Try our pricing calculator and see how much you'll save!

How to Manage Breach Reporting as Part of an IR Strategy

July 9, 2023
 - Created by 
Hwei Oh
Share this post:

In December 2022, FBI Supervisory Special Agent Michael Sohn cautioned small businesses that they were being targeted by cybercriminals. While larger corporations are investing more in hardening their security posture, the relative weakness of smaller businesses makes them prime targets for hackers.

However, no matter how much cybersecurity a company has in place, no one can guarantee that its network will never be breached. That’s why a comprehensive risk strategy for cybersecurity includes cyber insurance and incident response to mitigate any residual risk.

Being prepared with a well-defined Incident Response (IR) plan can drastically reduce the corresponding business impact. This includes how to communicate news of the breach to affected customers. Not only does that improve trust, it's also mandated in many jurisdictions.

In March 2022, President Biden enacted the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This mandated that "covered entities” would soon be required to disclose breaches and ransomware payments. "Covered entities" are defined as a business in one of the 16 critical infrastructure sectors, such as chemicals, dams, financial services, and emergency services.

Many other jurisdictions, both inside and outside the USA, also have reporting requirements in place. Companies that fail to report within a certain time period often face hefty fines.

In this article, we're going to delve into the best practices to use when reporting a breach so you can minimize reputational damage, stay in compliance, and foster a culture of trust and transparency with your customers.

Why breach reporting is important

Breach reporting is critical to any comprehensive cybersecurity strategy, serving both tactical and regulatory purposes.

Tactical importance

Disclosing a breach helps in the following ways:

  • It mobilizes affected parties.
  • It accelerates remediation.
  • It maintains customer trust.

Mobilizing affected parties

Breach reporting includes letting internal parties know if they were impacted or are part of the incident response strategy. These in-house stakeholders can then take appropriate action via prompt and clear communication.  Such actions would include mobilizing teams like IT which can get started immediately by conducting forensic analysis and isolating affected systems. Management can prioritize resources. HR can prepare communications for employees that instruct them on appropriate security measures and responses to customers. Legal and compliance teams can start preparing for regulatory reporting requirements.

External stakeholders that need to be notified would include customers and third-party vendors. Additionally, information regarding the incident needs to be prepared in case regulators or any other government body decides to inquire about the attack. By reporting the breach's details to them concisely and accurately, the affected parties can take measures to secure their accounts and minimize further potential damage.

Accelerating remediation

Reporting the breach's details can accelerate bringing in the expertise needed to identify the incident’s scope and resolve it. Sometimes, feedback might also be necessary from third parties or even customers to help identify the full range of the attack.

With increased knowledge of the breach's details, the IT team can take the appropriate measures more rapidly, potentially bringing in outsourced IR teams and significantly accelerating the investigation.

Maintaining customer trust

A swift disclosure of any breach can actually increase customer trust. Communications aimed at customers should be factual and as accurate as possible. Failing to transparently disclose the breach could lead to reputation damage, which itself can increase financial losses. A global study by Deloitte found that security is one of the top three drivers of reputational risk for a company. The study also found that 41% of respondents reported revenue suffered the largest impact due to reputational risk.

Open transparent communication with customers is essential to minimize reputational risk.

Regulatory/compliance reasons

The other reason breach reporting is important is regulatory. Failure to comply with the respective privacy and data protection regulations can result in hefty fines and further reputational damage.

Notification deadlines and disclosure requirements

Several jurisdictions have reporting deadlines after a breach is discovered. They also have different requirements for reporting a breach.

The following is not legal advice, and it's important to consult with your legal counsel to verify the requirements of your jurisdiction. Here are some common requirements in force at the time of this writing.

European GDPR

Under the GDPR, companies must report breaches to their respective authority within 72 hours "where feasible." The only exception is if the breach does not "result in a risk to the rights and freedoms of natural persons."

If a company delays in reporting the breach, it needs to provide reasons for the delay.

The GDPR enforces some of the heaviest fines in the world for non-compliance. Depending on the articles violated, GDPR fines can be either:

  • €10 million ($11 million) or 2% of annual turnover, whichever is higher
  • €20 million ($22 million) or 4% of annual turnover, whichever is higher

When determining the penalty, the regulator must consider all circumstances, such as the level of negligence and the gravity of the breach.

California Consumer Privacy Act (CCPA)

Under the CCPA, it's only necessary to report a breach of unencrypted data, or if there's reason to believe that the hacker had access to the encryption keys. Like the GDPR, a company must report data breaches within 72 hours. It must also notify the California Attorney General if the breach affected more than 500 California residents.

CCPA breaches can lead to penalties as small as $100 or as high as $7,500 per incident.

New York SHIELD Act ("Stop Hacks and Improve Electronic Data Security")

The NY SHIELD Act doesn't specify a timeframe for reporting a breach, but the "NYS Information Security Breach and Notification Act" says, "The disclosure must be made in the most expedient time possible and without unreasonable delay upon determination of a data breach." The same act also says that companies are allowed to delay reporting if law enforcement believes it will impede a criminal investigation.

If the breach impacts more than 500 New York residents, businesses must notify the New York State Attorney General within 10 days of becoming aware of the breach.

Violations of the NY SHIELD Act can lead to civil penalties of $5,000 per violation.

Securities and Exchange Commission (SEC) requirements[1] 

In 2022, the SEC introduced cybersecurity-related requirements for the protection of investors. Under the new rules, companies must inform investors and shareholders of "material incidents" within four business days of discovering a breach.

The new policies also require reporting on cybersecurity risk management and governance procedures to ensure investor accounts are held securely.

In March 2023, the SEC proposed updates to its cybersecurity rules that impose much more stringent disclosure requirements for covered entities. The new proposal requires that institutions adopt "written policies and procedures" for responding to incidents, including informing affected individuals within 30 days.

The overall message of the amendments is clear: Market entities—those entities that participate in the securities market—must have a robust security posture and incident response procedures in place moving forward, or they'll incur penalties.

European NIS-2 Directive ("Network and Information Security, Version 2")

The EU updated its EU-wide legislation on cybersecurity, the NIS.

The NIS-2 entered into force on January 6, 2023, and EU Member States must now transpose the EU-wide legislation into national laws.

The new version introduced more stringent supervisory measures and also streamlined reporting obligations. Under the NIS-2, companies must submit an initial notification to their relevant authority within 24 hours of becoming aware of the incident. Within 72 hours, the company must provide an initial breach assessment. Within one month of the attack, the company needs to provide a final report detailing the attack's scope and any mitigation efforts it has taken.

NIS-2 fines can be as high as €10 million ($11 million) or 2% of the company's annual revenue, whatever is higher.

State by State reporting requirements

All 50 US states have laws relating to reporting requirements for data breaches. Puerto Rico, Guam, the District of Columbia, and the Virgin Islands also have reporting and notification requirements in place. It would be impossible to cover all of these here, but the NCSL (National Conference of State Legislatures) maintains a list of the latest bills and acts on its website.

What SMEs can do

SMEs have limited access to resources, so complying with reporting requirements in addition to tackling an ongoing threat can be a major challenge. Here are some tips on how best to deal with this:

  • Establish a clear policy and process: This is best done by creating a comprehensive Incident Response (IR) plan and making sure everyone knows his or her role during the response through IR tabletop exercises.
  • Include all categories of breaches: Not all breaches are related to PII and some might be isolated to employees only. Ensure your plan covers the different scenarios.
  • Designate key stakeholders: Long before any incident, identify individuals and organizations essential to the reporting procedure. This could be internal and external stakeholders and would likely include IT, legal, communications, and management personnel. Ensure that each stakeholder knows precisely what to do during an incident.
  • Collaborate with third parties: Some regulations require you to be aware of vendor security practices. It's best to have these on record rather than trying to get them during the mad scramble that usually accompanies responding to an attack.
  • Partner with outsourced experts: An SME's best choice is to team up with an IR partner on retainer. This will significantly reduce the stress of responding to an attack because it takes a massive load off the SME's shoulders.

How SolCyber can help

SolCyber is managed security partner that acts as a single point of contact for all of an SME's cybersecurity needs. Clients can also take advantage of SolCyber’s partnerships with Surefire (in North America) and Sicarius (in Australia and New Zealand), both specializing in incident responses.

Working with a managed security solutions provider means that SMEs can access the full gamut of cybersecurity services without paying a fortune. This significantly reduces the chances of a cyberattack attempt being successful. If an attack does succeed, SolCyber and our IR partners can provide the necessary services to mitigate the attack as fast as possible, including following all necessary reporting procedures.

Contact us today to learn how SolCyber can help you with your cybersecurity and IR needs.

Follow us on the following social platforms!





Subscribe to our blog!

To receive the latest articles from our team, provide us with your email address.

Related Posts

Best Practices for Managed Security Implementation

Even the best-managed security programs can fall short […]

Hwei Oh Hwei Oh
Find out more
Selecting the Best Managed Security Provider

The escalating complexity of business IT environments, coupled […]

Hwei Oh Hwei Oh
Find out more
Prioritizing Cybersecurity in Manufacturing

Cybersecurity in the manufacturing industry is not a […]

Hwei Oh Hwei Oh
Find out more

Subscribe to our blog!

To receive the latest articles from our team, provide us with your email address.
© 2023 SolCyber. All rights reserved | Made with   by Jason Pittock
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram