Cybersecurity breaches are not consistently disclosed promptly after being discovered, according to an Audit Analytics study of public companies released on Friday. On average, publicly held companies took 53 days to disclose a breach incident after discovering it. The 53-day average disclosure timeframe is shorter than the 10-year average of 67 days, but it is the third-highest average of the last five years.
Companies took 37 days to disclose a breach at the median, the longest period recorded since 2016.
The increase in the median time to disclose a breach, according to Audit Analytics, could be a sign companies are prioritizing complete notification over quick notification. As evidence, the research firm points to the percentage of companies that disclosed the type of cyberattack they experienced, which rose to 90% in 2020 from 60% in the 2011-2019 period.
Requirements for breach disclosures vary widely from state to state; many states require breaches to be disclosed “without unreasonable delay,” but there is no standard regulatory requirement, says Audit Analytics.
How, when, and what businesses must disclose following a cyber breach depends on the company’s location, industry, and regulatory agency overseeing the entity.
The SEC disclosure requirements under Regulation S-K and Regulation S-X do not specifically refer to cybersecurity events. However, the requirements impose an obligation to disclose certain types of risks and incidents that could have a material impact.
“Failure to timely disclose a cyber breach after discovery could have serious repercussions, including SEC fines and negative market reaction from investors, especially if the breach is disclosed by a third party and not the affected party itself,” Audit Analytics notes in its report. For victims of data breaches, lags in disclosure time prevent them from setting up defensive measures such as identity theft protection and credit monitoring.
The number of cyber breaches disclosed actually fell nearly 20% in 2020, to 117.
But Audit Analytics suggests that tally “may not reflect a broader decline or leveling off” from the annual increases since 2015. As companies switched to remote work, monitoring processes and controls may not have operated as effectively in 2020 to identify breaches quickly.
“Adding to this, cybersecurity threats are becoming increasingly advanced, and breaches may have occurred that are as of yet undiscovered,” Audit Analytics said in its report. “It would not be surprising to learn of additional attacks that occurred throughout 2020 that remain undisclosed until 2021 or beyond.”
Other notable findings in the Audit Analytics report:
Graphic: Audit Analytics