When a business is hit with ransomware (notice I said "when," not "if"), it is very tempting to sweep the incident under the rug and tell no one. Businesses weigh the implications of the incident becoming publicly known: lawsuits, loss of clients, or a whole host of other consequences that could be highly detrimental. Ultimately, though, staying silent does a disservice both to your business and to the greater community.
It is better to come clean than to cover the incident up, because, as with all things, the truth tends to come out eventually. When it does, the damage to the business will likely be substantially greater, because the business now carries the additional burden of everyone knowing it tried to hide the incident. In the end, the impact of hiding an incident may be far worse than the impact of reporting it. Your business may also already fall under, or eventually fall under, legal or regulatory requirements to report the incident (sector-specific or state breach-notification laws, for example), particularly if your business is in what is called a "critical infrastructure" industry.
Currently, such reporting by critical infrastructure industries is largely voluntary, but it will become legally required as a result of the recent passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Right now, CIRCIA is in the rulemaking process; once CISA's final rule takes effect, covered entities will have to report covered cyber incidents to CISA within 72 hours and ransom payments within 24 hours, and all critical infrastructure businesses will need to follow the rules in place. In the meantime, it is still a best practice for a business in a critical infrastructure industry to report cyber incidents, and ransomware incidents can already be reported to CISA or to the FBI.
Now, which businesses are considered critical infrastructure? There is an official list of 16 critical infrastructure sectors on the Cybersecurity and Infrastructure Security Agency (CISA) website. However, it could be argued that every industry is critical, because no business operates in a vacuum. Each one interacts with other organizations, and one weak link in the chain could bring down significant infrastructure because of this interdependency.
It is important for all businesses to be transparent and share information about cyber incidents so that the entire community benefits, learning from each incident and making every organization that much stronger. Transparency also places your business in a better light, showing that it values openness and operates in the public interest. Moreover, being transparent may help mitigate many of the repercussions of a cyber attack, so it may be beneficial to your business in the long run. Your business may very well be stronger for it.