10% of S&P 500 companies disclosed cybersecurity incidents

Only a small minority of S&P 500 companies have disclosed any cybersecurity incidents in their last three annual reports, according to recent data.

A report from Deloitte, compiled with assistance from the University of Southern California, analyzed the cybersecurity disclosures of S&P 500 companies that have filed three annual reports between Nov. 9, 2020 — when new SEC risk disclosure rules went into effect — and May 10, 2023. It noted that the data comes from before the SEC approved new disclosure rules that will require companies to report a material cybersecurity incident just four days after making the determination (see previous story), implying that the next report might have notably different results.

The report's data showed that, during this time period, 50% of these companies said absolutely nothing about any cybersecurity incidents. Meanwhile, 40% of these companies explicitly said that they had not experienced a material cybersecurity incident; of these companies, two disclosed they had not experienced one since the date of a previous material cybersecurity incident.

Only about 10% of companies — 47 of the 440 companies in the review — disclosed they experienced specific cybersecurity incidents, all identifying the date of either the incident, the discovery of the incident, or the announcement of the incident. Only four of these companies stated explicitly that the incident was "material," accounting for 0.9091% of the total sample. Four noted the incident was "significant." Thirteen companies stated the incident was not material, another noted the incident was not significant, and another called it "relatively modest." The rest of the companies — just over half — discussed neither the materiality nor significance of the incident.

This statistic might seem puzzling, considering the vast array of data indicating a growing amount of cyber risk. Global cybersecurity attacks have been estimated to have increased 38% between 2021 and 2022, according to Check Point Research. Another survey by Deloitte found 34.5% of corporate accounting leaders have reported being targeted by cyber adversaries. However, for the S&P 500 specifically, cybersecurity risk management platform UpGuard said that over 75% of S&P 500 companies improved their overall security ratings in 2023.

This might, in turn, explain recent data from VPN provider SurfShark which found there have been 76% fewer data breaches in Q3 compared with Q2. For a sense of scale, the third quarter saw 240 accounts breached every minute versus 1,030 the previous quarter. When asked why data breaches fell so precipitously, SurfShark said it can be complicated.

"Quarterly fluctuations in data breaches are the result of a complex interplay of various internal and external factors," said an emailed statement from the company. "Software vulnerabilities, regulatory changes, variations in incident reporting policies, changes in cybersecurity investments, and the influence of technological trends and economic conditions, all can contribute to these fluctuations in data breach statistics from one quarter to the next, so there is no straightforward answer as to why data breaches have decreased in the last three months. This dynamic landscape underscores the importance of organizations maintaining a vigilant and adaptive approach to cybersecurity to effectively manage the risks associated with data breaches."
