With the U.S. Securities and Exchange Commission’s updated cybersecurity guidance hot off the press, let’s start the week by taking a look at public company cyberattack reporting statistics.
In 2017, there were 4,732 cyberattacks on American businesses, according to the Privacy Rights Clearinghouse. That figure includes private companies so it’s only a rough guidepost for the overall magnitude of last year’s breaches.
During the same time, only 24 public companies reported data breaches to the SEC, according to Audit Analytics, a research firm that tracks securities filings. Audit Analytics also found that 64 public companies suffered a data breach in 2017. That means only 37% of public companies experiencing a breach last year reported it to the SEC.
Over a longer time frame, the statistics are similar. Since 2011 – when the SEC issued its initial cybersecurity guidance for public companies – only 106 companies have reported data security incidents to the SEC. Over the same seven-year period, there were 342 hacks of public companies.
That translates into only 30 percent of public company data breaches being reported in SEC filings. This disparity might be due to numerous factors including whether the breach was deemed material by the company or a general reluctance to make such events public. More research is needed to get to a definitive answer.
And how do public companies disclose breaches? It varies.
In some cases, data breaches are disclosed in the risk factor section of a company’s annual Form 10K filing or annual report or in its discussion of internal controls. In other cases, breach disclosures are made in financial statement footnotes especially if the costs associated with the breach are expected to be material or if significant litigation or regulatory has been commenced. Breach disclosures are also made in quarterly filings or on a Form8K issued to disclose the breach.
For a more detailed explanation of the Commission’s updated cybersecurity guidance, click here to see our Client Alert. And for a more in-depth perspective on the dilemma public companies face in deciding if and when to report a cyberattack, click here to read my New York Times piece that discusses the “tension between the need for discreet cooperation with law enforcement and the obligation to information investors and the markets.”
We’ll continue to monitor this important area.