These days, with our government warning regularly about the likelihood of breaches in cybersecurity, concerns about cyber threats have only multiplied. Introducing the SEC’s new proposal for cybersecurity disclosure in March (see this PubCo post), SEC Corp Fin Director Renee Jones said that, in today’s digitally connected world, cyber threats and incidents pose an ongoing and escalating threat to public companies and their shareholders. In light of the pandemic-driven trend to work from home and, even more seriously, the potential impact of horrific global events, cybersecurity risk is affecting just about all reporting companies, she continued. While threats have increased in number and complexity, Jones said, currently, company disclosure about cybersecurity is not always decision-useful and is often inconsistent, not timely and sometimes hard for investors to locate. What’s more, some material incidents may not be reported at all. Audit Analytics has just posted a new report regarding trends in cybersecurity incident disclosures. The report indicates that, in 2021, there was a 44% increase in the number of breaches disclosed, from 131 in 2020 to 188 in 2021, the most breaches disclosed in a single year since 2011. And, since 2011, the number of cybersecurity incidents disclosed annually has increased nearly 600%. Interestingly, however, in 2021, only 43% of cybersecurity incidents were disclosed in SEC filings, the report said.
As you probably know, currently, the SEC has not mandated prescriptive disclosure requirements about cybersecurity for public companies. In 2018, the SEC adopted guidance on cybersecurity disclosure that addressed disclosure obligations under existing laws and regulations, cybersecurity policies and procedures, disclosure controls and procedures, insider trading prohibitions and Reg FD and selective disclosure prohibitions in the context of cybersecurity. The guidance built on Corp Fin’s 2011 guidance on this topic (see this Cooley News Brief), adding, in particular, new discussions of policies and insider trading. (See this PubCo post.) While there were improvements in disclosure following release of the guidance, concerns remained that company responses to the guidance were inconsistent, not comparable and not decision-useful—hence, the new SEC proposal.
According to Audit Analytics, digital data is relied on just about everywhere, but this data is “vulnerable. Companies must install information security systems and monitor cybersecurity controls to protect their organizations from breaches or attacks. Adding to these concerns, cybersecurity threats are becoming increasingly advanced.” For the report, Audit Analytics looked at cybersecurity breaches publicly disclosed by SEC registrants during the period from 2011 to 2021. Sources included SEC filings, state documents and press reports.
Notably, in 2021, only 43% of cybersecurity incidents were disclosed in SEC filings, including either the first disclosure of the incident or any further details subsequently provided by the company. That means 57% were not disclosed in SEC filings. Where were the rest disclosed? According to the report, in press coverage and notifications from state attorneys general.
In SEC filings, disclosure appeared most often in the Risk Factors sections of periodic reports (33% of breaches), while 18% were disclosed in Forms 8-K or 6-K, 12% in footnotes to the financials, 11% in MD&A and 3% elsewhere.
Only 4% discussed the cybersecurity breach in the context of a company’s controls. However, as Audit Analytics observes, cybersecurity incidents can involve internal controls, pointing to a 2018 investigative report from the SEC, which advised that companies consider the potential impact of cyber threats when implementing internal accounting controls. In addition, the report indicates, SOX 302 requires companies to disclose all changes that could materially affect internal control over financial reporting (ICFR), which could include “remediation of ICFR deficiencies related to cybersecurity and any changes that were made to improve [ICFR] following a breach. If controls are insufficient to prevent a cybersecurity attack, material changes made to remediate the deficiency would be a required disclosure.”
What did the disclosures cover? Most often, Audit Analytics reports, the disclosures described the type of breach or attack, such as malware, ransomware, phishing, unauthorized access and misconfiguration (that is, “exploitation of incorrectly assembled safeguards and web applications”). In 2021, about 87% of disclosures specified the type of attack, compared to only 25% in 2011. About 41% of total disclosed attacks in 2021 were categorized as unauthorized access (78 breaches disclosed in 2021 compared to just 39 in 2020), with ransomware accounting for about 24% (46 breaches in 2021 compared to 34 in 2020 and eight in 2019).
Disclosures also often addressed the nature of the information compromised and whose information was affected. In 2021, Audit Analytics reports, about 78% of disclosures specified the type of information compromised, about the same as the low point in 2020. Interestingly, in 2011, 2012, 2014 and 2016, all of the disclosures specified the type of information compromised, and the other years—except for the two most recent—were close. In 2021, the most common type of information compromised was personal information, such as names and social security numbers (about 45%), followed by financial information (22%). About 22% of disclosed breaches did not disclose the type of information compromised, which might reflect an increase in 2021 in ransomware attacks, which do not necessarily result in a compromise of information.
Only some of the disclosures provided information about when the breach occurred and when it was discovered. In 2021, the date of discovery of the breach was disclosed by just over 56% of companies reporting incidents. The high point (62%) was reached in 2018; before that, the date of discovery was disclosed by under 50% of companies, falling to a low point of about 13% in 2012.
The timespan between occurrence and discovery is sometimes referred to as the “discovery window”; long discovery windows may point to control issues. In 2021, the discovery window was 42 days on average, with a median of 17 days, compared to an average in 2020 of 54 days with a median of about 15 days. In 2018 and 2019, the averages were substantially longer (122 days and 144 days, respectively), probably reflecting the impact of outliers with windows exceeding four years in both cases. What about the disclosure window, the time between discovery and disclosure of the incident? In 2021, the disclosure window averaged 79 days with a median of 56 days, the longest average and median disclosure windows in the last five years. That compares to an average of 61 days and median of about 31 days in 2020. The longest disclosure window in 2021 was about eight months, Audit Analytics reported.
According to the report, not many companies included disclosure about costs incurred by the company associated with the incident, such as costs of investigation and remediation, costs related to engagement of cybersecurity experts and, potentially, litigation costs, as well as economic and reputational costs. In 2021, only 16 companies (about 8%) disclosed specific costs. The high point was reached in 2014, when 26% of companies disclosed costs. That may be explained in part because “exact costs may not be readily available after a breach and subsequent filings can add more details after a thorough assessment. Therefore, the downward trend in the percent of breaches that disclose costs can partially be attributed to less information about newer incidents.” Over the entire period, by far the highest disclosed costs related to unauthorized access—a total of $7.4 billion since 2011. The report indicates that four of the ten costliest breaches since 2011 resulted from unauthorized access, including two that cost each company well over $1 billion.