How to Manage Breach Reporting as Part of an IR Strategy

How to Manage Breach Reporting as Part of an IR Strategy

Avatar photo
Hwei Oh
7 min read
Share this article:

In December 2022, FBI Supervisory Special Agent Michael Sohn cautioned small businesses that they were being targeted by cybercriminals. While larger corporations are investing more in hardening their security posture, the relative weakness of smaller businesses makes them prime targets for hackers.

However, no matter how much cybersecurity a company has in place, no one can guarantee that its network will never be breached. That’s why a comprehensive risk strategy for cybersecurity includes cyber insurance and incident response to mitigate any residual risk.

Being prepared with a well-defined Incident Response (IR) plan can drastically reduce the corresponding business impact. This includes how to communicate news of the breach to affected customers. Not only does that improve trust, it’s also mandated in many jurisdictions.

In March 2022, President Biden enacted the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This mandated that “covered entities” would soon be required to disclose breaches and ransomware payments. “Covered entities” are defined as a business in one of the 16 critical infrastructure sectors, such as chemicals, dams, financial services, and emergency services.

Many other jurisdictions, both inside and outside the USA, also have reporting requirements in place. Companies that fail to report within a certain time period often face hefty fines.

In this article, we’re going to delve into the best practices to use when reporting a breach so you can minimize reputational damage, stay in compliance, and foster a culture of trust and transparency with your customers.

Why breach reporting is important

Breach reporting is critical to any comprehensive cybersecurity strategy, serving both tactical and regulatory purposes.

Tactical importance

Disclosing a breach helps in the following ways:

  • It mobilizes affected parties.
  • It accelerates remediation.
  • It maintains customer trust.

Mobilizing affected parties

Breach reporting includes letting internal parties know if they were impacted or are part of the incident response strategy. These in-house stakeholders can then take appropriate action via prompt and clear communication.  Such actions would include mobilizing teams like IT which can get started immediately by conducting forensic analysis and isolating affected systems. Management can prioritize resources. HR can prepare communications for employees that instruct them on appropriate security measures and responses to customers. Legal and compliance teams can start preparing for regulatory reporting requirements.

External stakeholders that need to be notified would include customers and third-party vendors. Additionally, information regarding the incident needs to be prepared in case regulators or any other government body decides to inquire about the attack. By reporting the breach’s details to them concisely and accurately, the affected parties can take measures to secure their accounts and minimize further potential damage.

Accelerating remediation

Reporting the breach’s details can accelerate bringing in the expertise needed to identify the incident’s scope and resolve it. Sometimes, feedback might also be necessary from third parties or even customers to help identify the full range of the attack.

With increased knowledge of the breach’s details, the IT team can take the appropriate measures more rapidly, potentially bringing in outsourced IR teams and significantly accelerating the investigation.

Maintaining customer trust

A swift disclosure of any breach can actually increase customer trust. Communications aimed at customers should be factual and as accurate as possible. Failing to transparently disclose the breach could lead to reputation damage, which itself can increase financial losses. A global study by Deloitte found that security is one of the top three drivers of reputational risk for a company. The study also found that 41% of respondents reported revenue suffered the largest impact due to reputational risk.

Open transparent communication with customers is essential to minimize reputational risk.

Regulatory/compliance reasons

The other reason breach reporting is important is regulatory. Failure to comply with the respective privacy and data protection regulations can result in hefty fines and further reputational damage.

Notification deadlines and disclosure requirements

Several jurisdictions have reporting deadlines after a breach is discovered. They also have different requirements for reporting a breach.

The following is not legal advice, and it’s important to consult with your legal counsel to verify the requirements of your jurisdiction. Here are some common requirements in force at the time of this writing.

European GDPR

Under the GDPR, companies must report breaches to their respective authority within 72 hours “where feasible.” The only exception is if the breach does not “result in a risk to the rights and freedoms of natural persons.”

If a company delays in reporting the breach, it needs to provide reasons for the delay.

The GDPR enforces some of the heaviest fines in the world for non-compliance. Depending on the articles violated, GDPR fines can be either:

  • €10 million ($11 million) or 2% of annual turnover, whichever is higher
  • €20 million ($22 million) or 4% of annual turnover, whichever is higher

When determining the penalty, the regulator must consider all circumstances, such as the level of negligence and the gravity of the breach.

California Consumer Privacy Act (CCPA)

Under the CCPA, it’s only necessary to report a breach of unencrypted data, or if there’s reason to believe that the hacker had access to the encryption keys. Like the GDPR, a company must report data breaches within 72 hours. It must also notify the California Attorney General if the breach affected more than 500 California residents.

CCPA breaches can lead to penalties as small as $100 or as high as $7,500 per incident.

New York SHIELD Act (“Stop Hacks and Improve Electronic Data Security”)

The NY SHIELD Act doesn’t specify a timeframe for reporting a breach, but the “NYS Information Security Breach and Notification Act” says, “The disclosure must be made in the most expedient time possible and without unreasonable delay upon determination of a data breach.” The same act also says that companies are allowed to delay reporting if law enforcement believes it will impede a criminal investigation.

If the breach impacts more than 500 New York residents, businesses must notify the New York State Attorney General within 10 days of becoming aware of the breach.

Violations of the NY SHIELD Act can lead to civil penalties of $5,000 per violation.

Securities and Exchange Commission (SEC) requirements[1] 

In 2022, the SEC introduced cybersecurity-related requirements for the protection of investors. Under the new rules, companies must inform investors and shareholders of “material incidents” within four business days of discovering a breach.

The new policies also require reporting on cybersecurity risk management and governance procedures to ensure investor accounts are held securely.

In March 2023, the SEC proposed updates to its cybersecurity rules that impose much more stringent disclosure requirements for covered entities. The new proposal requires that institutions adopt “written policies and procedures” for responding to incidents, including informing affected individuals within 30 days.

The overall message of the amendments is clear: Market entities—those entities that participate in the securities market—must have a robust security posture and incident response procedures in place moving forward, or they’ll incur penalties.

European NIS-2 Directive (“Network and Information Security, Version 2”)

The EU updated its EU-wide legislation on cybersecurity, the NIS.

The NIS-2 entered into force on January 6, 2023, and EU Member States must now transpose the EU-wide legislation into national laws.

The new version introduced more stringent supervisory measures and also streamlined reporting obligations. Under the NIS-2, companies must submit an initial notification to their relevant authority within 24 hours of becoming aware of the incident. Within 72 hours, the company must provide an initial breach assessment. Within one month of the attack, the company needs to provide a final report detailing the attack’s scope and any mitigation efforts it has taken.

NIS-2 fines can be as high as €10 million ($11 million) or 2% of the company’s annual revenue, whatever is higher.

State by State reporting requirements

All 50 US states have laws relating to reporting requirements for data breaches. Puerto Rico, Guam, the District of Columbia, and the Virgin Islands also have reporting and notification requirements in place. It would be impossible to cover all of these here, but the NCSL (National Conference of State Legislatures) maintains a list of the latest bills and acts on its website.

What SMEs can do

SMEs have limited access to resources, so complying with reporting requirements in addition to tackling an ongoing threat can be a major challenge. Here are some tips on how best to deal with this:

  • Establish a clear policy and process: This is best done by creating a comprehensive Incident Response (IR) plan and making sure everyone knows his or her role during the response through IR tabletop exercises.
  • Include all categories of breaches: Not all breaches are related to PII and some might be isolated to employees only. Ensure your plan covers the different scenarios.
  • Designate key stakeholders: Long before any incident, identify individuals and organizations essential to the reporting procedure. This could be internal and external stakeholders and would likely include IT, legal, communications, and management personnel. Ensure that each stakeholder knows precisely what to do during an incident.
  • Collaborate with third parties: Some regulations require you to be aware of vendor security practices. It’s best to have these on record rather than trying to get them during the mad scramble that usually accompanies responding to an attack.
  • Partner with outsourced experts: An SME’s best choice is to team up with an IR partner on retainer. This will significantly reduce the stress of responding to an attack because it takes a massive load off the SME’s shoulders.

How SolCyber can help

SolCyber is managed security partner that acts as a single point of contact for all of an SME’s cybersecurity needs. Clients can also take advantage of SolCyber’s partnerships with Surefire (in North America) and Sicarius (in Australia and New Zealand), both specializing in incident responses.

Working with a managed security solutions provider means that SMEs can access the full gamut of cybersecurity services without paying a fortune. This significantly reduces the chances of a cyberattack attempt being successful. If an attack does succeed, SolCyber and our IR partners can provide the necessary services to mitigate the attack as fast as possible, including following all necessary reporting procedures.

Contact us today to learn how SolCyber can help you with your cybersecurity and IR needs.

Follow us on the following social platforms!

LinkedIn: https://www.linkedin.com/company/solcyber-managed-security-services/

Twitter: https://twitter.com/SolCyberMSS

Facebook: https://www.facebook.com/solcybermssp

Instagram: https://www.instagram.com/solcyber_mssp/

Avatar photo
Hwei Oh
Share this article:

Table of contents:

The world doesn’t need another traditional MSSP 
or MDR or XDR.

What it requires is practicality and reason.

Related articles

The world doesn’t need another traditional MSSP or MDR or XDR.
What it requires is practicality and reason.

And security that won’t let you down. It's time to put an end to the cyber insanity once and for all.
No more paying for useless bells and whistles.
No more time wasted on endless security alerts.
No more juggling multiple technologies and contracts.

Follow us!


Join our newsletter to stay up to date on features and releases.

By subscribing you agree to our Privacy Policy and provide consent to receive updates from our company.

SolCyber. All rights reserved
Made with
Jason Pittock

I am interested in
SolCyber XDR++™

I am interested in
SolCyber MDR++™

I am interested in
SolCyber Extended Coverage™

I am interested in
SolCyber Foundational Coverage™

I am interested in a
Free Demo