Last year, Liz wrote about how disclosure related to a cyber breach presents a tricky issue because disclosure requirements vary quite a bit for companies based on state-specific laws, industry rules, varying international laws and then, of course, SEC requirements. Audit Analytics recently issued a report analyzing cyber breach disclosure trends from 2011-2019. A chart on the first page of the report shows a dramatic increase in the number of breaches since 2011, with an increase of 54% in the last two years. In terms of disclosure detail, here’s some of what the report found:
– 43% of firms that reported a cyber breach since 2011 didn’t disclose the type of attack – meaning whether it resulted from malware, phishing, unauthorized access, etc.
– For companies disclosing a data breach since 2011, Audit Analytics found that it took an average of 108 days before companies discovered the breach – with a maximum of 1,625 days and a median of 30 days
– But it took companies on average another 49 days before disclosing the breach – with a maximum of 456 days and a median of 30 days
– The report mentions, as most already know, that delays in discovering data breaches may raise red flags about internal controls, and that disclosure delays could lead to SEC action, as was the case involving Yahoo! several years ago
– Shedding light on factors that may lead to delays in discovering data breaches and longer disclosure times, the report found that a company's industry, the type of attack and the type of information all impact the time to discover a breach and delays in disclosure – the blog provides specifics on these findings
- Lynn Jokela, TheCorporateCounsel.net, June 11, 2020