[BreachExchange] Consequences of the Late Announcement of Cyber-security Incidents

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 20 09:52:27 EST 2018



Cyber-security attacks that are becoming more and more common among various
types and sizes of organizations may have serious effects on electronic
communication networks, provision of services, and national security.
Although significant breaches that affect many users or extensively disrupt
the functioning of an organization usually receive extensive media
coverage, smaller security incidents may remain unreported to the public.
This can occur because of several reasons. For example, the affected
organization may become aware of the incident later, it considers the
incident insignificant (e.g., no personal data has been accessed), the
local law does not impose requirements on reporting cyber-attacks, or,
after conducting balancing tests, the reporting of the incident will cause
substantial damages. Nevertheless, in practice, late announcement of
cyber-security incidents may be beneficial only in a small number of very
specific and selective cases. In most cases, late announcement of incidents
may cause significant reputational harm and possible legal liabilities.

Legal requirements

It is important to note that the laws of some jurisdictions impose short
time frames and strict procedures for reporting computer security
incidents, especially those entailing personal data breaches. For example,
the new soon-to-come EU data protection law (GDPR) stipulates that, if a
security incident that includes a personal data breach may result in a risk
to the rights and freedoms of natural persons, it should be reported to the
national supervisory authority within 72 hours after the organization
becomes aware of it. In the US, the reporting timeframe depends on the type
of the cyber-attack experienced by an entity. The US Computer Readiness
Emergency Team should be notified about reportable incidents within an hour
or two after the discovery of such an incident. In addition, there are
voluntary incident reporting schemes and requirements imposed by
industry-specific regulators. For example, in summer 2017, the European
Central Bank (ECB) imposed new mandatory tailored cyber incident reporting
requirements that do not stem from legislation on more than 100 banks.

Incident response plan

Implementation of organization’s incident response plan and incident
reporting timeframes depend on various aspects of the cyber incident, such
as the type of the organization that has experienced the attack, the data
and/or systems that have been accessed, as well as the severity, scope and
the type of the attack. In addition to national agencies that should be
contacted in case of an incident for receiving assistance in coordinating
the incident, it is a good industry practice of an organization to report
incidents to their clients and the public in general. Such an external
communication strategy, which usually includes informing clients by e-mail
and preparing press releases, accompanies internal communication during the
mitigation of the incident.

Failure to report timely

Due to the fear of possible adverse effects of security events or belated
information about such events, some organizations fail to announce the
experienced attack promptly. By way of illustration, in late November 2017,
Uber notified its users worldwide about the massive incident that had
occurred in 2016, a year before the actual announcement date. During the
attack, hackers accessed personal data of 57 million Uber users, including
their driver license numbers, names, and phone numbers. The breach was
facilitated by accessing third-party cloud storage used by Uber’s systems.
Nevertheless, to avoid the reputational impact of this large-scale event,
Uber did not notify its users and law enforcement bodies. Instead, the
company paid USD 100.000 to the hackers asking to destroy the obtained
personal data.

Intentional or unintentional late public disclosure practices may have
benefits and drawbacks that are further discussed below. We do not consider
the legal liabilities for not complying with timely reporting requirements
as they may differ depending on the jurisdiction in which the affected
organization is operating.

A benefit of late announcement

The main benefit that can stem from a delayed public reporting is a
possibility to mitigate the associated reputational harm and mitigate the
damages related to it. The organization may “postpone” the immediate
negative reputational effect of the incident and rely on the possibility
that, in a perspective of time, the incident would be less severe. The
effect of such a measure can be twofold. The difference in a psychological
perception of the incident that has just occurred and the incident that
happened a long time ago may make such an action plan effective. However,
it is of utmost importance to note that such a move may also have a
reverse effect. The organization may be a negligent undertaking that does
not respect its clients, partners, reputation, and honest industry

Other situations in which organizations may choose to announce the cyber
incident later are those particular cases when an immediate reporting could
cause physical harm to persons, organizations, environment, or affect the
confidentiality, integrity, and availability of other secured data.

Drawbacks of late announcement

The drawbacks related to the late announcement of cyber-security incidents
include the following:

- Preventing the rise of awareness about the incident. The targeted
organization may not be the only victim of the attack as more entities can
be affected by it. By not discussing the incident publicly, the affected
organization cannot share and receive helpful information (e.g.,
information about perpetrator’s tactic, a timeline of events, and effective
mitigation techniques) that can help to avoid the incident in the future.
- Preventing victims from taking remedial action immediately. By failing to
inform the affected parties about the incident, the organization will
prevent the victims from taking actions immediately and employing
preventive measures for possible future incidents.
- Losing the chance to test incident response plans and practice external
communication strategies. Although an incident response plan drafted and
maintained by an organization may be foolproof, its strengths and flaws can
only be seen in practice. Thus, by applying an incident response plan in a
real-time environment, an organization can assess the effectiveness of its
cyber-security strategies.


To conclude, external and internal communication strategies are essential
elements of an effective incident response plan. They regulate not only
mitigation of incidents within the organization, but also assist in
limiting the reputational harm that follows them. It is important to stress
that a well-structured, professional, and detailed announcement of a
security incident may mitigate the adverse effects the event, share good
practices, and keep transparent and reliable relationships with
organization’s partners. Finally, a timely public dialogue about the
incident may evolve into a broader discussion about the core of the problem
and help to find a solution.

Late announcement of cyber-security incidents can rarely be justified or
beneficial. Usually, the failure to announce an incident promptly will
discredit the compromised organization and raise legal liabilities.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180220/a516eaba/attachment.html>

More information about the BreachExchange mailing list