2022 seems to be on target for the lowest year of reported breaches by large US corporations

‍The number of data breaches reported in the first 6 months of 2022 has put this year on track to be the lowest year of reports in the last 5 years for large [Revenue >2bn] US corporations. By looking at the rate at which data breach events have been reported so far this year, we predict that the number of events reported is expected to be

15-20% of the number of breaches reported in 2021

‍

Possible causes:

• Increased reporting delays: But the time to report has shown a decreasing trend over the last 4 years
• Genuine improvement in cyber defenses preventing data exfiltration 
• Reduction in reporting requirements, or public disclosure prevention

In this analysis we look at all the reported cyber events which involve data exfiltration (data breach), allocated to the year in which the event started. Comparing the number of events reported at each point during the year then gives us an indication for the rate which can be compared between years.

The data and population

• The data collected represents public reports of data breaches from US companies with an annual revenue above $2bn (Excluding public services).
• The data used includes breach events reported up to end of Q2 2022

It is this area where the cyber reporting requirements are highest, there is a high level of data available. It is important to note that this will not be all events which occur, only those disclosed, but by looking for changes in the behavior we can look at the potential causes.

Overall Breach Count

As of the end of Q2 2022, we have seen 18 breach reports of events occurring in 2022 compared to the 160 cyber events reported from 2021, and 292 from 2020. While we are only 50% through 2022, the number of events reported so far from the first half is 25% of the 2021 total reported at the same point through 2021. 

To fully compare 2022 against prior years we need to take into account a number of factors:

• Events not yet reported: some events have occurred but have not yet been reported either because they have not yet been discovered, or because the have been discovered but not publicly disclosed
• Events not yet occurred: events which have yet to occur, in the second half of 2022 (and have not yet been reported)

‍

‍

‍

How the year unfolds

To explore how 2022 is emerging, we can look at the rate at which events are being reported. That is to show not just the total report to date, but how the total number of events reported in a year has emerged from the start of the year. To do this we plot the cumulative number of events reported vs the number of days from the start of each incident year.

What we see is an indication of how many incidents have been reported from each year have been reported after the same number of days. A steep curve indicates a greater number of incidents reported per month.

** Note that the event counts are lower because we do not have exact disclosure dates for all events.

‍

‍

From the chart we can see that the number of reported cyber incidents after 6 months (180 days) of experience is low for 2022 compared with all other years since 2015. This leads us to believe that 2022 is on track to have a very low number of overall incidents reported.

There could be a few explanations for this

• Reporting Delay: The time taken to report incidents has increased in 2022, and there will be a correction in the later part of the year
• Cybersecurity Investment: The overall number of incidents reported will be lower due to improvements in security posture
• Regulatory Action: the overall number of incidents reported will be lower due to changes in how the events are reported (or required to be reported)

‍

Reporting Delay

To consider if the low reported number of events in 2022 is being driven by an increase in a delay between a cyber event starting and it being reported, we have looked at the trend over the last 10 years

The chart below shows the trend over the last 10 years.

‍

‍

‍

There has been a steady reduction in median reporting delay from 204 days in 2017 to 63 days in 2021. It is possible that events with long reporting delays have not yet been included in the 2021 year, so if we consider 2020, the median is 81 days which is still a significant overall decrease since 2017.

Overall, we see that the trend for reporting delays is that of shortening rather than lengthening. In the absence of a big disruptive event which impacts the time to detect/report a breach, the delay should be at least comparable to 2019-2021

‍

Cybersecurity Investment

According to PwC’s 2022 Global Digital Trust Insights Survey 69% of organizations predict a rise in cyber spending in 2022 compared to 55% last year. More than a quarter (26%) predict cyber spending increase of 10% or more; only 8% said that in 2021. Increased cyber spending can be a sign of better control implementation, therefore, decreasing the overall risk  of data breaches. Additionally, if we look at the segments of spend with the highest increased growth, they are segments particularly important for protecting against data breaches; including a 41% growth in cloud security, 17.5% in data security, and 15.6% in identity access management. 

‍

‍

‍

Regulatory Action - What to Expect in 2022

Another driver for the decreases in reporting of cyber breaches can be due to changes in regulation or enacted proposals.  

The latest changes in reporting requirements for data breaches in the US in 2021 and 2022 indicate a trend for increased reporting rather than a reduction: 

• Federal regulators such as the FTC, the US Department of Health and Human Services, the Securities and Exchange Commission, and a growing set of other agencies issued guidance on cybersecurity best practices and took actions against organizations not adhering to privacy and cybersecurity recommendations.
• The Department of Justice (DOJ) launched a Civil Cyber Fraud Initiative which enforced data privacy compliance. Additionally, for GDPR, CCPA there were various additional compliance dates under new or updated state laws and regulations that went into effect or will go into effect shortly. 
• There was also a new set of proposed regulations from The Securities and Exchange Commission to require publicly traded companies in the U.S. to analyze how cyber risk could affect financial statements.
• The Federal Trade Commission (FTC) also issued a proposal to require financial institutions to report security incidents to the Commission electronically through the FTC’s website. The proposal required financial institutions to notify the FTC of security events where misuse of customer information has occurred or is reasonably likely to occur and where at least 1,000 consumers have been or may reasonably be affected by the incident
• The Department of Homeland Security through the Transportation Security Authority (TSA) also announced two cybersecurity directives for critical pipeline owners and operators in the wake of the Colonial Pipeline cyber attack. 

‍

We currently live in a cyber risk landscape in which there is growth in awareness around cyber risk and risk management practices, yet we must still take into account that there is a trend of increasing sophistication of cyber attacks. 

‍

So far in 2022, we have observed much lower numbers of data breaches reported in large US corporations, which we feel is cause for optimism that maturing risk programmes are having a positive effect. 

As the year comes to a close, it will be interesting to see how the disclosure of breaches continues to evolve and if this trend continues.