Survey: data breach reported, maybe, if law requires

By Chad Hemenway on March 19, 2014

Most organizations responding to a recent Economist Intelligence Unit survey admit they do not voluntarily report cyber incidents if they aren’t legally required to do so.

The survey, sponsored by Arbor Networks, of 360 senior business leaders revealed 57 percent of respondents said they only report data breaches—intentional or unintentional, electronic or physical—if they are required by law. Another 27 percent are undecided.

Respondents also said that more than three-quarters of the organizations surveyed had suffered a data breach in the last two years.

Reporting a breach that exposes personally identifiable information is required by law in many countries, but going public with other kinds of cyber incidents is not mandatory.

Furthermore, 47 percent of respondents—mostly C-level management or board members—said legislation requiring that all data breaches be made public would do more harm than good. Twenty-two percent disagree, while 29 percent are undecided.

In the US, public companies are required by the Securities and Exchange Commission to disclose all material events, including data breaches.

“While declaring a breach can cause damage to a business in the short term, it can be more damaging if it is later revealed in the press that there was an incident but the organization decided not to report it,” wrote the report’s author, Clint Witchalls.

Thirty-five percent of the firms surveyed said they shared information about incidents with industry peers, while 32 percent do not. Nevertheless, two-thirds of executives said responding effectively to an incident can actually enhance a company’s reputation.

“Sharing information is one of the strengths of information security in the higher education industry, and we use multiple methods to share information and collaborate,” said Brad Judy, director of university information systems security at the University of Colorado, who was interviewed for the report.

Interestingly, 46 percent of executives say their company was alerted to its latest incident by routine checks or controls. The same proportion said they were notified by an employee who had, for example, forwarded a phishing email or lost a device.

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalism experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824 or [email protected].