The number of cybersecurity breaches disclosed by public companies in 2021 increased 44 percent while reports of ransomware attacks also surged, according to the latest annual study.

Audit Analytics’ “Trends in Cybersecurity Breach Disclosures” report identified 188 breaches disclosed in 2021, the highest number in a single year since at least 2011. Between 2020 and 2021, cybersecurity breaches from unauthorized access were up 118 percent, and ransomware attacks were up 44 percent.

The results reflect existing Securities and Exchange Commission requirements that do not specifically mandate disclosure of cybersecurity events in SEC filings but do require disclosure of risks that could have a material effect on the company and its financial statements. The SEC proposed amended rules in March that would require increased standard cybersecurity disclosures for all public companies, including reporting material incidents no later than four business days after they occur.

Below are highlights from the Audit Analytics report.

Number of cybersecurity incidents: Since 2011, the first year of the study, the number of incidents disclosed annually has increased almost 600 percent. The record total of 188 in 2021 spanned 169 companies, according to Audit Analytics.

The number of companies impacted by cybersecurity incidents rose 51 percent from 2020, the report stated.

Types of attack: The most common cybersecurity breaches disclosed in 2021 were unauthorized access (41 percent), ransomware (24 percent), misconfiguration (9 percent), malware (6 percent), and phishing (6 percent), according to the report.

Unauthorized access has been the most common type of breach disclosed overall since 2011 (21 percent). Ransomware breach disclosures in 2021 (46) were significantly higher than the 34 in 2020 and eight in 2019.

Since 2011, ransomware attacks have represented 10 percent of total breaches disclosed, a number projected to continue to climb.

Types of information: The most frequent types of compromised information disclosed in 2021 were personal (45 percent), financial (22 percent), and other intellectual property and proprietary business information (11 percent). These results were consistent with the report’s findings since 2011.

The most common types of personal information affected in 2021 were names (52 percent) and Social Security numbers (34 percent). Social Security number breaches have risen every year since 2016.

Discovery and disclosure time: In 2021, it took an average of 42 days to discover a breach, down from 54 in 2020. Over the last five years, the average was 93 days, the report noted.

It took 80 days (11 weeks) on average in 2021 for companies to disclose cybersecurity breaches once they were discovered. This was the longest average in the last five years—nearly three weeks longer than in 2020 (61 days).

Incident details: In 2021, 87 percent of disclosures included the type of attack, a significant increase since 2011 (25 percent). However, 78 percent of disclosures specified the type of information compromised, a new low since 2011, the report found.

From 2011-21 overall, 91 percent of disclosures provided this information.

The date the breach was discovered was included in 56 percent of 2021 disclosures, consistent with the previous two years.

Cost information (e.g., investigation, remediation, legal fees, reputational costs) was included in only 9 percent of 2021 disclosures, slightly under the 11 percent figure overall since 2011.

Method of disclosure: Of breaches disclosed in 2021, 43 percent came via SEC filings. The other 57 percent included media and other regulatory notifications, Audit Analytics noted.

The most common disclosure locations in 2021 SEC filings were in risk factors (33 percent), Forms 8-K or 6-K (18 percent), notes to financial statements (12 percent), and management’s discussion and analysis (11 percent).

Only 4 percent disclosed company internal controls related to the cybersecurity breach, although Sarbanes-Oxley Section 302 requires disclosure of changes that indicate there could be a significant deficiency in companies’ internal controls over financial reporting and subsequent remediations made to improve internal controls.