Of the 42 public companies that experienced a known cybersecurity incident in 2018, four disclosed the event to the Securities and Exchange Commission in regulatory filings, according to an analysis by SEC Commissioner Robert J. Jackson Jr.'s office.
That 9.5% disclosure rate is up from 2017, when there were 82 cybersecurity incidents at public companies and just four, or 4.9%, filed an 8-K disclosing the breach, Mr. Jackson's office said. The analysis is based on data compiled by the non-profit Identity Theft Resource Center.
In February 2018, the SEC updated its 2011 guidance telling public companies how to disclose cybersecurity risks and procedures. The update added two topics: the importance of having cybersecurity policies and procedures in place, and bans on stock trading by board members and executives after a cybersecurity incident. However, the commission's two Democrats at the time, Kara M. Stein, whose term has since expired, and Mr. Jackson, said the update didn't go far enough.
The guidance does not require companies to disclose cybersecurity incidents in their filings, and in a speech last March on this topic, Mr. Jackson noted that not every incident tabulated in his analysis was "material."