New Cyber Incident Reporting: The Inevitability of Bad News

The law firm Ballard Spahr LLP recently released an interesting report, “Financial Institutions Face Increasingly Stringent Federal Breach Reporting Requirements,” which describes a rapidly growing thicket of cyber incident reporting requirements imposed by regulators. Banking organizations regulated by the U.S. Federal Reserve, FDIC or OCC; entities in the critical infrastructure sector; financial institutions under FTC jurisdiction; large hedge fund and investment advisors; and public companies subject to reporting requirements of the SEC Act of 1932 are all now, or soon will be, required to report to the aforementioned alphabet soup of government agencies whenever a cyber incident occurs, and within very short timeframes, some as little as 24-36 hours.

While imposing onerous new regulatory requirements that will almost certainly create significant compliance costs for a broad range of companies, the government regulators offer exactly zero new solutions or palliatives to address the underlying cyber threats that make such reporting necessary in the first place. So companies are left to their own devices to deal with significant continuing cyber threats, and will now also have to deal with the inevitable bad news generated by the new reporting requirements and the impact it will have on company share price and reputation.

Onerous new regulatory requirements will not reduce or eliminate cyber threats and intrusions by hostile actors. What will? At QWERX, we believe in fundamentally changing how network message traffic is secured in a way that will eliminate external cyber intrusions. Eliminating those threats will eliminate the incidents that require reporting, vitiating all those new US Government cyber regulations. Interested in learning more? Contact us at qwerx.co, and we’ll explain our revolutionary new cybersecurity approach.
