Cyber-security attacks that are becoming more and more common among various types and sizes of organizations may have serious effects on electronic communication networks, provision of services, and national security. Although significant breaches that affect many users or extensively disrupt the functioning of an organization usually receive extensive media coverage, smaller security incidents may remain unreported to the public. This can occur because of several reasons. For example, the affected organization may become aware of the incident later, it considers the incident insignificant (e.g., no personal data has been accessed), the local law does not impose requirements on reporting cyber-attacks, or, after conducting balancing tests, the reporting of the incident will cause substantial damages. Nevertheless, in practice, late announcement of cyber-security incidents may be beneficial only in a small number of very specific and selective cases. In most cases, late announcement of incidents may cause significant reputational harm and possible legal liabilities. If you would like to read the entire article, please click here.