Todd Hicks, CEO of Intelligize. Courtesy of Intelligize.

In recent years, the number of companies identifying cybersecurity as a risk factor in U.S. Securities and Exchange Commission filings has grown tremendously. But there appears to have been a leveling off in 2017, which may indicate that companies “have blinders on” when it comes to disclosing cybersecurity risks, according to a new report.

From 2012 to 2016, the number of companies reporting cybersecurity as a risk factor in SEC filings has grown 277 percent, the report from Intelligize Inc. shows. Despite that increase though, the report, which is based on all public company SEC filings from 2012 to this year, indicates that there's still only a relatively small proportion of all public companies—38 percent—citing cybersecurity as a risk factor in quarterly and annual filings.

What's more, the report said, while by 2016, 1,662 public companies reported cybersecurity was a risk factor, as of Oct. 31 of this year, that number had only seen a slight bump to 1,680 companies

The slowdown in disclosing cyber as a risk may indicate one of two things, Todd Hicks, CEO of Intelligize, said in an email. It means companies “either they have blinders on—or they are deliberately not acknowledging the risks because they don't want to tip off potential hackers,” he said.

But Hicks added that he expects to see more reporting from companies in the coming years. “For the 62 percent of public companies not disclosing, I would expect that number to get smaller over the next few years, especially as the SEC gets stricter on rules around specific risk factor disclosure,” Hicks said.

And this is particularly true if clarity is provided to companies on disclosure, Hicks said. In 2011, the SEC issued disclosure guidance around cybersecurity risks, advising that companies “should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.” The SEC has since formed a cyber unit intended to combat cyber-based threats, but the guidance on disclosure has not been updated in over six years, Hicks said.

“Many issuers struggle with both the timing of disclosure around a material breach as well as determining exactly how much to disclose, especially if there is an ongoing investigation related to the breach,” he explained. “Greater clarity and guidance from the SEC will certainly trigger broader reporting around this topic.”

As is pointed out in the report, cybersecurity issues not only present a risk to a company's reputation, but can also mean backlash for company execs. Sony Pictures Entertainment Inc. CEO Amy Pascal was fired after the 2014 hack of that company, for instance, and Equifax Inc. CEO Richard Smith retired in the wake of his company's massive breach announced in September. But with the sudden departure earlier this year of former Yahoo Inc. general counsel Ron Bell behind the tech giant's two massive breaches, this risk has reached the legal department as well.

“Cybersecurity is a mainstream board-level issue—senior-level executives and the GC of organizations must protect the assets of the business,” Hicks said. “The GC needs to work closely with the board to ensure a proper cybersecurity plan is in place. In addition to the CEO, the GC has been the fall guy after some major cyber events, including the recent Yahoo and Equifax breaches.”

Todd Hicks, CEO of Intelligize. Courtesy of Intelligize.

In recent years, the number of companies identifying cybersecurity as a risk factor in U.S. Securities and Exchange Commission filings has grown tremendously. But there appears to have been a leveling off in 2017, which may indicate that companies “have blinders on” when it comes to disclosing cybersecurity risks, according to a new report.

From 2012 to 2016, the number of companies reporting cybersecurity as a risk factor in SEC filings has grown 277 percent, the report from Intelligize Inc. shows. Despite that increase though, the report, which is based on all public company SEC filings from 2012 to this year, indicates that there's still only a relatively small proportion of all public companies—38 percent—citing cybersecurity as a risk factor in quarterly and annual filings.

What's more, the report said, while by 2016, 1,662 public companies reported cybersecurity was a risk factor, as of Oct. 31 of this year, that number had only seen a slight bump to 1,680 companies

The slowdown in disclosing cyber as a risk may indicate one of two things, Todd Hicks, CEO of Intelligize, said in an email. It means companies “either they have blinders on—or they are deliberately not acknowledging the risks because they don't want to tip off potential hackers,” he said.

But Hicks added that he expects to see more reporting from companies in the coming years. “For the 62 percent of public companies not disclosing, I would expect that number to get smaller over the next few years, especially as the SEC gets stricter on rules around specific risk factor disclosure,” Hicks said.

And this is particularly true if clarity is provided to companies on disclosure, Hicks said. In 2011, the SEC issued disclosure guidance around cybersecurity risks, advising that companies “should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.” The SEC has since formed a cyber unit intended to combat cyber-based threats, but the guidance on disclosure has not been updated in over six years, Hicks said.

“Many issuers struggle with both the timing of disclosure around a material breach as well as determining exactly how much to disclose, especially if there is an ongoing investigation related to the breach,” he explained. “Greater clarity and guidance from the SEC will certainly trigger broader reporting around this topic.”

As is pointed out in the report, cybersecurity issues not only present a risk to a company's reputation, but can also mean backlash for company execs. Sony Pictures Entertainment Inc. CEO Amy Pascal was fired after the 2014 hack of that company, for instance, and Equifax Inc. CEO Richard Smith retired in the wake of his company's massive breach announced in September. But with the sudden departure earlier this year of former Yahoo Inc. general counsel Ron Bell behind the tech giant's two massive breaches, this risk has reached the legal department as well.

“Cybersecurity is a mainstream board-level issue—senior-level executives and the GC of organizations must protect the assets of the business,” Hicks said. “The GC needs to work closely with the board to ensure a proper cybersecurity plan is in place. In addition to the CEO, the GC has been the fall guy after some major cyber events, including the recent Yahoo and Equifax breaches.”