The tangled web of cybersecurity incident reporting guidelines

August 15, 2025

Reporting cybersecurity incidents involves wading through complex and often conflicting guidelines
(Credits: insta_photos/Shutterstock)

As the frequency and intensity of cyberattacks continue to grow, a number of agencies are taking steps to tighten up guidelines around incident reporting. Taken as a whole, the various sets of guideline changes are intended to promote stronger defensive measures, increase accountability around data breaches, and warn customers and investors of potential harm in a more timely manner.

While IT security experts generally applaud the intention of these measures, many acknowledge there are some discrepancies between various sets of guidelines. The discrepancies have caused confusion among some IT security pros at the organizational level, and occasionally some pushback at an association level.

For example, recent testimony before Congress on “Enhancing Cybersecurity by Eliminating Inconsistent Regulations” included discussion of the fact that there are now at least eight different sets of cybersecurity incident regulations that apply to financial services firms. As an organization attempts to comply with one set, it may fall out of compliance with another.

Over the past several months, several groups and associations have asked that recent changes to cybersecurity incident reporting guidelines be revisited, or better yet, combined into a single set of recommended best practices for all organizations, no matter the industry.

Confusion and angst over recent incident reporting guideline changes

Among the loudest complaints about recent guideline changes are concerns about the short window allowed for reporting an incident, the mandate on who must be informed, and what must be revealed in a report.

For example, one criticism of short-term reporting requirements is that organizations must publicly disclose their vulnerability to attack while they’re still investigating it. The concern is that the revelation immediately increases subsequent vulnerability – in effect putting a target on an organization’s back and announcing, “Hey, I have been attacked. The attack was successful. I am vulnerable. Why not test me again?”

On the other hand, those supporting recent changes argue that customers and investors deserve to know immediately when an organization – and potentially their data – has been compromised. After all, many firms have historically been quite lax at reporting such events in a timely manner over fears of what that could do to their brand.

“This is a valid concern; however, there is sufficient flexibility in the regulations to find the right balance between appropriate disclosure and too much information about an ongoing incident,” says Fayyaz Makhani, global security architect at VikingCloud, a cyber defense and compliance provider.

To better understand the concerns over contradictions among guidelines, here are the highlights of recent significant cybersecurity incident reporting requirement changes or proposals:

The Securities and Exchange Commission (SEC) guidelines

On May 16, 2024, the SEC adopted final amendments to its Regulation S-P, which established new cybersecurity incident and data breach notification requirements for covered financial institutions. That adoption came on the heels of a broad set of updated public company cybersecurity disclosure rules in 2023.

The sticking point for some: “The December 2023 implementation of the SEC’s Public Company Cyber Disclosure Rule mandates that public companies disclose material cybersecurity incidents within four business days of determining materiality,” explains Aaron Pinnick, director of thought leadership at ACA International.

The key word here is “material.” In the SEC’s usage, an incident is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision. The likelihood that customers or investors have had their data compromised, and been harmed as a result, is part of that assessment rather than the whole test, and the four-business-day clock starts at the materiality determination, not at discovery of the incident.

As noted by Christian Auty, partner and U.S. data and security lead at New York law firm Bryan Cave Leighton Paisner (BCLP), an organization may not yet know much about a breach it has suffered in that short time frame. It may not even know if the threat is still ongoing.

Taking a different view, Makhani says, “The SEC’s decision to require companies to disclose material cybersecurity incidents within four business days appears prudent. This proactive approach enhances risk management and fosters confidence in the market.”

The Cybersecurity and Infrastructure Security Agency (CISA) guidelines

The Cybersecurity and Infrastructure Security Agency is poised this fall to finalize a rule, under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), requiring covered critical infrastructure entities to report covered cyber incidents within 72 hours of reasonably believing that an incident has occurred. CISA coordinates threat intelligence and information sharing among the critical infrastructure sectors.

Not so fast, say the American Bankers Association (ABA), the Bank Policy Institute (BPI), the Institute of International Bankers (IIB) and the Securities Industry and Financial Markets Association (SIFMA). In a joint letter, the four groups raised concerns that the 72-hour plan “risks straining the U.S. financial system’s cyber defenses,” and that “CISA is moving forward with another requirement that prioritizes routine government reporting over the security needs of firms.”

Critics of the current guidelines also raise concerns over their scope and the potential for over-reporting. U.S. Senator Gary Peters (D-MI) has argued that the broad scope of the proposed rules could encompass a large number of entities not traditionally viewed as critical infrastructure, leading to excessive reporting of incidents with limited impact on national security.

But again, the proposal has its supporters. “Whether 72 hours is a reasonable, doable, or desirable timeframe will depend largely on organizational capacity and capability,” Makhani says. “Those organizations that have leadership, robust processes, and sufficient training will be able to address the incident in the timeframe. Moreover, this push by CISA may encourage more organizations to build capacity.”

The National Institute of Standards and Technology (NIST) guidelines

NIST provides guidelines and frameworks for incident handling, notably its Computer Security Incident Handling Guide (SP 800-61), that emphasize the importance of a robust incident response plan. NIST’s guidance is voluntary rather than regulatory: it recommends that organizations clearly define cybersecurity roles and responsibilities, communication methods, step-by-step procedures for various types of incidents, and contact information for all internal and external stakeholders, and that the plan record the external reporting obligations and deadlines that apply to the organization. NIST itself imposes no 72-hour reporting window; that figure comes from regulators such as CISA and from laws such as the GDPR.

Another concern is potential redundancy and the burden on individual companies. For example, with over 50 existing federal breach reporting rules, adding more requirements could create a fragmented and complex regulatory landscape, increasing compliance burdens without a clear improvement in cybersecurity outcomes.

The General Data Protection Regulation (GDPR) guidelines

The General Data Protection Regulation is a European Union law focused on protecting the personal data of individuals within the EU and EEA. GDPR aims to give individuals more control over their data, and to standardize data protection laws across the EU.

The GDPR’s breach notification requirements resemble those the SEC has adopted, and they draw similar criticism. The GDPR’s 72-hour clock starts as soon as an organization becomes aware of a personal data breach and governs notification to the supervisory authority. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be notified without undue delay, including a description of the likely consequences of the breach. The challenge for many organizations is establishing who is affected and what the consequences are within that window.

As Auty noted, it may be very difficult for an organization to determine all of that within the required reporting timeframe.

Steps to improve guidelines while satisfying critics

In light of some of this pushback, these and other related agencies have several options in how to respond, says Erik Gerding, a partner at global law firm Freshfields. They include abolishing the cyber-incident reporting requirement; dialing back the information that must be disclosed; or changing the timing of the incident disclosure from three or four business days after a materiality determination to disclosure in a public company’s quarterly or annual report.

“Having rulemaking be driven by data is always important,” Gerding says. “But agencies face a challenge in that, in the absence of disclosure or reporting, data on cyber incidents is very, very hard to come by. So there is an egg-and-chicken problem.”

Pinnick offers the following advice to the various agencies on how to improve reporting guidelines overall, and head toward a single set of regulations:

  • Provide additional guidance on materiality – On the SEC guidelines in particular, the agency should issue more detailed guidance and examples around incident materiality, especially as it relates to incidents that involve multiple non-material events, Pinnick says.
  • Identify the most useful information – As regulators at each agency evaluate the information they receive from companies reporting incidents, they should evaluate what information is actually useful for investors and the public, Pinnick says. This may require companies to provide more information than currently required, or it may allow firms to avoid providing information that isn’t helpful. Regardless, the SEC and other regulatory bodies should periodically assess and update the information that firms are required to provide to ensure it focuses on what the public needs to know.
  • Harmonized reporting – As cybersecurity regulations continue to grow and expand – in the USA as well as internationally – firms face different reporting timelines for incidents, with different reporting requirements, Pinnick explains. While this is understandable, it places additional burdens on firms to manage multiple regulatory reporting flows during a short and critical period of the firm’s incident response. Instead of focusing on responding to the incident, companies may lose time and focus shifting their attention to regulatory reporting.

Ideally, the SEC, CISA, and other regulatory bodies would work together to establish consistency in reporting requirements, timelines, and formats, Pinnick says.

Finally, Gerding poses the following questions that would remain for policy makers if these rules were to change or even vanish: “What kind of information would be necessary for coordinating public and private responses to cyber threats? And what information do investors want and need to understand the risks to the companies they invest in?”


David Weldon
David is a freelance editor, writer and research analyst from the Boston area. He has worked in a full-time senior editorial capacity at several leading media companies, covering topics related to information technology and business management. As a freelancer, he has contributed to over 100 publications and web sites, writing white papers, research reports, online courses, feature articles, executive profiles and columns. His special areas of concentration are in technology, data management and analytics, management practices, workforce and workplace trends, benefits and compensation, education, and healthcare.