Only a small minority of S&P 500 companies have disclosed any cybersecurity incidents in their last three annual reports, according to recent data.
A report from Deloitte, compiled with assistance from the University of Southern California, analyzed the cybersecurity disclosures of S&P 500 companies that have filed three annual reports between Nov. 9, 2020 — when new SEC risk disclosure rules went into effect — and May 10, 2023. It noted that the data comes from before the SEC approved new disclosure rules that will require companies to report a material cybersecurity incident just four days after making the determination (
The report's data showed that, during this time period, 50% of these companies said absolutely nothing about any cybersecurity incidents. Meanwhile, 40% of these companies explicitly said that they had not experienced a material cybersecurity incident; of these companies, two disclosed they had not experienced one since the date of a previous material cybersecurity incident.
Only about 10% of companies — 47 of the 440 companies in the review — disclosed they experienced specific cybersecurity incidents, all identifying the date of either the incident, the discovery of the incident, or the announcement of the incident. Only four of these companies stated explicitly that the incident was "material," accounting for 0.9091% of the total sample. Four noted the incident was "significant." Thirteen companies stated the incident was not material, another noted the incident was not significant, and another called it "relatively modest." The rest of the companies — just over half — discussed neither the materiality nor significance of the incident.
This statistic might seem puzzling, considering the vast array of data indicating a growing amount of cyber risk. Global cybersecurity attacks have been estimated to have
This might, in turn, explain recent data from VPN provider
"Quarterly fluctuations in data breaches are the result of a complex interplay of various internal and external factors," said an emailed statement from the company. "Software vulnerabilities, regulatory changes, variations in incident reporting policies, changes in cybersecurity investments, and the influence of technological trends and economic conditions, all can contribute to these fluctuations in data breach statistics from one quarter to the next, so there is no straightforward answer as to why data breaches have decreased in the last three months. This dynamic landscape underscores the importance of organizations maintaining a vigilant and adaptive approach to cybersecurity to effectively manage the risks associated with data breaches."