Audit Analytics released its third annual Trends in Cybersecurity Breaches report last week. This report delves into trends in public company disclosures of cyber breaches since 2011. The analysis, covering 2011 through 2020, examines a full decade's worth of data.
Other than a small decrease in 2015, the most notable trend has been the proliferation of cybersecurity breaches, though 2020 saw a reversal of this trend, with the number falling by nearly 20% from 2019. Despite the decrease, cyber breaches remain a persistent threat, with 2020 having the third-most cyber breach disclosures on record.
The decrease in the number of breaches in 2020, while notable, may not reflect a broader decline or leveling off. It is possible that monitoring processes and controls were less effective at quickly identifying breaches during 2020, as many companies switched to remote work. It will be important to monitor the 2021 disclosures to see if 2020 was unusual because of the COVID-19 pandemic, or if it is a sign of a larger trend.
Other trends, such as timelier discoveries of cyber breaches and slightly longer times to disclose these breaches, have continued. The median number of days to discover a cyber breach was just 16 days in 2020, while the median number of days to disclose a breach was 37 days.
The median number of days to discover a breach was the lowest since 2017. The decreasing number of days to discover a breach may be a sign that companies are implementing better controls to monitor for cyber incidents, which enables more timely discovery.
The median number of days to disclose the breach was at its highest since at least 2016. The increase in the median time to disclose a breach could be a sign companies are prioritizing complete notification over quick notification. This can be seen in the percentage of companies that disclose a type of attack, which grew to 90% in 2020 from less than 60% between 2011 and 2019.
The disclosure improvements may also be attributable to disclosure guidance. The SEC’s 2018 guidance, which emphasized disclosure expectations, highlighted seven disclosure considerations in periodic reports: business operations, risk factors, legal proceedings, management’s discussion & analysis (MD&A), financial statements and disclosures, controls, and corporate governance. Overall, nearly 30% of public companies with a cyber breach between 2011 and 2020 disclosed the breach in an SEC filing. The most common disclosures were in the risk factors section.