
Cyber Security Elements by NSS

Kaseya. A practical guide for EMEA IT leaders (Part 2)

The prospect that your business may be targeted maliciously is sadly no longer an edge case but an everyday reality facing any modern business. No matter your size or profile, bad actors will exploit opportunities to take your business hostage for financial gain.

In part one we discussed how the NIS2 legislation places great importance on business continuity, and how the right processes and backup tools help you respond to ransomware and other cybersecurity incidents.

However, there is another crucial part of any security response: you may be obliged to report the breach to the authorities. Here we look at some of those obligations.

While it may be tempting to focus solely on resolving the breach, the reporting clock usually starts the moment you become aware that your systems have been compromised. The deadlines are stringent, so who reports what, to whom and by when is not something to work out mid-incident. It needs to be embedded in your processes, with clear ownership of each reporting duty.

The clock is ticking — it’s time to report the breach

It’s important to remember that in some cases you must notify the relevant body within 24 hours of becoming aware of an incident, and in some scenarios within as little as four.

Here is the key legislation that may affect your organisation.

GDPR/UK GDPR – 72 hours

Who: Any data controller established in the EU or UK respectively, or offering goods or services to, or monitoring the behaviour of, individuals there.

If you discover a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, the relevant supervisory authority (the ICO in the UK) must be notified within 72 hours of you becoming aware of it. Where the risk to individuals is high, the affected individuals must be told as well, without undue delay.

That may be an intentional breach of your systems that gave access to customer data, or an accidental issue such as the loss of a hard drive containing personal data. The key judgement is whether individuals may be adversely affected by the consequences.

If you’re in doubt as to whether your incident reaches the reporting threshold, start the countdown anyway and err on the side of caution. Record everything you do as part of your response, including your reasoning if you decide not to notify, since GDPR requires you to document every personal data breach whether or not it is reported, and make contact with the authority before the 72 hours are up.

NIS2 – 24 hours

Who: NIS2 is EU legislation focused on organisations it classes as “essential” or “important” entities, to minimise disruption to vital sectors and infrastructure. However, you may be indirectly affected if you are a key part of the supply chain of a company that does fall under NIS2.

For significant incidents, an early warning must be submitted within 24 hours of becoming aware of the incident to the member state’s CSIRT (computer security incident response team) or competent authority. A full incident notification must then follow within 72 hours, and a final report within one month.

If you are a supplier to a NIS2 entity, you don’t have a direct requirement to report an incident to the authorities, but you should let your customer know so that they can meet their own deadlines, and the timeframe for doing so may be specified in your contract.

The UK has its own NIS Regulations, under which a report must be made to the relevant competent authority (the sector regulator, or the ICO for digital service providers) within 72 hours of any incident that has a substantial impact on the provision of the company’s services.

DORA – 4 hours

Who: Financial entities doing business within the EU. That includes (but is not limited to) banks, insurers and payment institutions. However, much like NIS2 extends beyond the companies under its direct remit, DORA also brings critical ICT third-party service providers within its scope.

Only major ICT-related incidents have to be reported. Once an incident has been classified as major, the initial notification is due within four hours of that classification, and in any case no later than 24 hours after you became aware of the incident. In practice, the longer it takes to classify the incident, the less of the 24-hour window remains.

An intermediate report is then due within 72 hours of the initial notification, and a final report within one month of the intermediate report.

Other legislation

There are other regional requirements, with countries such as the UAE and Saudi Arabia each having their own Personal Data Protection Law (PDPL). This highlights the need to understand the legislation in every country you operate in, and to accept that the required response may differ depending on location.

The potential trifecta of reporting

For some companies it may be that a single breach has to be reported to the GDPR, NIS2 and DORA authorities. Each has a different reporting pathway, a different trigger threshold and a different timescale.

This highlights the very real need for clear processes, with clear responsibilities outlining who does what and when. The ramifications of not having them could be costly.

Remember, the authorities are there to help

While they can impose hefty fines for serious and wide-reaching breaches, it’s important not to see the relevant authorities solely as enforcement bodies. By notifying them quickly, you give them the chance to help you navigate the potential implications and mitigate the damage. For companies in the EU, the relevant bodies can also help with cross-border coordination.

As the ICO explains for GDPR breaches, “It’s understandable if you’re concerned about what happens next. But we’re here to help you understand what happened and to prevent it happening again.”

It’s all part of incident management

These reporting requirements sit at the core of effective incident management. They ensure all team members are on the same page, support rapid decision-making and help track the progress of incident resolution.

If a breach is reported to an authority, you may be called upon to demonstrate everything you did, step by step, to identify and resolve the issue. You may also be asked for evidence of what you did in the months leading up to the incident.

As such, you need the right tools in place to document your processes and systems, and to demonstrate not only that you hold the data required, but also how you use it to manage risk within your business. Find out how IT Glue, with its robust documentation capabilities, can help you navigate your response to an incident.

Source: Kaseya