Report
July 28, 2022
The number of data breaches reported in the first 6 months of 2022 has put this year on track to be the lowest year of reports in the last 5 years for large [Revenue >2bn] US corporations. By looking at the rate at which data breach events have been reported so far this year, we predict that the number of events reported is expected to be
15-20% of the number of breaches reported in 2021
Possible causes:
In this analysis we look at all the reported cyber events which involve data exfiltration (data breach), allocated to the year in which the event started. Comparing the number of events reported at each point during the year then gives us an indication for the rate which can be compared between years.
It is this area where the cyber reporting requirements are highest, there is a high level of data available. It is important to note that this will not be all events which occur, only those disclosed, but by looking for changes in the behavior we can look at the potential causes.
As of the end of Q2 2022, we have seen 18 breach reports of events occurring in 2022 compared to the 160 cyber events reported from 2021, and 292 from 2020. While we are only 50% through 2022, the number of events reported so far from the first half is 25% of the 2021 total reported at the same point through 2021.
To fully compare 2022 against prior years we need to take into account a number of factors:
To explore how 2022 is emerging, we can look at the rate at which events are being reported. That is to show not just the total report to date, but how the total number of events reported in a year has emerged from the start of the year. To do this we plot the cumulative number of events reported vs the number of days from the start of each incident year.
What we see is an indication of how many incidents have been reported from each year have been reported after the same number of days. A steep curve indicates a greater number of incidents reported per month.
** Note that the event counts are lower because we do not have exact disclosure dates for all events.
From the chart we can see that the number of reported cyber incidents after 6 months (180 days) of experience is low for 2022 compared with all other years since 2015. This leads us to believe that 2022 is on track to have a very low number of overall incidents reported.
There could be a few explanations for this
To consider if the low reported number of events in 2022 is being driven by an increase in a delay between a cyber event starting and it being reported, we have looked at the trend over the last 10 years
The chart below shows the trend over the last 10 years.
There has been a steady reduction in median reporting delay from 204 days in 2017 to 63 days in 2021. It is possible that events with long reporting delays have not yet been included in the 2021 year, so if we consider 2020, the median is 81 days which is still a significant overall decrease since 2017.
Overall, we see that the trend for reporting delays is that of shortening rather than lengthening. In the absence of a big disruptive event which impacts the time to detect/report a breach, the delay should be at least comparable to 2019-2021
According to PwC’s 2022 Global Digital Trust Insights Survey 69% of organizations predict a rise in cyber spending in 2022 compared to 55% last year. More than a quarter (26%) predict cyber spending increase of 10% or more; only 8% said that in 2021. Increased cyber spending can be a sign of better control implementation, therefore, decreasing the overall risk of data breaches. Additionally, if we look at the segments of spend with the highest increased growth, they are segments particularly important for protecting against data breaches; including a 41% growth in cloud security, 17.5% in data security, and 15.6% in identity access management.
Another driver for the decreases in reporting of cyber breaches can be due to changes in regulation or enacted proposals.
The latest changes in reporting requirements for data breaches in the US in 2021 and 2022 indicate a trend for increased reporting rather than a reduction:
We currently live in a cyber risk landscape in which there is growth in awareness around cyber risk and risk management practices, yet we must still take into account that there is a trend of increasing sophistication of cyber attacks.
So far in 2022, we have observed much lower numbers of data breaches reported in large US corporations, which we feel is cause for optimism that maturing risk programmes are having a positive effect.
As the year comes to a close, it will be interesting to see how the disclosure of breaches continues to evolve and if this trend continues.