Some CISOs, under immense pressure, choose to stay silent. Unfortunately, this decision can have severe consequences—not just for the organization, but also for the CISO personally.
The Temptation to Stay Silent
There are many reasons why a CISO might hesitate to report a breach to the authorities:
· Fear of damaging the company’s reputation
· Pressure from executives who want to "handle it internally"
· Uncertainty about whether the breach qualifies as reportable
· A belief that fixing the issue quickly will negate any legal obligations
While these concerns are understandable, withholding breach information is a high-risk move that can backfire spectacularly.
Legal Consequences: What the Law Says
In the EU, the NIS2 Directive and GDPR impose strict breach-reporting obligations. GDPR, for instance, requires organizations to notify the relevant supervisory authority within 72 hours of becoming aware of a breach if personal data is involved. Failure to do so can lead to massive fines—up to €20 million or 4% of global annual turnover.
For CISOs, the stakes are personal. Recent cases, like the Uber CISO’s conviction in the U.S., show that authorities are willing to hold security leaders accountable for covering up breaches. With NIS2 strengthening regulations across the EU, this level of personal liability is becoming a reality for more CISOs.
Real-World Examples: CISOs Who Paid the Price
Joe Sullivan (Uber) – The former Uber CISO was convicted for failing to disclose a 2016 data breach that exposed the data of 57 million users. Instead of reporting it, Uber paid hackers $100,000 to keep quiet. Sullivan was found guilty of obstruction and misprision of a felony, making him one of the first CISOs to face criminal charges.
Equifax Breach (2017) – Equifax’s failure to disclose a massive breach affecting 147 million people led to a $700 million settlement with regulators. While the CISO did not face criminal charges, the company’s handling of the incident resulted in immense reputational damage.
Yahoo (2013-2014 Breach) – Yahoo suffered multiple breaches but did not disclose them until years later. This led to a $35 million SEC fine and a $350 million reduction in its acquisition price by Verizon, severely impacting its market value.
Capital One (2019 Breach) – The CISO and security team came under scrutiny when a former employee exploited a vulnerability, exposing 100 million customer records. Though the breach was eventually disclosed, the company faced lawsuits and regulatory penalties.
Business Impact: The Cost of Silence
Beyond legal consequences, failing to report a breach can cause long-term business damage:
Loss of Customer Trust – Customers expect transparency. If they find out a breach was hidden, they may take their business elsewhere.
Reputational Damage – Once a cover-up is exposed, it can do more damage than the breach itself.
Regulatory Scrutiny – Authorities take a firm stance on non-disclosure, leading to investigations, audits, and even operational restrictions.
Executive Fallout – The CISO is not the only one at risk; CEOs and board members can also face consequences.
A Better Approach: Transparency and Preparedness
Rather than fearing breach disclosure, CISOs should focus on preparedness and response:
· Develop a clear incident response plan that includes legal and regulatory reporting obligations.
· Engage legal and compliance teams early to determine whether an incident is reportable.
· Communicate openly with executives about the risks of non-disclosure.
· Work with authorities proactively to demonstrate due diligence and avoid harsher penalties.
Final Thoughts
As cybersecurity leaders, we must acknowledge that breaches happen. What truly defines a CISO’s success is not preventing every attack, but handling incidents responsibly. The short-term discomfort of reporting a breach is far better than the long-term consequences of hiding one.
Transparency is not just a legal requirement—it’s a business imperative.