[Material-Incidents] No. 8

Immune to cybersecurity risk

Hey everyone,

A slow week for material-incident filings but an exciting week for the security industry with the RSA conference starting this Monday. I unfortunately didn’t make it this year but am lucky enough to work with a presenter. Shoutout to Ads Dawson who is on the OWASP LLM Top 10 Core Team and spoke on a panel discussing red teaming to secure LLM applications and the potential of generative AI to enhance cybersecurity. What a cool opportunity to share his expertise at the largest security conference running!

A couple of weeks ago, I ran a sentiment analysis on all 10K (cybersecurity strategy disclosure) filings to date. There have been a few hundred new filings since then, and as I was reading through a few, one took me aback:

“we do not consider that we face significant cybersecurity risk and have not adopted any cybersecurity risk management program”

This is a callout in the company’s 10K, Item 1C for disclosing their cybersecurity strategy to investors. I’ve never had to file a 10K or any other documents with the SEC, but if I were tasked with describing how my company was handling security risk, ignoring it wouldn’t be my approach. My interest was piqued, so I started searching to understand if this was a one-off. Using the snippet above, I searched the Material-Incidents index, and there were 29 filings containing the exact same phrase! Many of these are shell or blank check companies, but there are several that have legitimate business operations ranging from pharmaceutical research to consumer goods. I don’t believe this was the SEC’s original intent with Item 1C, but we’ll see if this evolves over time. I plan on doing a deep dive into this topic over the coming weeks, so stay tuned if you’re in cyber sales & looking for biz dev opportunities.

This Week’s Filing

Brandywine Realty Trust 8K, May 7, 2024
The company determined a third party had gained unauthorized access to its environment on May 1st. This third-party access led to a service disruption for the company due to the ‘deployment of encryption’ by the actor, AKA ransomware. The company believes the incident has been contained but is still working to bring some of its systems back online. Based on the information known to date, some data was exfiltrated from the company, but the type and extent of that data are not known. Brandywine is evaluating what, if any, regulatory or legal notifications may be required.

Thanks for reading!
Matt