ThreatNG Security

Human Capital Management (SEC 10-K)

The Human Capital Management (HCM) section in a 10-K filing is a relatively new disclosure area introduced by the SEC. It is optional for all companies, but some include it to provide transparency about how they manage their workforce.

Here's a breakdown of what might be included in the HCM section of a 10-K filing (if present):

  • Workforce Composition: The company might disclose the number of employees, broken down by categories like location, job type, or full-time/part-time status.

  • Human Capital Strategy: The filing may outline the company's approach to attracting, developing, and retaining talent. It could include investment in training programs, diversity and inclusion initiatives, or work-life balance initiatives.

  • Human Capital Metrics: Some companies might include quantitative metrics related to their human capital management, such as employee turnover rates, rates of promotion from within, or employee satisfaction scores.

Why do Companies Include a Human Capital Management Section?

While not mandatory, companies may choose to include an HCM section for several reasons:

  • Highlighting Investment in People: A well-defined human capital strategy demonstrates a company's commitment to its personnel, which can give it a competitive edge in attracting and retaining top talent.

  • Enhancing Investor Confidence: Transparency about how a company manages its human capital can build investor confidence in its long-term sustainability.

  • Meeting Stakeholder Interest: Environmental, social, and governance (ESG) considerations are gaining the attention of stakeholders and investors alike, and human capital management is a crucial part of ESG.

What to Consider When Reviewing a Human Capital Management Section:

While the specific content of the HCM section will vary depending on the company, here are some things to consider when reviewing it:

  • Alignment with Strategy: Does the human capital strategy align with the company's overall business strategy and talent needs?

  • Focus on Metrics: Does the company use quantitative metrics to track the effectiveness of its human capital programs?

  • Investment in Training and Development: Does the business fund employee training and development programs to retrain and upskill its staff?

By including a Human Capital Management section in their 10-K filings, companies can demonstrate their commitment to a skilled and engaged workforce, potentially enhancing investor confidence and their employer brand.

ThreatNG's ability to analyze the "Human Capital Management" (HCM) section within 10-K filings (if present) offers insights beyond just employee headcount. Here's how it can benefit organizations in security and risk management:

1. Identifying Potential Workforce Risks:

  • High Turnover and Security Concerns: ThreatNG can analyze a potential vendor's 10-K filing to understand workforce composition and turnover rates within the HCM section. High turnover, especially in critical security positions, could indicate knowledge gaps or training deficiencies, potentially increasing the risk of security incidents.

  • Skills Gaps and Phishing Susceptibility: Based on the HCM section, ThreatNG can help identify potential skills gaps within a vendor's workforce. A lack of cyber awareness training could make the vendor's employees more susceptible to phishing attacks, indirectly impacting your security posture.

2. Improved Third-Party Risk Management (TPRM):

  • Evaluating Vendor's Investment in People: ThreatNG can reveal a vendor's commitment to workforce development through details in its HCM section. Investments in training and development programs indicate a proactive approach to addressing security awareness and potential skill gaps, lowering the vendor's overall security risk profile.

  • Informing Workforce-Related Risk Assessments: ThreatNG can provide additional data points for third-party risk assessments. By understanding a vendor's workforce composition, turnover rates, and investment in training, you can make more informed decisions about partnerships.

3. Stronger Supply Chain Risk Management:

  • Mapping Workforce Risks Across the Chain: ThreatNG can analyze HCM sections within multiple vendors' 10-K filings across your supply chain. This allows you to identify patterns of high turnover, skills gaps, or lack of investment in training programs, potentially highlighting areas of increased workforce-related risk within your ecosystem.

  • Prioritizing Remediation Efforts: By understanding various suppliers' workforce composition and development strategies through their HCM sections, ThreatNG can help prioritize which vendors require the most urgent attention regarding workforce-related security risks.

4. Integration with Security, GRC, and Risk Management Solutions:

ThreatNG's 10-K filing insights can be combined with those from other solutions to produce a more thorough risk profile. Here are a few instances:

  • Security Awareness Training Platforms: ThreatNG can identify potential skill gaps or lack of training investment within a vendor's workforce based on the HCM section. This information can be used to target specific security awareness training modules for the vendor's employees.

  • Security Ratings Platforms: ThreatNG can feed information about a vendor's workforce risks, such as high turnover or lack of training, into security rating platforms. This provides a more holistic assessment of the vendor's security posture.

  • Governance, Risk, and Compliance (GRC) Platform: ThreatNG can enrich the risk context within your GRC platform by incorporating information about workforce risks from HCM sections in 10-K filings. This allows for a more effective risk management strategy that considers both internal and external workforce-related vulnerabilities.

Example: A Financial Services Company and its Cloud Service Provider (CSP)

  • A financial services company uses ThreatNG to analyze the 10-K filing of its primary cloud service provider (CSP).

  • ThreatNG identifies that the CSP's HCM section reveals a high turnover rate within its security engineering team. Additionally, the filing mentions limited investment in cybersecurity training programs for new hires.

  • This information is integrated with the company's GRC and security ratings platforms to evaluate the CSP.

  • The GRC platform flags workforce-related risks as a potential vulnerability. The security ratings platform incorporates the high turnover rate and lack of training details into its overall risk assessment of the CSP.

  • The financial services company can discuss these concerns with the CSP and seek assurances about their plans to address workforce stability and invest in cybersecurity training for their employees.

ThreatNG empowers organizations to better understand potential workforce-related risks within their vendor ecosystem by analyzing human capital management practices alongside traditional security measures. This supports building a more resilient security posture across the supply chain.