When to Report a Cyberattack? For Companies, That’s Still a Dilemma

It has been seven years since the Securities and Exchange Commission first advised public companies to tell investors if they had suffered a cyberattack deemed to be material. Again, it warned public companies to make “timely” disclosure, recognizing the “grave threat” that cybercrime poses to investors and the capital markets.

Yet, the S.E.C.’s new guidance doesn’t confront the practical quandary facing public companies victimized by a cyberattack: Going public with news of a cyberattack isn’t always an easy call. Law enforcement often encourages, or even demands, that the incident not be disclosed. This tension between the need for discreet cooperation with law enforcement and the obligation to inform investors and the markets creates a dilemma for public companies.

While the guidance acknowledges that it will often take time to “discern the implications” of a breach and that it “may be necessary to cooperate” with law enforcement, it concludes that an active investigation would not “on its own” be a reason to avoid disclosure of a material cybersecurity incident.

Perhaps this dilemma explains why so few public companies report breaches. issued its initial cyber guidance, only 106 companies have reported incidents to the S.E.C. While a proportion of those were private companies, it’s unlikely that public companies suffered only 106 breaches that were material in that time.
