Governments at all levels are poised to tighten rules on disclosures of cybersecurity incidents and have already penalized some companies for inadequate data protection.
Proposed SEC rules could be finalized in Q1, which would require companies to publicly reveal when they are victimized by cyberattacks. Rulemaking is also proceeding for the critical infrastructure protection law that would require companies to report cyber incidents and ransom payments to the federal government.
Although some public disclosure protections may be included, these changes would upend the status quo, in which companies have some discretion about whether to report incidents to the FBI and other federal agencies – and whether they become public.
New York’s Department of Financial Services is also weighing new reporting requirements for companies designated as “Class A.” The new steps further complicate companies’ communications options by adding to the rising tide of current required disclosure regimes like the Health and Human Services database of health-related breaches and several state attorneys general who list incidents on their websites.
Collectively, these measures will dramatically reshape the way companies communicate following an incident, as the “say-nothing” approach becomes obsolete. To prepare, smart companies should:
- Prepare specialty cyber incident communications plans
- Integrate those into broader crisis response and continuity of operations training, and
- Command the narrative on their own terms before hackers or required government disclosures spark damaging media coverage and reputational exposure.