“As a consultant, I’ve heard of many CISOs being asked not to share details of an incident, or not to share that an incident had occurred,” Marlatt said. “With the increase in ransomware events and the need to bring in external parties for digital forensics and incident response or to submit insurance claims, it’s becoming much more difficult to hide these impactful incidents.”
Silence isn’t golden
Caroline Morgan, partner at CM Law, acknowledged that “internal company pressure to stay silent is real,” while warning that regulators not only expect but require disclosure of security incidents.
“Legally, by staying silent a business is likely only aggravating its problems, not escaping them,” Morgan said. “The price to pay can be devastating because now it is not just the breach, it is also the cover-up.”
