Should companies be forced to report every cyberattack?


Cyberattacks have become a daily reality for companies across all industries, from ransomware attacks against hospitals to phishing campaigns targeted at small businesses; no organization is immune. Many cyber incidents are never reported, either because companies want to protect their reputation, avoid regulatory scrutiny, or simply don’t know what information they are expected to provide.

This raises a very important question: Should companies be required to report each cyberattack that they experience by law?

As governments push for greater transparency in cybersecurity, the debate is heating up. We’ll explore the two sides of the debate, current reporting laws, and what mandatory disclosure might mean for consumers and businesses.

Arguments for Mandatory Reporting

1. Greater Transparency Protects Consumers

Customers’ data is at risk when a company experiences a security breach. Mandatory reporting ensures that affected individuals are notified promptly, giving them the opportunity to take protective measures such as changing passwords or monitoring their accounts.

2. Improved National Security

Cyberattacks can affect infrastructure, healthcare and government systems. Reporting incidents allows authorities to detect patterns, identify attacks and coordinate defenses on a national scale.

3. Stronger Industry-Wide Security

Other companies can improve their defenses by learning from breaches that are revealed. Transparency raises the bar for all.

4. Accountability in Business

Without mandatory reporting, organizations may cut corners when it comes to security. Mandatory disclosure encourages companies to take cybersecurity more seriously because they know that they will have to disclose breaches.

Arguments Against Mandatory Reporting

1. A Flood of Reports

Not all cyber incidents are major. If companies are forced to report every attack, no matter how minor, the volume of reports will overwhelm regulators and make it harder to pick out the serious threats.

2. Financial and Reputational Damage

Even if an attack is unsuccessful, disclosing it could damage a company’s stock price and reputation. This could discourage companies from innovating, or from investing in cybersecurity.

3. Costs & Resources

Reporting requirements can be a burden for small businesses. Documenting minor incidents in detail can add a lot of administrative work.

4. Overexposure Risk

Cybercriminals could gain valuable insight into a company’s vulnerabilities if too much information were disclosed. Poorly managed reporting systems can unintentionally help attackers.

Current Reporting Requirements around the World

  • European Union: Companies are required to report certain data breaches within 72 hours to the regulators and notify affected individuals without delay.

  • United States: State-specific requirements vary. California law, for example, requires that consumers be notified of data breaches involving personal information. Recently, the SEC adopted rules that require public companies to report “material” cyber incidents within four business days.

  • Australia’s Notifiable Data Breaches Scheme: Organisations must notify individuals as well as regulators when breaches may cause serious harm.

  • Other Nations: Countries such as Brazil (LGPD) and Canada (PIPEDA) have similar laws.

It is evident that governments are tightening their disclosure requirements, even though the thresholds for reporting vary.

Finding the Right Balance

Should companies be required to report each and every cyberattack? The answer probably lies somewhere in between.

  • Report Significant Incidents: Businesses must report incidents that are significant. These include breaches of sensitive data, disruptions to services, or risks to society.

  • Encourage Voluntary Sharing: Companies could be encouraged, but not required, to share information about smaller or unsuccessful attacks with industry groups or agencies.

  • Standardize Definitions: Clear guidelines on what constitutes a “reportable incident” would help avoid confusion.

  • Support Small Businesses: Reporting regimes should be designed to accommodate the needs of small businesses and streamline processes.

Final Thoughts

Cyberattacks will happen, but secrecy shouldn’t be the default. Mandatory reporting is important for consumers’ protection, national security and accountability.

A requirement to disclose every minor incident could overwhelm both businesses and regulators. Balance is key: laws must ensure serious breaches are brought to light while still allowing for flexibility in less-critical incidents.

In the end, greater transparency benefits everyone: customers, businesses, and governments. The question is not whether companies report cyberattacks, but to whom, when, and how much.
