Continuous Reporting: An Emerging Trend in Cyber Regulations

Click here to listen to this article via the BreachRx Blogcast

It’s easy to see that data breaches are an increasingly common occurrence, with companies facing a constant threat of cyber attacks and malicious activities and major cybersecurity and privacy incidents reported in the news nearly daily. With their growing prevalence, governments around the world are enacting regulations and guidelines to ensure companies handle incidents and data breaches appropriately and protect their customers’ sensitive information. One of the most significant shifts in recent years is the move away from fixed deadlines for reporting data breaches, to continuous updates to regulators. Data breach regulations are changing rapidly in this direction, and there are significant implications for businesses globally.

Data breach regulations often included strict deadlines for reporting incidents to regulators. For example, one of the most well known is the EU’s General Data Protection Regulation (GDPR), which requires companies to report a data breach within 72 hours of becoming aware of it. Another, and lesser known, is the India CERT directive requiring companies to report most incidents within 6 hours. However, many cybersecurity regulators are realizing that this approach may not be the most effective, as a single deadline does not allow companies to fully understand the scope and impact of a breach before reporting it, nor gives them direct insight into the final outcomes. Also, according to more and more governments worldwide, these strict deadlines do not seem to be driving businesses to do more to proactively prepare for incidents effectively.

By requiring companies to provide more detailed and ongoing information to regulators, policymakers also intend to gain better awareness and depth of understanding into the nature of cyber threats, particularly those that are successfully penetrating businesses, and develop more targeted policies, technological approaches, and guidance to address them. They hope this will help reduce the overall risk of cyber attacks and protect their constituent businesses and consumers from the harm caused by these incidents. 

Regulators, instead, are shifting towards continuous reporting to address these and other shortcomings of the single deadline approach. 

The Rise of Continuous Reporting in Cyber Regulations

Continuous reporting is exactly what it sounds like: under this approach, companies are expected to provide regulators with multiple, regular updates as they investigate and address a data breach. This allows governments to better understand the scope and severity of an incident, and provide more targeted guidance and support to affected organizations. Continuous updates can also help regulators identify patterns and trends in cyber attacks, which can inform future policy decisions and guidance.

One of the most significant examples of this shift towards continuous reporting is the EU’s Network and Information Security (NIS) Directive. The Directive, which first came into effect in 2018, and the more recent NIS2 directive taking effect on January 16, 2023, requires companies in certain sectors to report cyber incidents to national authorities. The reporting requirements under NIS2 are divided into multiple stages, with companies required to provide an early warning within 24 hours of becoming aware of an incident, followed by an incident notification within 72 hours, and a final report within one month. This multi-stage approach allows regulators to capture initial information from companies more quickly and ensure they have more time to react, track, understand the impact of a breach, and decide if the incident warrants a deeper investigation or whether other organizations should be provided warning of the attack.

Similarly, the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has also emphasized the importance of continuous updates in its guidelines for incident response. While the reporting requirements for Cyber Incident Reporting for Critical Infrastructure Act of 2022 (also known as CIRCIA) are yet to be defined, the law is clearly designed to implement rules that will require companies to continue to inform CISA about their incidents repeatedly and as new information emerges. 

At the moment, CISA can only continue to recommend that companies provide regular updates to regulators throughout the incident response process, including details on the steps being taken to contain and mitigate the breach, as well as ransomware payments and any changes to the threat landscape or affected systems. Most cybersecurity experts expect continuous reporting to be codified by CISA’s rulemaking process starting no later than March 2024, reinforced by the recent publication of its Cross-Sector Cybersecurity Performance Goals (CPG) that “organizations maintain codified policy and procedures on to whom and how to report all confirmed cybersecurity incidents to appropriate external entities.”

Regulators have led the way when it comes to the contractual implications of incidents and data breaches–most contracts currently have notification requirements that were heavily influenced by GDPR’s initial rollout back in 2018. These frequently call for initial notification, ongoing auditing and reporting as needed, and in many cases access to a root cause analysis (or RCA) report. Companies up, down, and across their customer base, partners, and supply chain are dealing with more notification requirements in this vein.

Similarly, cyber insurers have also taken action to get in on the cycle of continuous reporting. The most frequent way these insurance companies are managing claim costs is by requiring pre-approval for expenses, which by design requires companies to report before they would notify others, even first. For example, requiring that when “the company first becomes aware of facts which would cause a reasonable person to assume that a Loss covered by this Policy has been or will be incurred… even though the exact amount or details of the Loss may not then be known,” the insurer creates a situation where they are being updated repeatedly during an incident. Insurers are also more often demanding rights to audit and review the activities taken in response to an incident. This gives them significant insight, and ultimately leverage, over compromised companies.

Given the position of power it puts the notified entity in over the organizations facing incidents, this trend toward continuous reporting will only expand moving forward.

Global Impact: What Continuous Reporting Means for Businesses

The shift towards continuous reporting has significant implications for businesses of all sizes. It clearly highlights the importance of being proactively prepared for incidents. Companies need to ditch the static, paper incident response plans currently considered good enough. Instead, companies need to preposition and practice so they can quickly identify and respond to cyber incidents, while also gathering and analyzing information to fully understand the scope and impact of a breach. 

In the same manner, companies must be prepared to more rapidly know which regulators and other stakeholders they will need to work closely with regulators throughout their incident response process. With over 180 relevant cybersecurity, data protection, and privacy regulations in 120 countries, and more on the way, and with the hundreds to thousands of contracts many organizations have signed, legal teams expecting to be able to address this with massed manual effort, throwing it at outside counsel, or both, is a path to business failure, not just for the emerging ongoing reporting requirements but just given the sheer expense, one cyber insurers are increasingly loath to pay claims for.

Organizations need to be ready to provide timely and accurate information to regulators, as well as engaging with customers, insurers, and other stakeholders to provide updates on the situation and steps being taken to address the breach. Failure to provide timely and transparent updates can damage a company’s reputation and erode customer trust, leading to long-term financial and reputational harm. In all cases, continuous reporting creates a situation where regulators, customers, contract parties, and insurance companies can evaluate whether they were notified appropriately, in their view, when the organization first became aware of greater liability during an incident, allowing them to take action more quickly in their favor. 

Ultimately, the shift towards continuous reporting will present challenges for many companies. The companies that choose to continue to wait and not effectively prepare, solely address compliance minimums, and rarely if ever practice, will struggle to keep up. And companies that think consultants and outside counsel can cover even an average incident for them will find they’ll need multiple firms to even have a chance to keep up and provide accurate and timely updates to regulators.This can be particularly challenging for smaller organizations with limited resources and expertise in cybersecurity. 

Continuous reporting being dictated in data breach regulations reflects a growing belief by regulators that traditional reporting deadlines aren’t effective for getting companies to address the risk from cyber incidents. The only approach here is to break the cycle of manual, largely reactive and extremely expensive approaches. Continuous reporting requires the relevant teams, including Security, Privacy, and Legal, to invest in new technologies with intelligence and embedded expertise. Organizations increasingly will need incident automation to truly achieve proactive readiness and resilience, prepositioned dynamic playbooks and guidance for navigating the complex and evolving regulatory landscape, and ongoing training, data collection, and reporting.

Companies need to adapt quickly, given two of the leading governmental bodies on cybersecurity issues have already spoken. More will soon follow.