Decoding Data Breaches: The Truth Behind Reporting Patterns & Frequency

"A deep dive into U.S. data breach trends reveals lengthening reporting delays and a post-2020 surge in incidents, challenging cyber insurance strategies."


In today's digital age, data breaches have become a significant concern for businesses and individuals alike. Cyber insurance and effective risk management strategies rely heavily on understanding how these breaches emerge and evolve. While existing research has explored data breach frequency trends, the conclusions have often been contradictory. The primary reason behind those disagreements may lie in the inconsistent data collection standards and reporting patterns that vary across time and regions.

This article addresses those variations head-on, providing a comprehensive analysis of data breach publications from Attorneys General across eight U.S. states. By carefully controlling for data collection standards and reporting patterns, we aim to uncover complexities of reporting, accurately estimate Incurred But Not Reported (IBNR) data breaches, and assess historical frequency trends with greater reliability. We will also compare data breach frequency across these eight states to offer a more nuanced understanding of state-specific differences in cyber risk, which is a topic that has not been extensively discussed.

Additionally, our investigation will highlight novel features not previously covered in the literature, such as differences in cyber risk frequency trends between large and small data breaches. Overall, we find that reporting delays are lengthening, and that frequency is relatively stable before 2020 but increasing after 2020. These findings have implications for cyber insurance reserving, pricing, underwriting, and experience monitoring.

Behind the Numbers: How Data Collection Affects Breach Reports

Cybersecurity Ventures estimates that cybercrime will cost the world $8 trillion USD in 2023, and that number is expected to reach $10.5 trillion by 2025. Insurers operating across multiple states must account for jurisdictional differences and risk factors to price their products accurately. One crucial element of cyber risk is data breaches, defined as illegal and unauthorized access to personal information that compromises security, confidentiality, or integrity. With this in mind, one needs to grasp the statistical properties of cyber incidents as well as model their frequency and severity.

Unfortunately, current understanding is limited because existing studies disagree. Conclusions about cyber frequency trends are often based on three databases: the Data Breach Chronology provided by the Privacy Rights Clearinghouse, Cyber Loss Data by Advisen, and SAS OpRisk Global Data by SAS. Since their exact data collection standards are unknown, it is challenging to judge the reliability of any particular conclusion. Enhanced data collection capacities over time could cause increases in event counts even if the risks remain the same. Such factors include:

  • Introduction of various reporting mandates may lead to sudden increases in the number of events reported.
  • Increasing media attention in cybersecurity.
  • More data sources used by data maintainers.

To reliably assess frequency trends, one should analyze data that follow established and consistent data collection standards over time and space, which allows one to precisely delineate the scope of the conclusions and mitigate the influence of biases on event counts.

The Bigger Picture: How This Data Impacts Cyber Insurance

This article sheds new light on data breach frequency and reporting patterns by utilizing an underrecognized set of public data provided by U.S. state Attorneys General. First, the average reporting delay of data breaches has lengthened after 2017. In light of this finding, cyber insurers may expect a higher cost of data breaches, and should direct more effort towards forecasting the financial coverage of incurred but not reported (IBNR) data breach claims. The underwriting of policies on a discovery basis should incorporate a greater assessment of historical attack probability of the insured.
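
To make the IBNR point concrete, the following added example (not code from this article or from the underlying paper) applies the chain-ladder method, a standard actuarial reserving technique used here as an assumption rather than as the paper's own model, to a constructed table of breach notifications. It shows why the most recent occurrence year looks artificially low and how a lengthening delay pattern raises the IBNR estimate.

```python
# Constructed sample data: cumulative breach notifications received, indexed by
# the year the breach occurred and the reporting delay in years (0, 1, 2, 3).
TRIANGLE = {
    2019: [100, 140, 154, 160],
    2020: [110, 160, 180],
    2021: [120, 186],
    2022: [130],
}

def development_factors(triangle, recent=None):
    """Chain-ladder factor for each delay step j -> j+1.

    recent=None pools every occurrence year; recent=k uses only the k latest
    years that have both columns, which tracks a lengthening delay pattern.
    """
    rows = [triangle[y] for y in sorted(triangle)]
    factors = []
    for j in range(max(len(r) for r in rows) - 1):
        usable = [r for r in rows if len(r) > j + 1]
        if recent is not None:
            usable = usable[-recent:]
        factors.append(sum(r[j + 1] for r in usable) / sum(r[j] for r in usable))
    return factors

def estimate_ibnr(triangle, recent=None):
    """Return {year: {"reported", "ultimate", "ibnr"}} for each occurrence year."""
    factors = development_factors(triangle, recent)
    out = {}
    for year, row in sorted(triangle.items()):
        ultimate = float(row[-1])
        for f in factors[len(row) - 1:]:   # apply the steps not yet observed
            ultimate *= f
        out[year] = {"reported": row[-1], "ultimate": ultimate,
                     "ibnr": ultimate - row[-1]}
    return out

if __name__ == "__main__":
    for label, k in (("all years", None), ("latest year only", 1)):
        print(label)
        for year, r in estimate_ibnr(TRIANGLE, k).items():
            print(f"  {year}: reported={r['reported']:>3} "
                  f"ultimate={r['ultimate']:6.1f} ibnr={r['ibnr']:5.1f}")
```

In the constructed data the reported count falls from 2021 to 2022 while the estimated ultimate count rises, and factors taken from the latest year alone give a larger IBNR than factors pooled over all years.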

About this Article

This article was crafted using a human-AI hybrid and collaborative approach. AI assisted our team with initial drafting, research insights, identifying key questions, and image generation. Our human editors guided topic selection, defined the angle, structured the content, ensured factual accuracy and relevance, refined the tone, and conducted thorough editing to deliver helpful, high-quality information. See our About page for more information.

This article is based on research published under:

DOI-LINK: https://doi.org/10.48550/arXiv.2310.04786

Title: On The Evolution Of Data Breach Reporting Patterns And Frequency In The United States: A Cross-State Analysis

Subject: q-fin.rm cs.cr

Authors: Benjamin Avanzi, Xingyun Tan, Greg Taylor, Bernard Wong

Published: 07-10-2023

Everything You Need To Know

1. What are the primary factors that contribute to the varying conclusions regarding data breach frequency trends?

Disagreements in conclusions about data breach frequency stem from inconsistent data collection standards and reporting patterns. Variations exist across time and regions. These inconsistencies are often rooted in data collection standards, the introduction of reporting mandates, increased media attention on cybersecurity, and the use of diverse data sources by data maintainers. Addressing these variations is crucial for accurate assessments. The article analyzes data breach publications from Attorneys General across eight U.S. states, controlling for these factors to uncover reporting complexities and assess historical frequency trends with greater reliability.

2. How does the lengthening of reporting delays impact cyber insurance and what does this mean for Incurred But Not Reported (IBNR) data breaches?

The lengthening of reporting delays after 2017 has significant implications for cyber insurance. Insurers may anticipate higher costs related to data breaches. This necessitates greater effort in forecasting the financial coverage of Incurred But Not Reported (IBNR) data breach claims. IBNR refers to data breaches that have occurred but haven't yet been reported. The lengthening delays imply that more incidents will remain unreported for longer, increasing uncertainty and the potential financial burden on insurers.

3. In the context of data breaches, what are the key considerations for cyber insurers when operating across multiple states?

Cyber insurers must consider jurisdictional differences and risk factors to price their products accurately. Data breaches, which are at the core of cyber risk, involve illegal and unauthorized access to personal information that compromises security, confidentiality, or integrity, so insurers need to understand the statistical properties of such incidents. Insurers need to model the frequency and severity of cyber incidents and account for variations in state-specific cyber risk. This involves assessing differences in reporting patterns and understanding the impact of state-specific regulations and risk profiles.

4. What is the significance of analyzing data from U.S. state Attorneys General in understanding data breach trends, and how does this approach improve upon existing research?

The article utilizes public data provided by U.S. state Attorneys General to shed light on data breach frequency and reporting patterns. Existing research often relies on databases with unknown data collection standards, making conclusions unreliable. By carefully controlling for data collection standards and reporting patterns, this approach offers enhanced reliability. It also allows for a more nuanced understanding of state-specific differences in cyber risk, something not extensively discussed before. The analysis also highlights novel features, such as differences in cyber risk frequency trends between large and small data breaches.

5. What are the implications of the study's findings on data breach frequency, especially the increase observed after 2020, for cyber insurance practices like underwriting and experience monitoring?

The findings, including lengthening reporting delays and increased frequency after 2020, have several implications for cyber insurance. Insurers should reassess their reserving, pricing, and underwriting strategies. The underwriting of policies on a discovery basis should incorporate a greater assessment of historical attack probability of the insured. Experience monitoring, which involves tracking the performance of insurance policies, will need to adapt to account for the changing frequency trends. These adjustments are crucial for maintaining financial stability and accurately assessing the risk associated with cyber insurance policies.
