To Disclose or Not to Disclose
An Article Review
Questions about when to disclose a cybersecurity incident can involve many different factors, both legally and ethically, and even involve multiple regulatory agencies depending on the business that you’re involved in. As the number of incidents continues to climb, though, some agencies are trying to take a stronger stance on the matter.
One such incident involved the Sunburst attack that impacted SolarWinds in 2019, which led to thousands of organizations being compromised. As the incident involved multiple government agencies, the Securities and Exchange Commission brought a lawsuit against SolarWinds in October, alleging they did not disclose the security incident in a timely fashion.
A court recently struck down a large portion of the SEC’s case against SolarWinds, a case that some experts worried could have created a “chilling effect,” preventing organizations from probing for security issues if they would then face liability for them. However, the case was not entirely dismissed, with charges still remaining regarding SolarWinds’ alleged misrepresentation of the security of their software.
While much of the case against SolarWinds was struck down, the SEC’s action shows that more regulatory agencies are taking the issue of disclosure (or the lack thereof) seriously. Ultimately, the question of disclosure will come down to you, your regulators and your lawyers, but the risk presented by not disclosing is now higher than ever.
Original article by Tim Starks writing for CyberScoop
This Article Review was written by Vigilize.
Matt Jolley is the current Vigilize; he is also the recipient of the 2023 Cyb3rP0e+ designation!
