Tag Archives: Tristan Lockwood

Lessons from The Financial Stability Board’s Report on Cyber Incident Reporting

by Luke Dembosky, Avi Gesser, Erez Liebermann, Kristin Snyder, Charu A. Chandrasekhar, and Tristan Lockwood


From left to right: Luke Dembosky, Avi Gesser, Erez Liebermann, Kristin Snyder, Charu A. Chandrasekhar, and Tristan Lockwood (Photos courtesy of Debevoise & Plimpton LLP)

Big businesses, especially those with a global footprint and operating in regulated sectors, are increasingly confronted with new and diverging cyber incident reporting requirements. A single incident—even a relatively minor one—may require notification to dozens of data protection, cyber, law enforcement, and sectoral regulators around the world, in addition to insurers, customers, and counterparties. Not only do many regulatory reporting obligations have materially different triggers, but significant variation also exists in reporting timeframes, content requirements, and subsequent regulatory engagement practices. The cumulative effect of this regulatory spiderweb of red tape is often to divert attention and resources away from substantive incident response and remediation, and to create a bureaucratic vortex for compliance and legal personnel. To make matters worse, businesses cannot simply hire their way out of this morass. With a shortage of roughly 3.4 million information security professionals, when regulators force too much attention onto incident reporting they are invariably diverting eyes from actual information security.


EU Digital Operational Resilience Act (DORA): Management Obligations and the Role of the Board

by Robert Maddox and Tristan Lockwood


From left to right: Robert Maddox and Tristan Lockwood (photos courtesy of Debevoise & Plimpton LLP)

Back in November 2022, we highlighted the enactment of the EU’s Digital Operational Resilience Act (“DORA”), which will impose far-reaching operational resilience requirements and Board oversight requirements on almost all financial services firms regulated in the EU, including banks, insurers, payment services providers, crypto asset custodians, and fund managers, among many others. DORA also regulates critical service providers, which for the first time will be directly regulated by EU financial services regulators. In this article, we take a closer look at the obligations DORA imposes on the Boards of covered entities.
