Data breach reporting crisis: How delays impact cyber insurance risks
Research examines how the growing delay between cyber breach occurrence and disclosure is reshaping corporate cyber risk management and insurance models
When hackers infiltrated IT infrastructure firm SolarWinds’ software supply chain in 2020, injecting malicious code into updates distributed to thousands of customers, including government agencies and private companies, the incident exposed a chilling business reality: modern cyberattacks create cascading effects that can remain hidden for months.
The SolarWinds breach exemplified what new research identifies as a growing crisis in cybersecurity – data breaches are taking progressively longer to surface, creating dangerous blind spots that cost organisations US$4.44 million per data breach on average globally. This pattern extends far beyond headline-grabbing incidents like SolarWinds, according to the research into data breach reporting in the US. It revealed that the time between when attacks occur and when businesses report them lengthened significantly after 2017, fundamentally reshaping how companies must approach cyber risk management.
The research, which was conducted by Professor Bernard Wong and Adjunct Professor Greg Taylor from the School of Risk and Actuarial Studies at UNSW Business School, together with Professor Benjamin Avanzi and Dr Xingyun Tan from the Centre for Actuarial Studies at the University of Melbourne, analysed state attorneys general's data covering thousands of breach notifications. Unlike previous studies that relied on media reports or commercial databases with inconsistent collection standards, this analysis used government-mandated reporting data to provide the most reliable picture yet of America’s cyber breach landscape.

The growing reporting gap creates business blind spots
Published in the North American Actuarial Journal, the study revealed a concerning trend: organisations took progressively longer to report breaches to regulators after 2017. In California, breaches affecting more than 500 residents took two quarters to reach a 65% reporting rate for incidents occurring in early 2012, but required three full quarters for breaches occurring in late 2021.
This lengthening delay signals more than administrative inefficiency. “Longer intruder dwell times continue to be associated with greater potential impact of a data breach,” the researchers noted, referencing industry findings that show attack costs escalating dramatically when criminals remain undetected for extended periods.
The business implications are substantial, according to industry research from IBM. It found that data breaches with a lifecycle under 200 days cost an average of US$3.87 million, while data breaches with a lifecycle exceeding 200 days had the highest average cost of US$5.01 million – a difference of US$1.14 million or 29.5%.
“While examining the Privacy Rights Clearinghouse database – widely used in cyber research – I noticed they sourced data from state attorneys general,” said Prof. Wong. “These government datasets were publicly accessible but surprisingly untapped by researchers. What started as curiosity about an overlooked resource led me to dive into state data breach notification laws and individual breach notice letters.”
Prof. Wong explained that his surprise was twofold. First, these state-level datasets provided dates of occurrence and consistent reporting standards that could resolve the contradictory frequency trends plaguing the literature. Second, by examining the actual breach notices, he discovered many breaches shared the same root cause – third-party incidents affecting multiple organisations – which appeared as single events in the Privacy Rights Clearinghouse dataset but multiple correlated events in state data.
“This revealed that the true impact and interdependencies of cyber breaches were being systematically underestimated,” Prof. Wong stated.
COVID-19 marked a turning point in cyber risk
The research identified 2020 as a watershed moment for cybersecurity. Data breach frequency remained relatively stable across all analysed states before 2020, but showed marked increases afterwards. This pattern held consistently across different breach sizes and geographic regions, supporting the hypothesis that pandemic-driven digital transformation created new vulnerabilities.
“The frequency of data breaches remained relatively stable prior to 2020 but showed an upward trend post-2020 across severity levels and states,” the researchers found. This shift coincided with widespread remote work adoption and accelerated digitalisation, creating attack surfaces that cybercriminals exploited.

The timing suggests that organisations rushing to enable remote work may have inadvertently opened cybersecurity gaps that persist today. Accordingly, the research suggests business leaders must recognise that pandemic-era digital changes created lasting cyber risk elevations requiring ongoing attention and investment. “Our research reveals that data breach frequency remained relatively stable before 2020 but showed a significant upward trend afterwards, coinciding with the widespread shift to remote work during the COVID-19 pandemic,” said Prof. Wong.
“With remote and hybrid work now permanent fixtures in many organisations – and studies showing remote workers face 2-3 times higher cyberattack rates than office-based employees – businesses must adapt their security strategies beyond traditional perimeter defences to address the expanded attack surface of distributed workforces, including unsecured home networks, personal devices, and cloud-based collaboration tools.”
Large breaches hide longer than small ones
The researchers analysed state Attorneys-General databases across California, Delaware, Indiana, Maine, Montana, North Dakota, Oregon, and Washington. This approach allowed them to separate actual frequency trends from reporting delays and changing disclosure requirements, providing more accurate risk assessments than previous studies based on partially media-derived data.
This analysis revealed that breach size directly correlates with reporting delays. Larger incidents affecting hundreds or thousands of individuals took longer to surface than smaller breaches, creating particular risks for organisations handling substantial customer databases.
While 90% of smaller breaches (affecting fewer than 250 people) were disclosed within one year of occurrence, larger breaches required up to 18 months to reach similar reporting levels. This pattern suggests that attackers targeting major datasets may employ more sophisticated concealment techniques, or that organisations face greater complexity in detecting and investigating large-scale intrusions.
“Our research reveals that cyberattackers are increasingly sophisticated when targeting high-value organisations, as evidenced by incidents like the SolarWinds breach where malicious code injected into a single software update compromised thousands of government agencies and private companies, and the 2024 Salt Typhoon campaign where Chinese state actors penetrated nine major US telecommunications firms using advanced persistent threats and ‘living off the land’ techniques,” said Prof. Wong.
“These third-party breaches create significant knock-on risks, as a single compromise at a service provider can cascade across all connected organisations – turning what appears to be an isolated incident into a systemic threat affecting entire supply chains, with recent statistics showing an 81% year-over-year increase in ransomware attacks and supply chain vulnerabilities now being actively exploited as weak links.”
States show troubling similarities in breach patterns
Perhaps most concerning for business continuity planners, the research found that different states experienced remarkably similar breach reporting patterns and timing. This synchronisation suggests systemic vulnerabilities rather than isolated incidents.

The researchers identified three potential explanations for this pattern – none of which are encouraging for risk managers. First, many breaches affect residents across multiple states, requiring organisations to navigate complex multi-jurisdictional reporting requirements. Second, third-party service provider breaches create cascading effects across client organisations nationwide. Third, attackers may be launching coordinated campaigns or exploiting common vulnerabilities simultaneously across geographic boundaries.
“Positive dependencies across organisations reduce diversification benefits over insureds from the portfolio perspective, compared to more independent policies,” warned the study, which said this interconnectedness means that cyber insurance portfolios face concentrated risks that traditional risk models may underestimate.
The insurance industry faces a fundamental reassessment
The research findings strike at the heart of cyber insurance risk modelling, revealing that traditional actuarial methods may systematically underestimate liabilities. The study found that cyber insurance operates as a “short-tailed business” with at least 80% of breaches reported within a year of occurrence, but lengthening reporting delays are stretching this timeline and creating new uncertainties.
Most critically, the basic chain-ladder method widely used for insurance reserving may significantly underestimate ‘Incurred But Not Reported’ (IBNR) claims. “The basic chain-ladder method of reserving should not be used to predict IBNR breaches, because it may lead to underestimation,” the researchers warned. The shifting reporting patterns across all investigated states and breach severities contradict the method’s core assumption of consistent development patterns.
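The following added example (not code or data from the study or this article) shows why a lengthening reporting delay makes the basic chain-ladder method underestimate IBNR breaches. The two reporting patterns, the 200 breaches per occurrence quarter and all function names are constructed assumptions.

```python
# Constructed data: cumulative % of a quarter's breaches reported by each
# development quarter. Illustrative only, not figures from the study.
FAST = [40, 65, 85, 95, 100, 100]   # older occurrence quarters
SLOW = [25, 45, 65, 80, 92, 100]    # recent quarters, longer reporting delay
TRUE_ULTIMATE = 200                 # assumed breaches per occurrence quarter


def build_triangle(patterns):
    """Cumulative reported counts; row i has been observed for n - i quarters."""
    n = len(patterns)
    return [[TRUE_ULTIMATE * pct // 100 for pct in pattern[: n - i]]
            for i, pattern in enumerate(patterns)]


def development_factors(triangle):
    """Volume-weighted age-to-age factors used by the basic chain-ladder."""
    factors = []
    for j in range(len(triangle) - 1):
        rows = [r for r in triangle if len(r) > j + 1]
        factors.append(sum(r[j + 1] for r in rows) / sum(r[j] for r in rows))
    return factors


def chain_ladder_ibnr(triangle):
    """Projected ultimate minus reported-to-date, summed over all rows."""
    factors = development_factors(triangle)
    ibnr = 0.0
    for row in triangle:
        ultimate = row[-1]
        for f in factors[len(row) - 1:]:   # factors for unobserved quarters
            ultimate *= f
        ibnr += ultimate - row[-1]
    return ibnr


def true_ibnr(triangle):
    """Breaches that have occurred but are not yet in the triangle."""
    return sum(TRUE_ULTIMATE - row[-1] for row in triangle)


# Same pattern in every quarter vs. a shift to slower reporting halfway through.
stable = build_triangle([FAST] * 6)
shifting = build_triangle([FAST] * 3 + [SLOW] * 3)

if __name__ == "__main__":
    for name, tri in (("stable", stable), ("shifting", shifting)):
        print(f"{name}: chain-ladder IBNR {chain_ladder_ibnr(tri):.1f}, "
              f"true IBNR {true_ibnr(tri)}")
```

With a stable pattern the method recovers the true figure; once recent quarters report more slowly, factors learned from older quarters project roughly half of the breaches still outstanding.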
For insurers writing policies on a discovery basis (where coverage applies to incidents discovered during the policy period rather than when they occurred), the implications are significant. Extended dwell times mean insurers face greater uncertainty about whether potential policyholders have already been compromised at underwriting. The research recommends that insurers “more thoroughly assess the historical attack probability of the insured” and “direct more efforts toward forecasting the financial coverage of IBNR data breach claims”.
Strategic implications for business and insurance leaders
The research suggests that traditional assumptions about breach detection and reporting timelines require updating, particularly for organisations operating across multiple jurisdictions or relying heavily on third-party service providers.
Organisations must also invest more heavily in breach detection capabilities and assume that sophisticated attackers may already be present in their networks when purchasing cyber insurance coverage. The days of assuming cyber incidents would surface quickly have passed, replaced by a landscape where patient, persistent threats can hide for quarters before detection.

Similarly, insurance companies should abandon outdated assumptions about cyber risk development patterns and implement more sophisticated reserving methods that account for evolving reporting delays. The research recommends quarterly monitoring of IBNR estimates rather than annual assessments, recognising that cyber risks develop differently from traditional insurance lines.
Underwriters should also incorporate extended historical vulnerability assessments, particularly for discovery-basis policies where organisations with strong security postures implemented only recently face elevated risks from pre-existing but undetected intrusions. Insurers should avoid assuming favourable positions when early development quarters show lower-than-expected claims, as significant reporting spikes can occur in later quarters.
Pricing models may also require adjustment to reflect the interconnected nature of modern cyber risks, with premium calculations incorporating the reduced diversification benefits evident in the cross-state pattern similarities. The stable pre-2020 environment that informed many current models has given way to elevated post-pandemic risk levels requiring fundamental recalibration.
“Our findings show cyberbreach reporting delays are lengthening and frequencies have increased post-2020, with strong correlations across states suggesting interconnected risks,” said Prof. Wong. “For insurers and businesses, this means traditional risk models are likely underestimating cyber-exposures – organisations must adopt more sophisticated approaches that account for evolving reporting patterns and recognise that in today’s interconnected digital landscape, cyber risk is not just growing but becoming more volatile and interdependent across organisations.”
Cyber breach insurance FAQ
Q: What is dwell time in a cyber breach?
A: Dwell time is the period from when a malicious intrusion occurs until it is detected or disclosed.
Q: Why are breach reporting delays increasing after 2017?
A: The research shows that mandatory notification rules, investigative complexity, and detection challenges have contributed to lengthening delays.
Q: How do longer reporting lags affect cyber insurance models?
A: Extended delays increase uncertainty, making IBNR (incurred but not reported) liabilities harder to reserve and risk models more volatile.
Q: What role do third-party service providers play in reporting delays?
A: Breaches originating in third-party systems often cascade across clients and complicate timely detection and disclosure across jurisdictions.
Q: How should organisations respond given the rising reporting gaps?
A: They should invest in faster detection, cross-state monitoring, assume longer dwell times, and test insurance coverage under discovery-basis models.
Q: Does breach frequency really increase after 2020?
A: Yes – after adjusting for reporting delays, the study finds frequencies stable before 2020 and increasing post-2020 across states.