In December 2022, FBI Supervisory Special Agent Michael Sohn cautioned small businesses that they were being targeted by cybercriminals. While larger corporations are investing more in hardening their security posture, the relative weakness of smaller businesses makes them prime targets for hackers.
However, no matter how much cybersecurity a company has in place, no one can guarantee that its network will never be breached. That’s why a comprehensive risk strategy for cybersecurity includes cyber insurance and incident response to mitigate any residual risk.
Being prepared with a well-defined Incident Response (IR) plan can drastically reduce the corresponding business impact. This includes how to communicate news of the breach to affected customers. Not only does that improve trust, it’s also mandated in many jurisdictions.
In March 2022, President Biden enacted the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This mandated that “covered entities” would soon be required to disclose breaches and ransomware payments. “Covered entities” are defined as a business in one of the 16 critical infrastructure sectors, such as chemicals, dams, financial services, and emergency services.
Many other jurisdictions, both inside and outside the USA, also have reporting requirements in place. Companies that fail to report within a certain time period often face hefty fines.
In this article, we’re going to delve into the best practices to use when reporting a breach so you can minimize reputational damage, stay in compliance, and foster a culture of trust and transparency with your customers.
Why breach reporting is important
Breach reporting is critical to any comprehensive cybersecurity strategy, serving both tactical and regulatory purposes.
Disclosing a breach helps in the following ways:
- It mobilizes affected parties.
- It accelerates remediation.
- It maintains customer trust.
Mobilizing affected parties
Breach reporting includes letting internal parties know if they were impacted or are part of the incident response strategy. These in-house stakeholders can then take appropriate action via prompt and clear communication. Such actions would include mobilizing teams like IT which can get started immediately by conducting forensic analysis and isolating affected systems. Management can prioritize resources. HR can prepare communications for employees that instruct them on appropriate security measures and responses to customers. Legal and compliance teams can start preparing for regulatory reporting requirements.
External stakeholders that need to be notified would include customers and third-party vendors. Additionally, information regarding the incident needs to be prepared in case regulators or any other government body decides to inquire about the attack. By reporting the breach’s details to them concisely and accurately, the affected parties can take measures to secure their accounts and minimize further potential damage.
Reporting the breach’s details can accelerate bringing in the expertise needed to identify the incident’s scope and resolve it. Sometimes, feedback might also be necessary from third parties or even customers to help identify the full range of the attack.
With increased knowledge of the breach’s details, the IT team can take the appropriate measures more rapidly, potentially bringing in outsourced IR teams and significantly accelerating the investigation.
Maintaining customer trust
A swift disclosure of any breach can actually increase customer trust. Communications aimed at customers should be factual and as accurate as possible. Failing to transparently disclose the breach could lead to reputation damage, which itself can increase financial losses. A global study by Deloitte found that security is one of the top three drivers of reputational risk for a company. The study also found that 41% of respondents reported revenue suffered the largest impact due to reputational risk.
Open transparent communication with customers is essential to minimize reputational risk.
The other reason breach reporting is important is regulatory. Failure to comply with the respective privacy and data protection regulations can result in hefty fines and further reputational damage.
Notification deadlines and disclosure requirements
Several jurisdictions have reporting deadlines after a breach is discovered. They also have different requirements for reporting a breach.
The following is not legal advice, and it’s important to consult with your legal counsel to verify the requirements of your jurisdiction. Here are some common requirements in force at the time of this writing.
Under the GDPR, companies must report breaches to their respective authority within 72 hours “where feasible.” The only exception is if the breach does not “result in a risk to the rights and freedoms of natural persons.”
If a company delays in reporting the breach, it needs to provide reasons for the delay.
The GDPR enforces some of the heaviest fines in the world for non-compliance. Depending on the articles violated, GDPR fines can be either:
- €10 million ($11 million) or 2% of annual turnover, whichever is higher
- €20 million ($22 million) or 4% of annual turnover, whichever is higher
When determining the penalty, the regulator must consider all circumstances, such as the level of negligence and the gravity of the breach.
California Consumer Privacy Act (CCPA)
Under the CCPA, it’s only necessary to report a breach of unencrypted data, or if there’s reason to believe that the hacker had access to the encryption keys. Like the GDPR, a company must report data breaches within 72 hours. It must also notify the California Attorney General if the breach affected more than 500 California residents.
CCPA breaches can lead to penalties as small as $100 or as high as $7,500 per incident.
New York SHIELD Act (“Stop Hacks and Improve Electronic Data Security”)
The NY SHIELD Act doesn’t specify a timeframe for reporting a breach, but the “NYS Information Security Breach and Notification Act” says, “The disclosure must be made in the most expedient time possible and without unreasonable delay upon determination of a data breach.” The same act also says that companies are allowed to delay reporting if law enforcement believes it will impede a criminal investigation.
If the breach impacts more than 500 New York residents, businesses must notify the New York State Attorney General within 10 days of becoming aware of the breach.
Violations of the NY SHIELD Act can lead to civil penalties of $5,000 per violation.
Securities and Exchange Commission (SEC) requirements
In 2022, the SEC introduced cybersecurity-related requirements for the protection of investors. Under the new rules, companies must inform investors and shareholders of “material incidents” within four business days of discovering a breach.
The new policies also require reporting on cybersecurity risk management and governance procedures to ensure investor accounts are held securely.
In March 2023, the SEC proposed updates to its cybersecurity rules that impose much more stringent disclosure requirements for covered entities. The new proposal requires that institutions adopt “written policies and procedures” for responding to incidents, including informing affected individuals within 30 days.
The overall message of the amendments is clear: Market entities—those entities that participate in the securities market—must have a robust security posture and incident response procedures in place moving forward, or they’ll incur penalties.
European NIS-2 Directive (“Network and Information Security, Version 2”)
The EU updated its EU-wide legislation on cybersecurity, the NIS.
The NIS-2 entered into force on January 6, 2023, and EU Member States must now transpose the EU-wide legislation into national laws.
The new version introduced more stringent supervisory measures and also streamlined reporting obligations. Under the NIS-2, companies must submit an initial notification to their relevant authority within 24 hours of becoming aware of the incident. Within 72 hours, the company must provide an initial breach assessment. Within one month of the attack, the company needs to provide a final report detailing the attack’s scope and any mitigation efforts it has taken.
NIS-2 fines can be as high as €10 million ($11 million) or 2% of the company’s annual revenue, whatever is higher.
State by State reporting requirements
All 50 US states have laws relating to reporting requirements for data breaches. Puerto Rico, Guam, the District of Columbia, and the Virgin Islands also have reporting and notification requirements in place. It would be impossible to cover all of these here, but the NCSL (National Conference of State Legislatures) maintains a list of the latest bills and acts on its website.
What SMEs can do
SMEs have limited access to resources, so complying with reporting requirements in addition to tackling an ongoing threat can be a major challenge. Here are some tips on how best to deal with this:
- Establish a clear policy and process: This is best done by creating a comprehensive Incident Response (IR) plan and making sure everyone knows his or her role during the response through IR tabletop exercises.
- Include all categories of breaches: Not all breaches are related to PII and some might be isolated to employees only. Ensure your plan covers the different scenarios.
- Designate key stakeholders: Long before any incident, identify individuals and organizations essential to the reporting procedure. This could be internal and external stakeholders and would likely include IT, legal, communications, and management personnel. Ensure that each stakeholder knows precisely what to do during an incident.
- Collaborate with third parties: Some regulations require you to be aware of vendor security practices. It’s best to have these on record rather than trying to get them during the mad scramble that usually accompanies responding to an attack.
- Partner with outsourced experts: An SME’s best choice is to team up with an IR partner on retainer. This will significantly reduce the stress of responding to an attack because it takes a massive load off the SME’s shoulders.
How SolCyber can help
SolCyber is managed security partner that acts as a single point of contact for all of an SME’s cybersecurity needs. Clients can also take advantage of SolCyber’s partnerships with Surefire (in North America) and Sicarius (in Australia and New Zealand), both specializing in incident responses.
Working with a managed security solutions provider means that SMEs can access the full gamut of cybersecurity services without paying a fortune. This significantly reduces the chances of a cyberattack attempt being successful. If an attack does succeed, SolCyber and our IR partners can provide the necessary services to mitigate the attack as fast as possible, including following all necessary reporting procedures.
Contact us today to learn how SolCyber can help you with your cybersecurity and IR needs.
Follow us on the following social platforms!