These days, with the government regularly warning of the likelihood of cybersecurity breaches, concerns about cyber threats have only multiplied. Introducing the SEC’s new proposal for cybersecurity disclosure in March (see this PubCo post), Renee Jones, Director of Corp Fin, said that in today’s digitally connected world, cyber threats and incidents represent a continuing and growing threat to public companies and their shareholders. In light of the pandemic-driven trend of working from home and, even more seriously, the potential impact of horrific global events, cybersecurity risk is affecting almost every reporting company, she continued. While threats have increased in number and complexity, Jones said, today, company cybersecurity disclosure is not always decision-useful and is often inconsistent, not timely, and sometimes difficult for investors to locate. Additionally, some material incidents may not be reported at all. Audit Analytics has just published a new report on trends in the disclosure of cybersecurity incidents. The report indicates that, in 2021, there was a 44% increase in the number of breaches disclosed, from 131 in 2020 to 188 in 2021, the most breaches disclosed in a single year since 2011. And, since 2011, the number of cybersecurity incidents reported annually has increased by almost 600%. Interestingly, however, in 2021, only 43% of cybersecurity incidents were disclosed in SEC filings, according to the report.
As you probably know, the SEC currently has no prescriptive cybersecurity disclosure requirements for public companies. In 2018, the SEC adopted guidance on cybersecurity disclosure that addressed disclosure obligations under existing laws and regulations, cybersecurity policies and procedures, disclosure controls and procedures, insider trading and Reg FD prohibitions, and selective disclosure prohibitions in the context of cybersecurity. That guidance built on Corp Fin’s 2011 guidance on this topic (see this Cooley news brief), adding, in particular, new discussions of policies and insider trading. (See this PubCo post.) While there were improvements in disclosure after the guidance was published, concerns remained that companies’ responses to the guidance were inconsistent, not comparable, and not decision-useful, hence the SEC’s new proposal.
According to Audit Analytics, digital data is relied on almost everywhere, but this data is vulnerable: “Companies must install information security systems and monitor cybersecurity controls to protect their organizations from breaches or attacks. In addition to these concerns, cybersecurity threats are becoming more advanced.” For the report, Audit Analytics analyzed publicly disclosed cybersecurity breaches by SEC registrants during the period from 2011 to 2021. Sources included SEC filings, state documents, and press reports.
Notably, in 2021, only 43% of cybersecurity incidents were disclosed in SEC filings, including the first disclosure of the incident or any other details subsequently provided by the company. That means 57% were not disclosed in SEC filings. Where were the rest disclosed? According to the report, in press coverage and notifications from the state attorneys general.
In SEC filings, the disclosure most often appeared in the Risk Factors sections of periodic reports (33% of breaches), while 18% were disclosed on Form 8-K or 6-K, 12% in financial statement footnotes, 11% in MD&A, and 3% elsewhere.
Only 4% discussed the cybersecurity breach in the context of a company’s controls. However, as Audit Analytics notes, cybersecurity incidents can involve internal controls, pointing to a 2018 report of investigation from the SEC, which advised that companies consider the potential impact of cyber threats when implementing internal accounting controls. In addition, the report states, SOX 302 requires companies to disclose all changes that could materially affect internal control over financial reporting (ICFR), which could include “remediation of ICFR deficiencies related to cybersecurity and any changes that have been made to improve [ICFR] after a breach. If controls are insufficient to prevent a cybersecurity attack, material changes made to remedy the deficiency would be a mandatory disclosure.”
What did the disclosures cover? In most cases, Audit Analytics reports, disclosures describe the type of breach or attack, such as malware, ransomware, phishing, unauthorized access, and misconfiguration (i.e., “exploiting protections and improperly assembled web applications”). In 2021, about 87% of disclosures specified the type of attack, compared to just 25% in 2011. About 41% of all attacks disclosed in 2021 were categorized as unauthorized access (78 breaches disclosed in 2021, compared to just 39 in 2020), with ransomware accounting for around 24% (46 breaches in 2021, compared to 34 in 2020 and eight in 2019).
The disclosures also often addressed the nature of the information compromised and whose information was affected. In 2021, Audit Analytics reports, about 78% of disclosures specified the type of information compromised, about the same as the low point reached in 2020. Interestingly, in 2011, 2012, 2014, and 2016, all disclosures specified the type of information compromised, and the other years, except the two most recent, were close. In 2021, the most common type of information compromised was personal information such as names and social security numbers (about 45%), followed by financial information (22%). Around 22% of disclosures did not specify the type of data compromised, which could reflect the 2021 increase in ransomware attacks, which do not necessarily result in data compromise.
Only some of the disclosures provided information about when the breach occurred and when it was discovered. In 2021, the date of breach discovery was disclosed by just over 56% of companies reporting incidents. The highest point (62%) was reached in 2018; before that, the discovery date was disclosed by less than 50% of companies, falling to a low point of around 13% in 2012.
The length of time between occurrence and discovery is sometimes called the “discovery window”; long discovery windows can indicate control problems. In 2021, the discovery window was 42 days on average, with a median of 17 days, compared to an average in 2020 of 54 days with a median of about 15 days. In 2018 and 2019, the averages were substantially longer (122 days and 144 days, respectively), likely reflecting the impact of outliers with windows longer than four years in both cases. What about the disclosure window, the time between discovery and disclosure of the incident? In 2021, the disclosure window averaged 79 days with a median of 56 days, the longest average and median disclosure windows in the last five years. That compares with an average of 61 days and a median of about 31 days in 2020. The longest disclosure window in 2021 was about eight months, Audit Analytics reported.
According to the report, not many companies included disclosure of company-incurred costs associated with the incident, such as investigation and remediation costs, costs related to hiring cybersecurity experts, and potentially litigation costs, as well as economic and reputational costs. In 2021, only 16 companies (about 8%) disclosed specific costs. The highest point was reached in 2014, when 26% of companies disclosed costs. That may be explained in part because “exact costs may not be readily available after a breach and subsequent submissions may add more detail after a thorough evaluation. Therefore, the downward trend in the percentage of breaches disclosing costs may be partially attributed to less information on newer incidents.” Over the entire period, the highest disclosed costs were related to unauthorized access: a total of $7.4 billion since 2011. The report indicates that four of the ten costliest breaches since 2011 were due to unauthorized access, including two that cost each company more than $1 billion.