On Gaps in Enterprise Cyber Attack Reporting.

EuroS&P Workshops (2023)

Abstract
It has long been lamented that firms underreport cyber attacks. In recent years, regulators have begun mandating that certain organizations must publicly report when incidents occur. Adherence to these requirements is an empirical question that has been largely unexamined to date. In this paper, we study regulatory filings by U.S. public companies to the Securities and Exchange Commission and to the Department of Health and Human Services that discuss cyber attacks. We also compare the findings against crowdsourced reports of cyber incidents appearing in media outlets. We find substantial gaps in coverage, both in terms of attacks that make the news but do not appear in regulatory filings and vice versa. We conclude by discussing the implications for the study of cyber attack and defense as well as for policymakers.
Keywords
cyber incidents, department health, enterprise cyberattack reporting, human services, media outlets, regulatory filings, Securities Exchange Commission, U.S. public companies