Mandatory reporting regimes are coming to many countries in the next few years, whether businesses support the idea or not. While the details vary, these requirements are intended to increase the government’s visibility regarding the scope, scale, and intensity of malicious cyber activity in their countries. The business case for such reporting from the government’s perspective is clear; no government currently has the incident information it needs to protect its national security, economic prosperity, or public health and safety in cyberspace. For companies, however, what they get from these regimes is often unclear. But if the regulations are set up properly, businesses could reap clear benefits. Therefore, the business community must take this opportunity to shape these reporting regimes into a structure that will not only benefit governments and society, but individual businesses at the same time.
Over the past few years, many countries, including the United States, Australia, and India, have imposed mandatory cyber incident reporting requirements. The European Union recently expanded its mandatory reporting requirements through its Network and Information Security Directive 2.0. While the broad requirements are in place in the U.S. and the EU, the specific regulations and guidance to operationalize these laws are still being developed. In the U.S., the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is drafting the regulations necessary to bring the law into effect; that process will run through mid-2025. Under the EU directive process, each member state has to adopt laws to implement it, and, in this case, they have until October 2024 to do so. Other countries are considering similar laws.
While the details vary, these requirements are intended to increase the government’s visibility regarding the scope, scale, and intensity of malicious cyber activity in their countries. From the government’s perspective, the business case for such reporting is clear: No government currently has the incident information it needs to protect its national security, economic prosperity, or public health and safety in cyberspace. However, what companies get from these regimes is often unclear. In fact, many businesses are worried about the potential burden or other downsides that might come from reporting a cyber incident.
These concerns have merit. Questions about liability or regulatory penalties loom large in discussions about reporting cyber incidents. Most businesses are naturally skeptical of government mandates, especially in terms of how they will apply when an organization is in a bad situation. However, just as with physical crimes, increased cyber incident reporting can also help businesses.
The Pros of Mandatory Incident Reporting for Businesses
The most obvious benefit from a reporting regime is direct assistance with incident response. Governments can’t assist companies if they don’t know about an incident. Despite popular perception, even the U.S. government has little insight into incidents affecting most private-sector companies. Thus, reporting regimes will create opportunities for governments to assist companies directly, such as technical and economic support that would bolster a company’s response to a cyber incident. Not all companies will need or want government assistance, but many companies would welcome technical or financial assistance during a crisis.
Since mandatory reporting regimes will increase both the volume and the timeliness of incident reporting, governments will have an increased ability to warn businesses about emerging threats or potential problems before they occur. Intelligence agencies use the term “indications and warning” for this activity, and it enables recipients to take preparatory actions before something bad happens. Warning similarly situated entities about specific threats that could reasonably imminently affect them could help those companies stop the threat before it becomes an incident. It could provide the justification needed for a company to invest resources to fix longstanding weaknesses or prioritize upgrades. Further, more targeted, timely warnings will have greater credibility and salience with company leaders.
Currently, understanding the impact of and harm from malicious cyber activity is challenging due to incomplete and spotty data. The reporting regimes will ask businesses to report the damages and harms they have suffered due to the cyber incident, including lost revenue, ransom payments, intellectual property theft, or personally identifiable information compromised. By aggregating this type of data over time, governments will be able to better quantify the impact of malicious cyber activity. This data will support a wide variety of assessments, from cost-benefit analysis at the individual firm level to risk-benefit decisions at the national level. It can help inform the insurance market and refine prioritization efforts to produce better outcomes.
Governments could also use reported data to develop a better understanding of the threat and detect trends or changes in the environment. At present, we lack a good baseline rate for cyber incidents across the ecosystem. For example, whether the number of ransomware incidents increased or decreased in 2022 compared to 2021 depends on the entity writing the report. Unlike many other crime or economic statistics, we have no source of ground truth. Mandatory incident reporting will generate statistically significant trend information that can better inform policy decisions. The resulting data will help measure whether policies are having the intended effect or illuminate how the trends in malicious cyber activity are evolving. Businesses can also use this data to make risk-informed decisions or long-term investments, just like they use other government data sources.
The Cost of Mandatory Incident Reporting for Businesses
Reporting rates under existing voluntary regimes are typically very low. For example, the U.S. Federal Bureau of Investigation estimates that fewer than 20% of the victims of the Hive ransomware gang reported the attack to the U.S. government. Clearly, businesses see multiple downsides to reporting incidents, or they would do so more frequently. These concerns usually revolve around potential regulatory or legal action, brand or reputation damage, or litigation, as well as lack of perceived benefit to reporting.
Of course, mandatory requirements render many concerns moot, because businesses won’t have a choice. Interestingly, however, many reporting statutes try to mitigate some of these concerns. For example, in the U.S., the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) specifically prohibits regulatory agencies from using information reported under the statute as a basis for a regulatory action. While the regulator could still initiate an investigation under their own auspices, the act of reporting under CIRCIA can’t trigger such action. Statutes also typically address concerns about brand and reputation effects from a cyber incident by requiring the receiving agency to protect the reported information from disclosure. Thus, these regimes do not require public disclosure, like breach notifications; the disclosure is only to certain government agencies. While an incident might still become public due to an impact on a company’s business operations, such a disclosure will not be due to reporting under these statutes. (In the U.S., the Securities and Exchange Commission has also proposed a rule that would require publicly traded companies to disclose cyber incidents publicly, but that proposed rule has received significant pushback. That kind of disclosure would serve a different purpose than the reporting regimes discussed in this article.)
Despite these mitigations, reporting regimes will impose real costs on businesses. Reporting incidents takes effort. Someone at the company has to take the time to write the report and figure out who to send it to. The company must then deal with whatever questions the receiving agency has. If the organization is in the middle of a cyber incident that meets the reporting criteria, then, by definition, the organization is in extremis. Taking time out for reporting inevitably takes time away from responding to the crisis.
Organizations could also face multiple reporting requirements from different government agencies or be subject to reporting regimes in different countries. A lack of harmonization could make it extremely difficult to comply in an efficient and timely manner; in fact, in some cases, a conflict of laws might make it impossible for a company to comply with both. If governments fail to harmonize their reporting requirements among agencies or between jurisdictions, then they could end up imposing significant costs on businesses and — in the most extreme cases — create more harm than benefits.
Designing the Right Framework for Mandatory Cyber Incident Reporting
On balance, while businesses have legitimate concerns about mandatory incident reporting, the benefits can outweigh the downsides. The opportunity to receive direct assistance and targeted warning, coupled with the ability to make better informed decisions at the individual, organizational, and societal level, can make the additional costs imposed by mandatory reporting regimes worth it — if those regimes are designed correctly.
Therefore, the business community should engage with governments as they develop these reporting regimes to ensure that they will accomplish their intended goals. Businesses can engage in the rule-making process to provide their input. They can work with advocacy groups to make their views and concerns known. The business community should demand that governments work together to harmonize reporting requirements across jurisdictions. It should ask governments to adhere to certain principles when developing these regimes, such as making reporting systems as easy to use as possible, or allowing for updated reports once the incident is better understood. In order to provide a starting point for these discussions, the Cyber Threat Alliance, the Institute for Security and Technology, and six other organizations recently published a framework for developing such frameworks effectively. The global version of the Cyber Incident Reporting Framework can be found here.
Mandatory reporting regimes are coming to most jurisdictions in the next few years, whether businesses support the idea or not. If such regimes are set up properly, then businesses could reap clear benefits. Achieving this state is not a foregone conclusion of course; governments could theoretically implement reporting requirements that cause more harm than good, or create so many conflicting reporting regimes that businesses physically can’t comply with them all. Therefore, the business community must take this opportunity to shape these reporting regimes into a structure that will not only benefit governments and society, but individual businesses at the same time.