When to Report a Cyberattack? For Companies, That's Still a Dilemma

Dealing with a cyberattack is often technically difficult; dealing with the aftermath from a social perspective can be just as difficult. After a breach, a variety of parties need to be notified. First, if consumers have been affected, they should be notified, because it is their data that has been compromised. Next, law enforcement officials need to be notified so that they can try to identify the attacker. Finally, investors and the board of directors need to be notified. However, with the heightened restrictions on publicity, alerting these parties is not always simple. Police will often instruct breached companies not to alert anyone about the breach while the investigation is in progress. This leaves public companies in a difficult position: they may need to alert investors while also keeping the information confidential as the investigation proceeds. The Securities and Exchange Commission (SEC) has issued guidance on the topic, but the guidance is vague and does not address the real issue of when to report. The SEC's guidance says only that an active investigation should not, on its own, be a reason to avoid disclosing information to investors. This dilemma may explain why so few cyberattacks are reported compared with the number of attacks that actually occur. Companies have an obligation to alert everyone affected by a breach as soon as possible. The SEC should work with the Federal Bureau of Investigation (FBI) to create a comprehensive framework that companies can follow in the wake of a cyberattack. This article also demonstrates that government regulations are still severely lacking in several domains of cybersecurity, such as recovery.
Craig A. Newman
New York Times
Input By: Cody Durr
MIT Undergraduate
Industry Focus: 
Information & Telecommunication
Internet & Cyberspace
Bibliographies & Reports