Audit Analytics released its fourth annual Trends in Cybersecurity Breaches report last week. The report examines trends in cyber breaches disclosed by public companies since 2011. Covering 2011 through 2021, the analysis draws on more than a decade's worth of cybersecurity incident and risk data.
The most notable trend is the growth in the number of incidents. After a dip in 2020, 2021 saw more cybersecurity breaches than any prior year: in total, 169 public companies disclosed 188 cybersecurity breaches during the year.
This increase is expected given how business is now conducted and the digital risk that comes with it. During the COVID-19 pandemic, businesses moved their operations online wherever possible. As businesses rely more heavily on digital solutions such as remote working and e-commerce, their attack surface grows with them.
Unauthorized access and ransomware attacks continue to plague public companies. Together, these two attack types accounted for nearly two-thirds of all breaches disclosed during 2021.
SEC Cybersecurity Disclosures
As with last year's report, this year's report highlights the disclosure side of cybersecurity incidents, in particular incidents disclosed in SEC filings. If a cybersecurity incident is expected to be material, it must be disclosed. Beyond that, however, current disclosure rules leave gray areas about when, what, and how information needs to be provided.
The disclosure requirements for cybersecurity incidents are shifting toward enhancing and standardizing disclosures about cybersecurity governance, strategy, and risk management. As of March 2022, the SEC is considering proposed amendments to its rules on the cybersecurity disclosures of public companies. The proposed rules include a number of provisions, such as:
- Current reporting of material cybersecurity incidents under a new Item 1.05 of Form 8-K, and periodic reporting of updates on previously disclosed incidents;
- Periodic reporting on cybersecurity policies, procedures, and risk; the Board of Directors' oversight role with regard to cybersecurity risk; and management's role in, and expertise with, cybersecurity matters;
- Cybersecurity disclosures tagged in Inline XBRL.
Of the cybersecurity breaches reported by public companies in 2021, 43% were discussed in some capacity within an SEC filing. Where those disclosures appeared, however, varied from company to company depending on the circumstances.
Most commonly, cybersecurity breach disclosures appeared in the Risk Factors section of a company's periodic report. Often, a cybersecurity Risk Factor cites the specific breach as an example illustrating future risk.
Outside of periodic reports, companies may also disclose cybersecurity incidents in a current report (Form 8-K, or Form 6-K for foreign private issuers). In Form 8-K, these disclosures occurred most often under Item 7.01 (Regulation FD Disclosure) and the catch-all Item 8.01 (Other Events). The proposed rule changes would instead require companies to disclose material cyber incidents under the newly established Item 1.05.
Given the differences in how companies disclose cybersecurity risk and incident information, it can be difficult to compare one company's risk to another's. Presenting information about cybersecurity risks and incidents in a consistent, comparable, and decision-useful manner would benefit both companies and investors.