Cybersecurity breaches are not consistently disclosed promptly after they are discovered, according to an Audit Analytics study of public companies released on Friday. On average, publicly held companies took 53 days to disclose a breach incident after discovering it. The 53-day average disclosure timeframe is shorter than the 10-year average of 67 days, but it is the third-highest average in the last five years.
Companies took 37 days to disclose a breach at the median, the longest period recorded since 2016.
The increase in the median time to disclose a breach, according to Audit Analytics, could be a sign that companies are prioritizing complete notification over quick notification. As evidence, the research firm points to the percentage of companies that disclosed the type of cyberattack they experienced, which rose to 90% in 2020 from 60% in the 2011-2019 period.
Requirements for breach disclosures vary widely from state to state; many states require breaches to be disclosed “without unreasonable delay,” but there is no standard regulatory requirement, says Audit Analytics.
How, when, and what businesses must disclose following a cyber breach depends on the company’s location, industry, and regulatory agency overseeing the entity.
The SEC disclosure requirements under Regulation S-K and Regulation S-X do not specifically refer to cybersecurity events. However, the requirements impose an obligation to disclose certain types of risks and incidents that could have a material impact.
“Failure to timely disclose a cyber breach after discovery could have serious repercussions, including SEC fines and negative market reaction from investors, especially if the breach is disclosed by a third party and not the affected party itself,” Audit Analytics notes in its report. For victims of data breaches, lags in disclosure time prevent them from setting up defensive measures like identity theft protection and credit monitoring.
The number of cyber breaches disclosed actually fell nearly 20% in 2020, to 117.
But Audit Analytics suggests that tally “may not reflect a broader decline or leveling off” from the annual increases since 2015. As companies switched to remote work, monitoring processes and controls may not have operated as effectively in 2020, making breaches slower to identify.
“Adding to this, cybersecurity threats are becoming increasingly advanced, and breaches may have occurred that are as of yet undiscovered,” Audit Analytics said in its report. “It would not be surprising to learn of additional attacks that occurred throughout 2020 that remain undisclosed until 2021 or beyond.”
Other notable findings in the Audit Analytics report:
- The median number of days to discover a cyber breach was just 16 in 2020, and the average was 44. Last year had the fastest discovery window in the last five years, “suggesting that firms’ cybersecurity controls are becoming better equipped to discover breaches.”
- In 2020, only 10% of breach disclosures did not specify the type of breach, down from 16% and 29% in 2019 and 2018, respectively. “This could be a sign that more entities are choosing to disclose more detailed information or could reflect that information technology security systems are becoming better at detecting and identifying nuanced cyber threats,” Audit Analytics said.
- In 2020, cybersecurity breaches involving malware and unauthorized access accounted for 70% of total breaches that specified the kind of attack. In 2019, only 19% of disclosed attacks involved malware, and 35% involved unauthorized access.
- In 2020, the most common kind of information compromised in a data breach was personal information. Names comprised 53% of breaches, addresses comprised 29% of breaches, and Social Security Numbers comprised 28% of breaches.
- Since 2011, the corporate breaches studied by Audit Analytics have cost companies $40.8 million on average. The costliest attacks occur in the technology sector, involve unauthorized access, or compromise Social Security Numbers.
Graphic: Audit Analytics