting in large public sector companies.
Overall trends
Other interesting observations were what companies listed as their broad efforts as well as disclosures of incidents.
Third-party and supply chain risk management. Acknowledging that external partners and suppliers represent a massive attack vector, multiple companies have instituted rigorous third-party risk management (TPRM) programs. These programs mandate pre-engagement security assessments, continuous monitoring and contractual requirements for vendors to maintain security standards and report breaches promptly. Third-party cybersecurity programs are indispensable in an increasingly interconnected economy and increasing reliance on external tools and services for company processes.
Proactive testing and incident preparedness. Companies are moving past passive defense into proactive and simulated testing. This includes regular penetration testing, vulnerability scanning and engaging independent external auditors or consultants to assess program maturity and test controls. Furthermore, practically all companies maintain formal Incident Response Plans (IRPs) and conduct regular “tabletop exercises” to simulate cyberattacks, ensuring that management, legal and operational teams are prepared to respond to and recover from real-world crises. The devil is in the details on this one. The 10-K is not meant as a detailed technical rundown of company methods, so while it’s good to see, it’s mostly boilerplate language.
Human-centric security defenses. Recognizing that human error is a primary vulnerability, mandatory, enterprise-wide cybersecurity awareness training is a standard requirement. These training programs are frequently supplemented with regular, simulated phishing campaigns to test employee vigilance and provide immediate, targeted feedback or remedial training. This training will need to adapt to the growing sophistication of AI-enabled deep fakes.
Consistent disclosure of “No Material Impact” despite ongoing threats. A ubiquitous trend across the filings is the acknowledgment that while the companies face continuous, sophisticated and evolving cyberattacks, they have not experienced any incidents that have had a material adverse effect on their business strategy, results of operations or financial condition to date. I find this interesting, especially with critical infrastructure and telecoms coming under repeated Volt Typhoon and Salt Typhoon compromises as well as other attacks. Many companies also disclose that they rely on cyber liability insurance to mitigate financial exposure, though they frequently note it may not cover all potential losses. I’ll be doing further research here, as there are likely more interesting findings in the gaps between material impacts, news reporting and formal disclosures.
Artificial intelligence. AI was cited by over 50 companies and is increasingly referenced as a double-edged sword for cybersecurity. Companies are leveraging AI and machine learning to automate threat detection and sort through vast amounts of security data. However, several acknowledged that AI empowers threat actors to execute more sophisticated, high-velocity attacks (e.g. deepfakes, advanced phishing). A further seven companies mentioned the concern of AI and intellectual property disclosures with Prudential and Capital One having the most explicit language on this risk.
Part 2: Data gathering and analysis
This was a very iterative process that grew in complexity as I went along, partly because of the increasing need for accuracy. I used several coding methods and AI tools to do this analysis. At first, I tried to use the big models to do all the work for me, but that quickly failed when they didn’t want to do that level of work! It also became apparent that getting the 10-K filings would take more work than just asking an AI agent.
Enter some vibe coding. I was raised on C, Java and BASH scripting and have avoided using Python until now. Nothing against Python, I just haven’t needed to, and laziness with going with what you already know has won out before. So, this proved a nice additional challenge. Using the datamule Python module and some vibing, I managed to download all the recent 10-Ks for the top 200 companies onto my local machine. From there, I extracted the 1.C sections into a separate file using another Python script. This caused a bit of an issue as there were some differences (~5%) in filings that used a different format, or the cybersecurity write-up was in a different section of the 10-K. About 15 companies put them in the Risk section or elsewhere. I used a second Python script that leveraged the command-line version of Gemini (gemini-cli) to pull this information out.
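The extraction step described above (pull Item 1C out of each downloaded 10-K, and recognise the minority of filings where it is not where you expect) is the kind of thing a short Python function can do before any model is involved. The following is an added example written for this article, not the author’s script: the function name, the regexes and the two sample filings are all constructed for illustration. It returns None for filings without a usable Item 1C so the caller can hand those to a different method, as the article does with gemini-cli.

```python
import re
from typing import Optional

# Headings that open Item 1C and the item that follows it in a standard 10-K.
# Tolerates "Item 1C.", "ITEM 1C -", "Item 1C: Cybersecurity" and stray whitespace.
ITEM_1C_HEADING = re.compile(r"item\s*1c\b\.?\s*[-–—:]?\s*cybersecurity", re.IGNORECASE)
NEXT_ITEM_HEADING = re.compile(r"item\s*2\b\.?\s*[-–—:]?\s*properties", re.IGNORECASE)


def extract_item_1c(filing_text: str, min_chars: int = 200) -> Optional[str]:
    """Return the body text of Item 1C, or None if no usable section is present.

    Every occurrence of the heading is considered because the table of contents
    also contains "Item 1C. Cybersecurity"; that entry yields a body of a few
    characters, so the longest candidate above `min_chars` is taken as the real one.
    None signals the caller to fall back to another method (the ~5% of filings that
    place the disclosure under Risk Factors or elsewhere).
    """
    best: Optional[str] = None
    for match in ITEM_1C_HEADING.finditer(filing_text):
        start = match.end()
        following = NEXT_ITEM_HEADING.search(filing_text, start)
        end = following.start() if following else len(filing_text)
        body = re.sub(r"\s+", " ", filing_text[start:end]).strip()
        if len(body) >= min_chars and (best is None or len(body) > len(best)):
            best = body
    return best


# Constructed sample: a filing with a table of contents and a real Item 1C.
SAMPLE_STANDARD_10K = """
TABLE OF CONTENTS
Item 1B. Unresolved Staff Comments .......... 24
Item 1C. Cybersecurity ...................... 25
Item 2. Properties .......................... 27

ITEM 1B. UNRESOLVED STAFF COMMENTS
None.

ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We maintain a cybersecurity program aligned to the NIST Cybersecurity Framework.
Our Chief Information Security Officer, who has over 20 years of experience,
reports to the Chief Information Officer and briefs the Audit Committee quarterly.
To date we have not experienced a cybersecurity incident that materially affected
our business strategy, results of operations or financial condition.

ITEM 2. PROPERTIES
Our corporate headquarters is located in a leased facility.
"""

# Constructed sample: the cybersecurity discussion lives under Risk Factors, no Item 1C.
SAMPLE_RISK_FACTORS_ONLY = """
TABLE OF CONTENTS
Item 1A. Risk Factors ....................... 12
Item 2. Properties .......................... 27

ITEM 1A. RISK FACTORS
Cybersecurity risks. We depend on information technology and face attempts to
compromise our systems; our governance of these risks is described below.

ITEM 2. PROPERTIES
"""

if __name__ == "__main__":
    section = extract_item_1c(SAMPLE_STANDARD_10K)
    print("standard filing ->", section[:60] + "...")
    print("risk-factors-only filing ->", extract_item_1c(SAMPLE_RISK_FACTORS_ONLY))
```

Keeping the filings that return None in a separate list gives you an exact count of the non-standard layouts, which is the figure worth reporting alongside the ~5% the article quotes.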
I then created a database in PostgreSQL to store some of the key findings and allow further analysis. To get the data in, I created a Python script that ran each of the 1.C files through Gemini and Claude using Python API calls.
The use of the Gemini API and Anthropic API was the new part that I really wanted to test out, and it proved very interesting. LLMs really shine at condensing and summarizing large texts for meaning. The alternative would be very complex, manually written regular expressions. Using the Gemini API and Anthropic API, it took the below prompt and produced a string that I could then plug into the SQL command. Very cool seeing this work. (Note: I was also thinking of how to do prompt injection, data poisoning and the like with this, but the dataset was small and controlled and this isn’t production code!)
[Figure credit: Derek Dye]
As a verification step, I then wrote another script that found all database entry differences between Gemini and Claude answers and ran the original 1.C section through Gemini again and told it to pick which answer was better. This changed about 10-30% of the entries, depending on the field. Additional analysis was done in Google Sheets and Google NotebookLM.
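The cross-model check described above (diff the Gemini and Claude entries, then send only the disagreements back for adjudication) is a small amount of code once both result sets are keyed the same way. Below is an added example written for this article, not the author’s script: the function names and the eight constructed rows are mine, and the normalization step is my assumption about what should not count as a disagreement (case, whitespace and punctuation differences such as “NIST CSF” vs “nist-csf”), so that the tie-break budget is spent on real conflicts.

```python
import re
from typing import Dict, List, Tuple

Key = Tuple[str, str]        # (ticker, filing_date)
Row = Dict[str, object]      # the five fields the prompt asks for
FIELDS = ("senior_cyber", "report_to", "board", "standards", "years_of_experience")


def normalize(value: object) -> str:
    """Fold case, whitespace and punctuation so cosmetic differences are not disagreements."""
    text = re.sub(r"[^a-z0-9 ]+", " ", str(value).lower())
    return " ".join(text.split())


def field_disagreements(model_a: Dict[Key, Row], model_b: Dict[Key, Row]) -> Dict[str, dict]:
    """Per field: the filings where the two models disagree, and the rate over filings both produced."""
    shared = sorted(set(model_a) & set(model_b))
    report = {}
    for field in FIELDS:
        differing = [
            key for key in shared
            if normalize(model_a[key].get(field, "")) != normalize(model_b[key].get(field, ""))
        ]
        report[field] = {
            "count": len(differing),
            "rate": len(differing) / len(shared) if shared else 0.0,
            "filings": differing,
        }
    return report


def adjudication_queue(model_a: Dict[Key, Row], model_b: Dict[Key, Row],
                       report: Dict[str, dict]) -> List[Tuple[Key, str, object, object]]:
    """Flatten the report into (key, field, answer_a, answer_b): exactly the items to send
    back with the original 1.C text for a tie-break, nothing more."""
    return [
        (key, field, model_a[key].get(field), model_b[key].get(field))
        for field, info in report.items()
        for key in info["filings"]
    ]


# Constructed sample rows standing in for the two models' database entries.
GEMINI_ROWS: Dict[Key, Row] = {
    ("AAA", "2025-02-01"): {"senior_cyber": "CISO", "report_to": "CIO", "board": "Audit Committee",
                            "standards": "NIST CSF", "years_of_experience": 25},
    ("BBB", "2025-02-10"): {"senior_cyber": "CISO", "report_to": "CEO", "board": "Audit Committee",
                            "standards": "NIST CSF, ISO 27001", "years_of_experience": 20},
    ("CCC", "2025-02-15"): {"senior_cyber": "CIO", "report_to": "unknown", "board": "Risk Committee",
                            "standards": "unknown", "years_of_experience": 0},
    ("DDD", "2025-03-01"): {"senior_cyber": "CSO", "report_to": "CTO", "board": "Board of Directors",
                            "standards": "ISO 27001", "years_of_experience": 18},
}
CLAUDE_ROWS: Dict[Key, Row] = {
    # cosmetic differences only: should not be flagged
    ("AAA", "2025-02-01"): {"senior_cyber": "CISO", "report_to": "CIO", "board": "audit committee",
                            "standards": "NIST-CSF", "years_of_experience": 25},
    # report_to and years_of_experience genuinely differ
    ("BBB", "2025-02-10"): {"senior_cyber": "CISO", "report_to": "CFO", "board": "Audit Committee",
                            "standards": "NIST CSF, ISO 27001", "years_of_experience": 22},
    # senior_cyber and report_to genuinely differ
    ("CCC", "2025-02-15"): {"senior_cyber": "CISO", "report_to": "CIO", "board": "Risk Committee",
                            "standards": "unknown", "years_of_experience": 0},
    ("DDD", "2025-03-01"): {"senior_cyber": "CSO", "report_to": "CTO", "board": "Board of Directors",
                            "standards": "ISO 27001", "years_of_experience": 18},
}


def run_comparison() -> Dict[str, dict]:
    return field_disagreements(GEMINI_ROWS, CLAUDE_ROWS)


if __name__ == "__main__":
    report = run_comparison()
    for field, info in report.items():
        print(f"{field:20s} disagreements={info['count']} rate={info['rate']:.0%}")
    for item in adjudication_queue(GEMINI_ROWS, CLAUDE_ROWS, report):
        print("tie-break needed:", item)
```

The per-field rate is the number to watch: a field that disagrees on a third of filings (as the article reports for some) is telling you the prompt for that field is ambiguous, and tightening its wording is cheaper than adjudicating every row.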
With this, I created a basic AI-enabled workflow. It wasn’t agentic, but it would be interesting to create an automated, agentic version. This project showed some of the productivity potential of AI by allowing me to do very detailed research in about 15-20 hours of work, which would have taken at least twice as long by hand. It also highlighted the continued issue with accuracy where accuracy is needed: the bulk of the 15-20 hours was spent on verification and refinement to make sure the AI answers were correct.
The total cost in tokens for development, debugging and running was around $15: not expensive, but not something I’d likely develop for every project I have. The bulk of that cost came with the refinement and the addition of verification checks to ensure the data was correct. Next projects might try to do this on my local computer using a local LLM like Llama 3 via Ollama, or maybe an agent that allows queries to the dataset this project created.
GEMINI_PROMPT = """
Analyze this SEC 10-K document and extract the following cybersecurity information.
Return the response strictly as a JSON object with these exact keys:
{
    "senior_cyber": "Name or title of the senior person responsible for cybersecurity. Provide a one word response either CISO, CTO, CSO, CIO, or position title.",
    "report_to": "Title or name of who the senior cybersecurity person reports to. one word response either CEO, CTO, CSO, CIO, position title, or unknown. ",
    "board": "The board committee overseeing cybersecurity Provide a 1-3 word answer. ",
    "standards": "The cybersecurity standards/frameworks used use provide 5-7 word answer. If unknown, state unknown. use acronyms if available (e.g., NIST, NIST CSF, NIST CSF 2.0, ISO 27001)",
    "years_of_experience": integer representing years of experience (use 0 if unknown)
}
"""
MODEL_ID = 'gemini-2.5-flash'
-------
# 6. Update PostgreSQL
# Excerpt from the larger script: `cursor` and `conn` come from the database connection
# opened earlier (the %s paramstyle is psycopg2's), `gemini_data` is the model's reply
# parsed into a dict, and `prefix`, `year`, `month`, `day` identify the filing being stored.
upsert_query = """
INSERT INTO company_cyber_filings_v1_4
    (ticker, filing_date, senior_cyber, reports_to, board, standards, years_of_experience)
VALUES (%s, %s, %s, %s, %s, %s, %s)
ON CONFLICT (ticker, filing_date)
DO UPDATE SET
    senior_cyber = EXCLUDED.senior_cyber,
    reports_to = EXCLUDED.reports_to,
    board = EXCLUDED.board,
    standards = EXCLUDED.standards,
    years_of_experience = EXCLUDED.years_of_experience;
"""
formatted_date = f"{year}-{month}-{day}"  # Formatted for standard SQL DATE
cursor.execute(upsert_query, (
    prefix,
    formatted_date,
    gemini_data.get("senior_cyber"),
    gemini_data.get("report_to"),  # prompt key is "report_to"; the column is "reports_to"
    gemini_data.get("board"),
    gemini_data.get("standards"),
    gemini_data.get("years_of_experience"),
))
# Values are passed as bound parameters, so the driver handles quoting; the model's
# output never gets string-formatted into the SQL text.
conn.commit()
print(" -> Saved to database.")
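The upsert above binds the model’s answers as parameters, which already keeps them out of the SQL text; what it does not do is check that the reply actually matches the schema the prompt asked for before the row is written. For the prompt-injection and data-poisoning worry raised earlier, that schema check is the cheap control: a reply with an unexpected key, a paragraph where a one-word role was requested, or a string where an integer was requested should be rejected and logged, not stored. The following is an added example written for this article, not the author’s script: the function names, the bounds and the sample replies are constructed, and the allowed role acronyms are taken from the prompt.

```python
import json
import re
from typing import Any, Dict

# Exact key set the prompt asks the model to return.
EXPECTED_KEYS = {"senior_cyber", "report_to", "board", "standards", "years_of_experience"}
# One-word answers the prompt names; anything else must look like a short position title.
ROLE_ACRONYMS = {"CISO", "CTO", "CSO", "CIO", "CEO", "CFO"}
# Free-text fields may carry letters, digits, spaces and a little punctuation, nothing else.
SAFE_TEXT = re.compile(r"^[A-Za-z0-9 .,&/()'-]+$")


def _clean_text(value: Any, field: str, max_words: int, max_chars: int) -> str:
    if not isinstance(value, str):
        raise ValueError(f"{field}: expected a string")
    value = " ".join(value.split())  # collapse newlines and runs of whitespace
    if not value or len(value) > max_chars or len(value.split()) > max_words:
        raise ValueError(f"{field}: length outside expected bounds")
    if not SAFE_TEXT.match(value):
        raise ValueError(f"{field}: unexpected characters")
    return value


def _clean_role(value: Any, field: str) -> str:
    text = _clean_text(value, field, max_words=6, max_chars=60)
    upper = text.upper()
    if upper in ROLE_ACRONYMS or upper == "UNKNOWN":
        return upper
    return text  # a position title such as "Vice President, Information Security"


def parse_model_output(raw: str) -> Dict[str, Any]:
    """Parse a model reply and return a clean dict, or raise ValueError if it is off-schema."""
    # Models often wrap JSON in ```json fences even when told not to; strip those only.
    stripped = re.sub(r"^```(?:json)?\s*|\s*```$", "", raw.strip())
    try:
        data = json.loads(stripped)
    except json.JSONDecodeError as exc:
        raise ValueError(f"reply is not valid JSON: {exc}") from None
    if not isinstance(data, dict) or set(data) != EXPECTED_KEYS:
        raise ValueError("reply does not have exactly the expected keys")
    years = data["years_of_experience"]
    if isinstance(years, bool) or not isinstance(years, int) or not 0 <= years <= 60:
        raise ValueError("years_of_experience: expected an integer between 0 and 60")
    return {
        "senior_cyber": _clean_role(data["senior_cyber"], "senior_cyber"),
        "report_to": _clean_role(data["report_to"], "report_to"),
        "board": _clean_text(data["board"], "board", max_words=5, max_chars=60),
        "standards": _clean_text(data["standards"], "standards", max_words=12, max_chars=120),
        "years_of_experience": years,
    }


def is_valid_reply(raw: str) -> bool:
    """True when the reply passes validation; False means log it and skip the row."""
    try:
        parse_model_output(raw)
        return True
    except ValueError:
        return False


def to_upsert_params(ticker: str, filing_date: str, clean: Dict[str, Any]) -> tuple:
    """Parameter tuple for the parameterised INSERT ... ON CONFLICT upsert (column order
    ticker, filing_date, senior_cyber, reports_to, board, standards, years_of_experience)."""
    return (ticker, filing_date, clean["senior_cyber"], clean["report_to"],
            clean["board"], clean["standards"], clean["years_of_experience"])


# Constructed sample replies.
GOOD_REPLY = ('```json\n{"senior_cyber": "CISO", "report_to": "CIO", "board": "Audit Committee", '
              '"standards": "NIST CSF, ISO 27001", "years_of_experience": 25}\n```')
EXTRA_KEY_REPLY = ('{"senior_cyber": "CISO", "report_to": "CIO", "board": "Audit Committee", '
                   '"standards": "NIST CSF", "years_of_experience": 25, "note": "extra field"}')
VERBOSE_REPLY = ('{"senior_cyber": "The company appoints a Chief Information Security Officer '
                 'who leads a dedicated team", "report_to": "CIO", "board": "Audit", '
                 '"standards": "unknown", "years_of_experience": 0}')
STRING_YEARS_REPLY = ('{"senior_cyber": "CISO", "report_to": "unknown", "board": "Audit", '
                      '"standards": "unknown", "years_of_experience": "25"}')

if __name__ == "__main__":
    clean = parse_model_output(GOOD_REPLY)
    print(to_upsert_params("AAA", "2025-02-01", clean))
    for name, reply in [("extra key", EXTRA_KEY_REPLY), ("verbose", VERBOSE_REPLY),
                        ("string years", STRING_YEARS_REPLY)]:
        print(name, "->", "accepted" if is_valid_reply(reply) else "rejected")
```

Rejected replies are worth keeping in a side table with the ticker and the raw text: a cluster of them on one field is the same signal as a high cross-model disagreement rate, namely that the prompt for that field needs tightening.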
This article is published as part of the Foundry Expert Contributor Network.