Friday, September 22, 2023
Cyber risk management reporting in annual statements: plagiarism, ignorance or inevitable?  

One of the requirements recently put forward by the SEC (Securities and Exchange Commission) in its revised guidance for reporting on cyber risk by registrant companies in their annual reports is for the reduction of “boilerplate” text.  This might not be as easy as you think. 

Annual reports are published to give shareholders as good a view as possible of the performance of the companies in which they invest, and to enable those investors to understand the risks to their capital so that they have as much information as possible on which to base their investment decisions.  These are published via the SEC as 10-K reports.  Foreign companies are required to submit a 20-F.

The SEC is seeking better to organise company reporting on its cyber risk management approach, brigading key statements into a separate section, rather than spreading commentary around the various parts of the 10-K.

This change takes place with effect from 15 December 2023, thereby requiring all companies with a 31 December year-end to include the new section in their 10-K reports.

This does not allow much time. And for the companies whose reports we have reviewed, this could be a struggle. 

REVIEW OUTCOMES 

Previous research has shown us that many companies recycle text year on year in their annual reports.  In this instance we wanted to establish whether companies were borrowing text from their analogues (or had been borrowed from), given the SEC’s explicit wish to avoid ‘boilerplate’. We reviewed the reporting of 32 marine companies listed on the NYSE. We looked at five key areas of text:

– IMO rules
– GDPR rules
– Russia/Ukraine
– SEC rule changes
– Generic cyber risk commentary

In our analysis, we found: 

  • 19 companies had largely similar text on cyber risk;  
  • 15 companies appear to have shared the pen on Ukraine;  
  • 11 companies had very similar text on IMO Cyber requirements;  
  • 3 companies expressed identical views of SEC rule changes; and 
  • 5 companies shared two variants of text on GDPR.

The SEC wants companies to set out how they identify, detect and monitor threats to their cyber systems; it wants to understand the process whereby companies decide that breaches are material; and it would like to see evidence of organisational changes to support the board in the execution of its fiduciary duty to protect the assets of the business.

  • Since the board of directors ultimately signs the 10-K, its members have a keen self-interest in ensuring that the contents are defensible, true and proportionate. But they will not necessarily have the inclination to check that what they are saying qualitatively differs from the competition. However, investors might choose to widen their research and in doing so may find that the industry is not representing itself as well as it might.
  • Companies have got a lot to do to persuade their shareholders, regulators and stakeholders that they have a cyber problem managed. They need to be able to reassure their stakeholders that they understand the size, scale and complexity of the problem whilst not promising infallibility. Companies know that shareholders punish companies for breaches if the narrative is not properly controlled. 
  • There is lots to do to educate boards in recognising that a competent approach to cybersecurity can be a business enabler and a source of competitive advantage.  Companies also need to take a comprehensive approach to cyber security to be able to provide good evidence that all reasonable steps are being taken to protect the interests of the shareholders. This does not mean revealing data which could provide help to an attacker; rather it means evidence available to share with interested parties should there have been an incident. 
  • It could be argued that the closeness of the text between the companies demonstrated their identical views on the cyber threat. But the copying and reuse of text, even if the sentences are moved around within sections, is extensive. 

These companies have been sharing / borrowing text liberally from each other. But while the words tell the reader of good things, their extensive repetition can hardly promote investor confidence. And for those companies whose year ends on December 31st, there is not much time to change.  
 
As ever, please contact us if you would like to discuss things further. #astaaracyber 

  • William Egerton
    Chief Cyber Officer