Audit Analytics Reports on Cybersecurity Disclosure | Cooley LLP
Today, with our government regularly warning about the likelihood of cybersecurity breaches, concerns about cyber threats have only grown. Introducing the SEC’s new proposal for cybersecurity disclosure in March (see this PubCo article), Corp Fin Director Renee Jones said that in today’s digitally connected world, cyber threats and incidents pose a continuing and growing threat to public companies and their shareholders. In light of the pandemic trend of working from home and, more seriously, the potential impact of horrific global events, cybersecurity risk affects just about every reporting company, she continued. While threats have grown in number and complexity, Jones said, today’s corporate cybersecurity disclosure isn’t always actionable and is often inconsistent, not timely and sometimes difficult for investors to track down. Additionally, some incidents may not be reported at all. Audit Analytics has just released a new report on cybersecurity incident disclosure trends. The report states that in 2021 there was a 44% increase in the number of breaches disclosed, from 131 in 2020 to 188 in 2021, the highest number of breaches disclosed in a single year since 2011. And since 2011, the number of cybersecurity incidents disclosed each year has increased by almost 600%. Interestingly, however, in 2021 only 43% of cybersecurity incidents were disclosed in SEC filings, according to the report.
As you probably know, the SEC does not currently impose prescriptive cybersecurity disclosure requirements on public companies. In 2018, the SEC issued interpretive guidance on cybersecurity disclosure that addresses disclosure obligations under existing laws and regulations, cybersecurity policies and procedures, disclosure controls and procedures, insider trading prohibitions, and Reg FD and selective disclosure prohibitions in the context of cybersecurity. That guidance built on Corp Fin’s 2011 guidance on the topic (see this Cooley News Brief), adding, in particular, new discussions of policies and of insider trading. (See this PubCo article.) While disclosure improved after the guidance was released, concerns remained that company responses to it were inconsistent, not comparable and not decision-useful, hence the new SEC proposal.
According to Audit Analytics, digital data is used everywhere, but that data is “vulnerable”: businesses must implement information security systems and monitor cybersecurity controls to protect their organizations from breaches and attacks, and the threats they face are increasingly sophisticated. For the report, Audit Analytics reviewed cybersecurity breaches publicly disclosed by SEC registrants during the period from 2011 to 2021. Sources included SEC filings, state filings and press articles.
Notably, in 2021, only 43% of cybersecurity incidents were disclosed in documents filed with the SEC, counting either the first disclosure of the incident or any further details the company subsequently provided. That means 57% were not disclosed in SEC filings at all. Where were the rest disclosed? According to the report, in media coverage and in breach notifications filed with state attorneys general.
Within SEC filings, disclosure most often appeared in the Risk Factors section of periodic reports (33% of breaches), while 18% were disclosed in Forms 8-K or 6-K, 12% in the footnotes to the financial statements, 11% in management’s discussion and analysis (MD&A) and 3% elsewhere.
Only 4% mentioned the cybersecurity breach in the context of the company’s controls. However, as Audit Analytics observes, cybersecurity incidents can implicate internal controls, pointing to a 2018 SEC investigative report that advised companies to consider the potential impact of cyber threats when implementing internal accounting controls. In addition, the report states that SOX 302 requires companies to disclose all changes that may materially affect internal control over financial reporting (ICFR), which could include “addressing deficiencies in ICFR related to cybersecurity and any changes made to improve [ICFR] following a breach.” If the controls were insufficient to prevent a cybersecurity attack, the material changes made to address the shortcoming would be required disclosure.
What did the disclosures cover? Most often, according to Audit Analytics, disclosures described the type of breach or attack, such as malware, ransomware, phishing, unauthorized access and misconfiguration (for example, exploitation of exposed backups and poorly configured web applications). In 2021, approximately 87% of disclosures specified the type of attack, compared to only 25% in 2011. Approximately 41% of the attacks disclosed in 2021 were classified as unauthorized access (78 breaches disclosed in 2021, compared to only 39 in 2020), with ransomware accounting for around 24% (46 breaches in 2021, versus 34 in 2020 and eight in 2019).
Disclosures also often described what information was compromised. In 2021, according to Audit Analytics, approximately 78% of disclosures specified the type of information compromised, about the same as the 2020 low point. Interestingly, in 2011, 2012, 2014 and 2016, all disclosures specified the type of information compromised, and the other years, with the exception of the two most recent, came close. In 2021, the most common type of information compromised was personal information, such as names and Social Security numbers (about 45%), followed by financial information (22%). The roughly 22% of disclosed breaches that did not reveal the type of information compromised may reflect the increase in 2021 in ransomware attacks, which do not necessarily result in information being compromised.
Only some of the disclosures provided information about when the breach happened and when it was discovered. In 2021, the date of discovery of the breach was disclosed by just over 56% of companies reporting incidents. The high point (62%) was reached in 2018; before that, the date of discovery was disclosed by fewer than 50% of companies, falling to a low of around 13% in 2012.
The time between occurrence and discovery is sometimes called the “discovery window”; long discovery windows may indicate control issues. In 2021, the discovery window was 42 days on average, with a median of 17 days, compared to an average in 2020 of 54 days with a median of around 15 days. In 2018 and 2019, the averages were significantly longer (122 days and 144 days, respectively), likely reflecting the impact of outliers with windows longer than four years in both years; a large gap between the average and the median is itself a sign that a few extreme incidents are skewing the figure. What about the “disclosure window,” the time between discovery and disclosure of the incident? In 2021, the disclosure window averaged 79 days with a median of 56 days, the longest average and median disclosure windows in the last five years, compared to an average of 61 days and a median of around 31 days in 2020. The longest disclosure window in 2021 was around eight months, Audit Analytics reported.
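As an added illustration (this is not code from the Cooley post or from Audit Analytics), the following Python computes discovery and disclosure windows over a small set of constructed incident records, rejects records whose dates are out of order, and shows how a single multi-year outlier drags the average far from the median, the same effect the 2018 and 2019 figures above reflect. The records, the BAD_RECORD row and the 365-day outlier threshold are assumptions made for the example.

```python
"""Discovery and disclosure windows for breach records (added example)."""
from datetime import date
from statistics import mean, median

# Constructed sample records, not data from the Audit Analytics report.
# Each record is (occurred, discovered, disclosed).
INCIDENTS = [
    (date(2021, 1, 4), date(2021, 1, 14), date(2021, 3, 5)),
    (date(2021, 2, 1), date(2021, 2, 18), date(2021, 4, 19)),
    (date(2021, 3, 10), date(2021, 5, 5), date(2021, 6, 4)),
    (date(2021, 6, 1), date(2021, 6, 3), date(2021, 6, 11)),
    # One multi-year outlier: an intrusion that went unnoticed for over four years.
    (date(2017, 5, 1), date(2021, 7, 20), date(2021, 12, 10)),
]

# A deliberately inconsistent constructed record (discovered before it
# occurred); such rows usually indicate a data-entry error in the dataset.
BAD_RECORD = (date(2021, 2, 1), date(2021, 1, 1), date(2021, 3, 1))


def is_consistent(incident):
    """True if occurred <= discovered <= disclosed."""
    occurred, discovered, disclosed = incident
    return occurred <= discovered <= disclosed


def discovery_window(incident):
    """Days between occurrence and discovery (dwell time)."""
    occurred, discovered, _ = incident
    return (discovered - occurred).days


def disclosure_window(incident):
    """Days between discovery and public disclosure."""
    _, discovered, disclosed = incident
    return (disclosed - discovered).days


def summarize(days):
    """Count, mean, median and maximum for a list of day counts."""
    return {
        "n": len(days),
        "mean": round(mean(days), 1),
        "median": float(median(days)),
        "max": max(days),
    }


def window_stats(incidents, max_discovery_days=None):
    """Summarize discovery and disclosure windows for a set of records.

    Records with out-of-order dates raise ValueError instead of silently
    producing negative windows. If max_discovery_days is given, records whose
    discovery window exceeds it are excluded from both summaries, so the
    effect of outliers on the averages can be compared side by side.
    """
    bad = [i for i in incidents if not is_consistent(i)]
    if bad:
        raise ValueError(f"{len(bad)} record(s) have out-of-order dates: {bad}")
    kept = [
        i for i in incidents
        if max_discovery_days is None or discovery_window(i) <= max_discovery_days
    ]
    return {
        "discovery": summarize([discovery_window(i) for i in kept]),
        "disclosure": summarize([disclosure_window(i) for i in kept]),
    }


if __name__ == "__main__":
    print("all records:     ", window_stats(INCIDENTS))
    print("outliers removed:", window_stats(INCIDENTS, max_discovery_days=365))
```

With the outlier included, the mean discovery window is 325 days while the median is 17; dropping records with a discovery window over a year brings the mean down to about 21 days. When reading reported dwell-time averages, ask for the median and the maximum as well.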
According to the report, few companies disclosed the costs associated with the incident, such as investigation and remediation costs, the cost of hiring cybersecurity experts and, potentially, litigation costs, as well as economic and reputational costs. In 2021, only 16 companies (about 8%) disclosed specific costs. The high point was reached in 2014, when 26% of companies disclosed their costs. This may be partly because “exact costs may not be readily available after a breach and subsequent filings may add more detail after a thorough assessment.” The downward trend in the percentage of breaches for which costs are disclosed may therefore be attributable in part to less complete information about the most recent incidents. Over the entire period, by far the highest disclosed costs were related to unauthorized access, totaling $7.4 billion since 2011. The report states that four of the ten costliest breaches since 2011 resulted from unauthorized access, two of which cost the company involved well over $1 billion each.