- Material Incidents
- Posts
- [Material-Incidents] No. 10
[Material-Incidents] No. 10
Nation state threats
Hey everyone,
Back after a couple of weeks off. I’ve been working on a larger analysis that has been taking a bit longer than initially expected, I’m hoping to have an update on that sometime over the next week or two, stay tuned! In the meantime, I was thinking about a newsletter a couple of weeks back on companies that believe they don’t face any cybersecurity risk. This got me thinking about the other end of the spectrum: companies that believe they’re facing extreme security risk. There isn’t a perfect proxy for determining a companies perceived level of risk when looking at 10Ks, outside of ‘we don’t face any cybersecurity risk’. I decided to focus on companies that reference ‘nation state’ or ‘nation-state’ actors in their 10K filings. This isn’t a perfect indicator of perceived risk but mentioning it in your annual 10K likely means your company believes the threat is real. Let’s take a look at the data:
To date there’s been ~4500 10K filings with an Item 1C. Currently, there are 41 filings that mention a ‘nation-state’ or ‘nation state’ risk to their company. Slightly less than 1% of all companies who have made a filing are self reporting a nation state risk 🤔
Filings that mention a nation state threat by sector
No surprise the technology sector is leading the pack with ten mentions of nation state threats, with the industrial sector falling close behind with nine. The sectors paint a high level picture, but diving into specific industries (see below) you can see Aerospace and Defense companies actually have the highest perceived nation state risk followed by software infrastructure.
I only graphed industries that contained more than one entry, there were 22 additional unique industries that I’ve attached as an addendum table at the bottom of this post.
Filings that mention a nation state threat by sector and industry
Looking at this data from a high level, I’m not really surprised with the distribution of this perceived threat. I expect most of our defense companies are constantly probed and attacked along with our leading software companies. I also imagine the 1% is lower than what’s actually happening, as some companies are unlikely to report this level of risk and/or may not even be aware of the threat. It will be interesting to follow how the distribution of companies self reporting evolves over time.
Got any security-related questions? Send them my way, and I’ll share my thoughts in a future newsletter.
Have a great weekend!
Matt
Addendum:
Industry | |
Aerospace & Defense | 5 |
Software - Infrastructure | 4 |
Banks - Regional | 4 |
Software - Application | 2 |
Oil & Gas Equipment & Services | 2 |
Utilities - Regulated Electric | 2 |
Information Technology Services | 1 |
Utilities - Diversified | 1 |
Real Estate - Diversified | 1 |
Telecom Services | 1 |
Engineering & Construction | 1 |
Utilities - Regulated Gas | 1 |
Drug Manufacturers - General | 1 |
Integrated Freight & Logistics | 1 |
Computer Hardware | 1 |
Marine Shipping | 1 |
Biotechnology | 1 |
Oil & Gas E&P | 1 |
Semiconductor Equipment & Materials | 1 |
Airlines | 1 |
Medical Care Facilities | 1 |
Steel | 1 |
Semiconductors | 1 |
Packaging & Containers | 1 |
Lodging | 1 |
Credit Services | 1 |
Building Products & Equipment | 1 |
Diagnostics & Research | 1 |