Wong Edan's
Cover
Cybersecurity

The 2022 Cyber Audit: Ransomware, Secrets, and Digital Chaos

March 02, 2026 • By Azzar Budiyanto

Welcome back, you beautiful, data-obsessed caffeine addicts! It is your favorite Wong Edan here, currently vibrating at a frequency high enough to intercept Wi-Fi signals because I just finished reading the Audit Analytics 2022 Cybersecurity Report. Grab your tinfoil hats and a very stiff drink, because if you thought 2022 was just about the world trying to remember how to wear pants after the pandemic, you are sorely mistaken. In the digital underworld, it was the Wild West, but with better encryption and way more ransomware.

Today, we are diving deep—and I mean “Marianas Trench” deep—into the metrics that defined the cybersecurity landscape of 2022. We are talking about the Audit Analytics data that reveals a terrifying truth: the gap between what is happening in the server rooms and what is being told to the SEC is wider than the ego of a Silicon Valley “visionary.” We have got ransomware spikes, disclosure dodges, and internal control failures that would make a SOX auditor weep openly in a cubicle. Let’s get into the madness.

The 44 Percent Headache: Ransomware’s Renaissance

Let’s start with the headline that should have been screaming from every monitor: Ransomware attacks increased by 44% in 2022. Think about that for a second. While most of us were arguing about the price of gas, cybercriminals were busy scaling their operations like they were aiming for a Series C round of funding. But they weren’t building apps; they were building digital gallows.

According to the Audit Analytics findings, this 44% jump wasn’t just a fluke. It represents a shift in strategy. We moved from the “spray and pray” method of the early 2010s to “surgical strikes.” In 2022, the bad actors became more professional. We saw the rise of Ransomware-as-a-Service (RaaS), where high-level developers rent out their malware to “affiliates” for a cut of the profit. It’s basically the McDonald’s franchise model, but instead of Big Macs, they serve up encrypted hard drives and existential dread.

Why does this matter for auditors? Because ransomware isn’t just an IT problem anymore; it is a going concern problem. When a company’s entire database is locked behind a 256-bit wall, they aren’t just losing data; they are losing the ability to function. The Audit Analytics report highlights that these attacks are increasingly targeting the supply chain, meaning one breach can cascade through dozens of companies like a line of digital dominoes.

The Great SEC Disappearing Act: The 43 Percent Mystery

Now, this is where things get truly “Wong Edan” crazy. Audit Analytics pointed out a statistic that should make every investor’s skin crawl: less than half—specifically about 43%—of cybersecurity breaches were disclosed in an SEC filing. Let that sink in. If you are looking at a company’s 8-K or 10-K to figure out if they’ve been hacked, you are basically flipping a coin, and the coin is rigged.

Why the secrecy? It boils down to one word that lawyers love and engineers hate: Materiality. In 2022, companies had a massive amount of leeway to decide if a breach was “material” enough to warrant telling the public. If a hacker made off with 10,000 customer records, the board might look at their billion-dollar valuation and say, “Eh, that’s just a rounding error. No need to spook the shareholders.”

But here is the kicker: Audit Analytics found that the types of breaches being disclosed were changing. While 188 breaches were analyzed in depth, many companies opted to hide behind vague language or omit the incident entirely from formal regulatory filings, choosing instead to bury it in a press release or a footnote that requires a magnifying glass and a law degree to find. This lack of transparency is exactly why the SEC eventually stepped in with new rules in late 2023 and 2024, but in 2022? It was the era of “don’t ask, don’t tell, just hope the hackers go away.”

The Disclosure Timeline: Why Speed is a Myth

If you think companies find a breach and immediately hit the “Alert the Public” button, you probably also believe that “unlimited data” plans actually have no limits. The 2022 data shows a massive lag between the date of occurrence and the date of disclosure. On average, it took months for companies to even realize they had been compromised, and then several more weeks to navigate the legal minefield before filing with the SEC.

Audit Analytics tracks the “Cybersecurity Breach Time-to-Disclosure” metric, and the results are sobering. For many, the “Mean Time to Detect” (MTTD) remained stubbornly high. Hackers were sitting in systems for an average of 100+ days before someone noticed the suspicious traffic or the weird admin logins from a country the company doesn’t even do business in. By the time the SEC filing hits the wires, the data has already been sold on the Dark Web three times over.

Historical Trends: 2011 to 2022

To understand 2022, we have to look back. Audit Analytics has been tracking these disclosure trends since 2011, and the trajectory is like a roller coaster that only goes up and has no brakes. In 2011, a “breach” was often an accidental leak—someone left a laptop in a taxi or emailed a spreadsheet to the wrong “John Smith.”

Fast forward to 2022, and the nature of these events has shifted from “oops” to “organized crime.” The report highlights that while the number of disclosed breaches saw some fluctuations, the severity and sophistication skyrocketed. We are seeing a move away from simple malware toward complex, multi-stage attacks involving social engineering, zero-day vulnerabilities, and the exploitation of third-party vendors (hello, SolarWinds hangover).

“The evolution of cybersecurity disclosures reflects a cat-and-mouse game where the mouse is now armed with a rocket launcher and the cat is still trying to figure out how to open the box.” — Every stressed-out CISO ever.

The SOX 404 Connection: Internal Controls are Failing

Let’s talk about Internal Controls over Financial Reporting (ICFR). I know, I know—it sounds boring. But in the world of Audit Analytics, this is the “Secret Sauce.” On August 2, 2022, they released a report on SOX 404 disclosures, and the overlap with cybersecurity is impossible to ignore. If your internal controls are weak, your cybersecurity is likely a flaming dumpster fire.

When a company reports a “material weakness” in its internal controls, it is often related to “IT General Controls” (ITGC). In 2022, Audit Analytics noted that a significant portion of these weaknesses stemmed from poor access controls. Basically, people had access to systems they shouldn’t have, passwords weren’t being rotated, and multi-factor authentication (MFA) was being treated as an optional suggestion rather than a requirement.

If a hacker gets into your system because an intern’s password was “Password123” and they had admin rights to the entire financial ledger, that is a failure of ICFR. The 2022 data shows that as cybersecurity breaches increased, so did the scrutiny on these internal controls. Auditors are no longer just looking at the balance sheet; they are looking at the firewall logs. If they aren’t, they are failing at their jobs.

PCAOB and IASSB: Raising the Bar

In 2022, both the PCAOB (Public Company Accounting Oversight Board) and the IASSB released changes to auditing standards. These weren’t just tweaks; they were structural reinforcements. They strengthened the requirements surrounding the use of “other auditors” and increased the pressure on primary auditors to verify the work of specialists—including cybersecurity experts.

This means that in the 2022 audit cycle, we started seeing Audit Fees climb. Audit Analytics’ 2023 Audit Fees Report confirms that companies were paying more for their annual audits. Why? Because the auditors had to do more work to ensure that “Cybersecurity Risk” wasn’t just a buzzword in the “Risk Factors” section of the 10-K, but a quantified, mitigated threat. You want a clean audit opinion in a world of 44% ransomware increases? You’re going to have to pay for it.

The Anatomy of a 2022 Breach Disclosure

Let’s look at what actually goes into an Audit Analytics-style analysis of a breach. When they look at the 188 breaches from the 2022 report, they aren’t just looking at the “Who” and the “When.” They are looking at the “How.”

  • The Entry Point: Phishing remained the king of the mountain. Despite all the training, people still click on links promising “Invoice_Urgent_Final.pdf.exe.”
  • The Impact: It wasn’t just PII (Personally Identifiable Information). In 2022, we saw an increase in the theft of Intellectual Property (IP) and trade secrets. This is harder to quantify in a dollar amount but much more damaging long-term.
  • The Remediation: Companies spent millions on “forensic services” and “credit monitoring.” Audit Analytics tracks these costs, and they are ballooning. In some cases, the cost of fixing the breach was 10x the amount of the actual ransom demanded.

One of the most fascinating bits of data is the City and County of Denver’s approach to continuous auditing. They used audit analytics to identify high-risk areas by repeatedly performing updated analyses of transactional data. This is the future. If you are only auditing once a year, you are already dead. You need to be auditing at the speed of the hackers, which is to say, constantly.

The Transparency Barometer: Why Boards are Sweating

The Audit Committee Transparency Barometer (produced with the CAQ) showed that in 2022, audit committees were finally starting to take cybersecurity seriously—at least on paper. More committees were identifying cybersecurity as a top priority. But there is a difference between “talking about it in a meeting” and “actually funding the CISO’s budget.”

Audit Analytics points out that while the disclosure of audit committee oversight of cyber-risk is increasing, the specificity is still lacking. We get a lot of boilerplate language like “The committee oversees the company’s risk management processes, including cybersecurity.” Thanks, Captain Obvious. What we want to see—and what the 2022 data suggests we are missing—is how they are actually measuring that risk. Are they using the NIST framework? Are they performing penetration tests? Are they looking at the Audit Analytics data to see how they compare to their peers?

Technical Deep Dive: The Effectiveness of Cybersecurity Audits

According to a study cited in ScienceDirect regarding the effectiveness of these audits, there is a strong correlation between the planning phase and the performance phase of an audit, but—and this is a huge “but”—there is a weak correlation when it comes to reporting about cyber-risk management. Basically, auditors are good at finding the problems, but companies are still struggling (or resisting) to report those problems accurately to the stakeholders.

This is where Audit Analytics provides the most value. They act as the “B.S. Detector.” By aggregating data from thousands of filings, they can show that while Company A says their cybersecurity is “robust,” their actual disclosure history and internal control weaknesses suggest it is held together by duct tape and prayers.

Common Internal Control Failures in 2022

If we look at the ICFR – SOX 404 data from Audit Analytics, the most common failures that led to cyber vulnerabilities in 2022 were:

  1. Inadequate Segregation of Duties (SoD): The same person who can create a vendor can also authorize a payment. In a cyber context, the same person who manages the backups also has the keys to delete them. This is a ransomware actor’s dream.
  2. Lack of Timely Terminations: Employees who left the company months ago still had active VPN access. If a disgruntled ex-employee (or someone who stole their credentials) decides to log back in, it’s game over.
  3. Poor Patch Management: Companies were still getting hit by vulnerabilities that had patches available for months. In 2022, “zero-day” attacks were flashy, but “old-day” attacks (exploiting unpatched systems) were the real bread and butter of the cybercrime world.

The Financial Toll: Audit Fees and Beyond

Let’s talk money, because at the end of the day, everything in the Audit Analytics report eventually shows up on the bottom line. The 2023 Audit Fees Report (reflecting 2022 work) showed a general upward trend. As the complexity of the digital environment grows, the “hours required” by the Big Four and other accounting firms to sign off on an audit are increasing.

But it’s not just audit fees. It’s Cyber Insurance. In 2022, the insurance market lost its mind. Premiums spiked, coverage narrowed, and insurers started demanding proof of things like MFA and endpoint detection before they would even issue a quote. Audit Analytics data is now being used by insurers to assess the “audit quality” of a company as a proxy for their cyber-risk. If your auditor is constantly finding material weaknesses, your insurance premium is going to look like a phone number.

The 43 Percent Re-visited: Why the SEC Had Enough

We need to circle back to that 43% disclosure rate because it is the “smoking gun” of the 2022 report. Out of 188 major breaches analyzed by Audit Analytics, the fact that more than half didn’t make it into a formal SEC filing is the reason we now have the SEC Final Rule on Cybersecurity Disclosures (which was finalized later but driven by this exact 2022 data).

The SEC realized that companies were playing games. They were using the “materiality” loophole to keep bad news away from investors. The 2022 Audit Analytics report served as the data-driven evidence that self-regulation was failing. The variation in how incidents were reported—some in the 10-K, some in the 8-K, some in the proxy statement, and some not at all—created a fragmented landscape where investors couldn’t accurately price risk.


// Example of the "Materiality" Logic in 2022
if (breach.cost < (annual_revenue * 0.05)) { disclosure = "Optional / Press Release"; } else if (breach.cost > (annual_revenue * 0.05) && lawyers.say("It's fine")) {
disclosure = "Vague footnote in 10-K";
} else {
disclosure = "Actually file an 8-K (and prepare for stock drop)";
}

This “Wong Edan” logic is exactly what the new rules aim to kill. Now, companies have a 4-day window to report a material incident. But in 2022? It was the Wild West, and the cowboys were all wearing suits and hiding the loot.

Conclusion: The Lesson of the 2022 Report

So, what have we learned from the Audit Analytics 2022 Cybersecurity Report? We learned that ransomware is no longer a threat; it is a certainty. We learned that the “Materiality” loophole was being used to keep investors in the dark. And we learned that the bridge between cybersecurity and financial auditing is finally being built—even if it’s being built while the city is on fire.

For the tech-heads and the data-nerds, the message is clear: Data is only as good as its disclosure. You can have the best EDR, the fanciest firewall, and a SOC that never sleeps, but if your company’s internal controls are weak and your board is allergic to transparency, you are a ticking time bomb. Audit Analytics isn’t just giving us numbers; they are giving us a map of the minefield.

2022 was a wake-up call. The 44% increase in ransomware was the alarm, and the 43% disclosure rate was us hitting the “snooze” button. But as we move further into the decade, the SEC and the auditors are making sure that snooze button doesn’t work anymore. Stay paranoid, stay updated, and for the love of all that is holy, check your MFA settings. This is Wong Edan, signing off before the hackers find my secret stash of high-grade Indonesian coffee beans.

Sources and Context: This analysis is based on the comprehensive data sets provided by Audit Analytics, including their “Cybersecurity Breach Disclosures” reports, “SOX 404 Disclosures” reports, and “Audit Fees” reports for the 2022 fiscal year.