Breach Reporting & The Need for More Transparency

Melissa Stevens | January 31, 2014

Fact: due to inconsistent breach regulation and reporting standards, when a breach occurs, consumers and businesses can't assume that they will always be notified.  

In an article published in SC Magazine, Stephen Boyer exposes the "Fuzzy Math" around breach regulation and reporting.  He raises the call for a national standard that would define exactly what incidents need to be reported and require consistency in the type of details revealed.  The article explains that currently, each state is left to determine what is reported and when, which means in many cases, smaller incidents remain undisclosed and there is no true count of how many breaches have occurred or the number of records impacted.

Furthering this call, a blog post by Oren Falkowitz points out that even in major breaches, details can be hard to come by.  He reveals that as of January 28, 2014, Target still had not disclosed the details regarding their breach to the SEC. His post goes on to question whether we would know so much about this breach if it hadn't been reported in the national media, which often is the case with smaller incidents.

Both of these articles point out that until national standards are adopted, we are left in the dark when it comes to understanding the magnitude of cyber threats and how we can defend ourselves against them.  As Stephen states in SC Magazine, consistent reporting will allow us to build more accurate risk models, which will in turn "enable risk managers, policy makers, cyber insurers and consumers to make more educated decisions on how to manage cyber risk. As cyber risk is priced into purchasing and partnership decisions, organizations will be incentivized to improve their security and become better at notifying the relevant parties of an incident or breach. Transparency and accountability will breed improved security, which will benefit all."

What are your thoughts on this issue?
