In our latest report, Trends in Cybersecurity Breach Disclosures, we delve into the trends and statistics of public company cybersecurity and cyber disclosure. Over the past ten years, cybersecurity has become a greater threat for public companies, as both business and commerce have become more dependent on technology. Cyber threats from social engineering schemes to sophisticated programs put customer data, financial accounts, and even proprietary information at risk to third-party access.
Since 2011, we have seen a general trend – excluding 2015 – of increased cyber breaches afflicting public companies. The growth in number of breaches has climbed from 62 in 2016 and 91 in 2017, to a high of 121 breaches in 2018.
In general, breaches have not been discovered and reported in a timely manner. It took the average company 123 days to discover a breach had occurred. Though, this number was skewed due to breaches such as the one disclosed by 1-800 Flowers, which began in 2014 and wasn’t discovered until 2018. The median breach was discovered in 35 days.
Additionally, it took, on average, another 44 days, or a median of 26 days, for public companies to report the breach. From the time of the initial breach to the disclosure of the breach, it took public companies an average of over five months and a median of two months to disclose the company’s data had been breached.
The disclosure of cyber breaches can vary widely due to several factors, including the type of information compromised, the jurisdiction of the data breach, or the materiality of the data breach. For instance, in Maine, breaches are required to be disclosed “no longer than 7 business days after a law enforcement agency determines that the notification will not compromise a criminal investigation,” while in Connecticut, breaches are required to be disclosed “not later than ninety days after the discovery of such breach.
That being said, it is no wonder that cyber breach disclosure is inconsistent. For example, half of all public company cyber breach disclosures do not identify the type of cyberattack used in the breach. The most common type of cyberattack was malware, including ransomware, which accounted for 21% of cyber breaches.
Trends in Cybersecurity Breach Disclosures provides a deeper analysis on these topics, as well as the information compromised, number of attacks per company, and industry breakdown.
Key Findings include:
- On average, companies discovered a cyber breach 123 days after its occurrence and disclosed the breach after another 44 days. The number of days it takes to uncover a breach varies based on industry, type of breach, and type of information compromised
- Only about 50% of firms that disclosed a breach provided information on the type of attack that occurred
- 70% of companies disclosed one cyber breach and about 30% disclosed multiple breaches
- For public companies, service and manufacturing sectors had the greatest number of disclosed cyberattacks
In summary, cybersecurity is a growing threat for public companies and must be monitored and addressed with adequate resources depending on the specific circumstances of each company. Processes must be implemented to not only protect against cyberattacks, but also to detect cyber breaches and communicate critical and material information.
If you would like to learn more about our cybersecurity data and exploratory research, please contact us at info@auditanalytics.com or (508) 476-7007.