Throughout the United States, cyber security has been on the rise - which in turn has emphasized the importance of a robust cybersecurity framework throughout organizations.


Audit Analytics’ “Trends in Cyber Security Breach Disclosures” has released a report providing information on data breaches throughout 2021 and showed that there were 188 disclosed breaches spanning 169 companies, which has now set the record for the most data breaches in any given year since record-keeping began in 2011.

While this number may appear to be low, the number of breaches has only been trending upward as cybersecurity breaches have increased by 118% with ransomware attacks increasing by 44% between 2020 and 2021. In addition, since 2011 the total number of disclosed incidents has increased by nearly 600%.

Reported Data

The most common types of attacks included unauthorized access being part of 41% of total attacks, with ransomware being part of 24%, misconfiguration at 9%, and malware and phishing both being 6%.

Various forms of information have been stolen throughout these numerous cyberattacks with personal information being stolen 45% of the time, financial information 22% of the time, and with intellectual property being stolen 11% of the time. Of the personal information being stolen 52% were names and 34% were Social Security numbers.

With the number of data breaches on the rise, fortunately, the discovery period reduced significantly with companies taking an average of 42 days to discover a breach which is a decrease of over 22% from 2020 in which on average it took organizations 54 days to discover a breach.

On the other hand, in 2021 it took organizations an average of 80 days to disclose the breach which is significantly higher than the average of 61 days in 2020.

SEC Reporting

Much of this data has been compiled through filings with the Securities and Exchange Commission, which currently does not require organizations to disclose events of cybersecurity breaches, however, does require that organizations do file disclosure of risks that could potentially impact the company’s financial statements.

In March the SEC proposed amendments that would require all public companies to begin reporting cybersecurity incidents no later than four days after the event occurred.  

Many of the reports that were analyzed also had some disparities within them. 87% of the attacks included information pertaining to the type of attack, however, only 78% discussed the type of information that was compromised.

It is inconsistencies like these that have called for reform throughout the cybersecurity disclosure process and will ultimately result in greater regulation and compliance standards for organizations.

Organizations must be prepared to develop a robust and efficient cybersecurity process in order to best combat the growing threat in the upcoming years.