Cybersecurity Breach Disclosure is Surging
On April 12, Audit Analytics (AA) released Trends in Cybersecurity Breaches (available here for download), AA’s annual report on public company cyber breach disclosures. The analysis covers the years 2011 through 2021. AA finds that, in 2021, 169 public companies disclosed 188 cybersecurity breaches, a new yearly high and a significant increase from the 131 breach disclosures in 2020. AA’s blog post discussing the report states: “This increase is expected, given the current nature of conducting business and inherent digital risk. During the COVID-19 pandemic, businesses shifted their operations to be as ‘online’ as possible. As businesses increase reliance on digital solutions, such as remote working and e-commerce, the virtual door to cyber-security risks opens.”
Some highlights of the report include:
Forty-one percent of 2021 cyber breach disclosures involved unauthorized access (i.e., an unauthorized party gaining access to protected systems and disclosures). Twenty-four percent of 2021 disclosures reported ransomware (malware designed to hold systems hostage until demands are met).
Less than half (43 percent) of public company cybersecurity breaches reported in 2021 were discussed in an SEC filing. Within SEC filings, the most popular disclosure location was the risk factors section of a periodic report. Eighteen percent of breaches were reported in a current report on Form 8-K or 6-K.
The gap between the occurrence of a breach and its disclosure is increasing. In 2021, breaches were disclosed, on average, 79.8 days after they occurred. In 2020, the average was 60.6 days.
Currently, public companies must disclose breaches in their SEC filings if the breach is material, but the content and timing of these disclosures vary widely. See EY Reports on the State of Cybersecurity Risk Disclosure, September-October 2021 Update. In March, the SEC proposed rules that would standardize public company disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting. See SEC Proposes Cyber Risk Management and Attack Disclosure Requirements, March 2022 Update. Among other things, the proposed rules, which would apply to all SEC reporting companies, would require disclosure of specific information about material cybersecurity incidents within four business days after a company determines that it has experienced a material incident. Updated disclosure relating to previously disclosed cybersecurity incidents would be required in subsequent quarterly and annual filings.