The new normal of silent breaches: Why disclosure lag is becoming the biggest blind spot in cyber risk

CybersecurityHQ - Free in-depth report


In the first half of 2025, something unprecedented happened in cybersecurity. Organizations reported 1,732 data compromises, a 5 percent increase that put the year on track for a record. Yet notifications to affected individuals collapsed by 85 percent, from 1.7 billion to just 166 million. This wasn't a victory against cybercrime. It was evidence of a systemic market failure that threatens the foundation of collective cyber defense.

The scale of concealment defies conventional risk models. When VikingCloud surveyed cybersecurity leaders across industries, 48 percent admitted they hadn't reported material breaches to their own senior management. Among these, 86 percent had withheld information about multiple incidents. In parallel, 71 percent of organizations reported experiencing more frequent attacks, while Allianz Commercial projects approximately 700 cyber insurance claims for 2025, consistent with previous years. The divergence between actual incident rates and reported breaches has created what amounts to a cyber risk black hole, where the gravitational pull of liability, insurance requirements, and regulatory complexity prevents information from escaping.

The Identity Theft Resource Center's analysis quantifies this opacity. Despite data compromises tracking toward a record year, 69 percent of public breach notices failed to include root cause or attack vector information, up from 65 percent in 2024. Organizations aren't just delaying disclosure; they're eliminating substance from what little they do disclose. When seven out of ten breach notifications omit basic facts about how the attack occurred, the information ecosystem hasn't just degraded. It has functionally ceased to exist.

The Tale of Two Strategies: Colonial Pipeline vs. MGM Resorts

The contrast between operational necessity and strategic choice in breach disclosure is starkly illustrated by two landmark incidents: Colonial Pipeline's forced transparency and MGM Resorts' costly resistance.

Colonial Pipeline: When Operations Dictate Disclosure

The Colonial Pipeline ransomware attack in May 2021 demonstrates how critical infrastructure breaches eliminate the option for strategic silence. The attack sequence began with data exfiltration of approximately 100 gigabytes on May 6, 2021, by the DarkSide ransomware group. The pivotal decision came on May 7 when Colonial Pipeline's leadership, fearing ransomware could spread from IT to operational technology networks controlling the pipeline itself, proactively shut down all 5,500 miles of operations.

This operational shutdown instantly transformed a corporate cyber incident into a national crisis. The company had no choice but to issue its first public statement on May 8, acknowledging the cybersecurity attack. The FBI was formally notified on May 7 and publicly confirmed DarkSide's involvement by May 10. Colonial Pipeline paid the $4.4 million ransom (75 bitcoin) within hours of the attack, though pipeline operations didn't fully resume until May 12.

The company issued daily, sometimes twice-daily status updates from May 8 through May 13. This continuous information stream was essential for managing public anxiety as fuel shortages and panic buying gripped the U.S. East Coast. The incident involved coordination with the FBI, CISA, Department of Transportation, Department of Energy, and Environmental Protection Agency.

CISA Director Jen Easterly later praised this approach: "Colonial's prompt notification allowed us to mobilize and ultimately claw back $2.3 million of their ransom. It's a powerful example of why we need that partnership." The Colonial Pipeline incident proves that attacks on core operational technology remove the option for strategic silence. The public impact becomes the disclosure.

MGM vs. Caesars: A Real-World A/B Test

The near-simultaneous attacks on MGM Resorts and Caesars Entertainment in September 2023 offer a rare controlled experiment in disclosure strategies. Both casino giants were targeted by the same group, Scattered Spider, using similar social engineering tactics.

Caesars suffered its breach around September 7, 2023, when hackers compromised an IT support vendor and obtained access to the loyalty program database. Caesars chose the quiet path: they negotiated with the attackers and paid approximately $15 million in ransom. On September 14, Caesars filed a detailed 8-K with the SEC disclosing the social engineering attack and confirming customer data compromise, but framing it as non-material to financial results. The disclosure came after the incident was fully contained. Caesars' stock saw minimal movement, and operations continued uninterrupted.

MGM Resorts faced its attack on September 10, 2023. In stark contrast, MGM refused to pay the ransom and collaborated with the FBI. The consequence was severe and highly public: ransomware crippled critical systems across MGM properties for over 10 days. Slot machines, electronic door locks, payment systems, and reservation systems all went offline. MGM had no choice but to acknowledge the "cybersecurity issue" immediately through press releases and social media, providing daily updates as it worked to restore operations.

The financial impact was dramatic. MGM later disclosed approximately $100 million in losses from the disruption. When MGM filed its required 8-K on September 12, it provided minimal detail, simply stating they had identified a cyber issue and were investigating. Security experts noted that "MGM's 8-K is under-disclosing details. Caesars' disclosure is more in line with the spirit of the regulation."

This natural experiment demonstrates the trade-offs. Caesars accepted immediate financial cost ($15 million ransom) to ensure operational continuity and narrative control. MGM chose principle over pragmatism, absorbing massive operational and reputational damage to avoid paying criminals. The divergence offers boards a critical case study in weighing financial loss, business disruption, public perception, and ethical considerations.

The Insurance Industry's Calculated Capture

The transformation of incident response from technical remediation to legal theater began with a single contractual requirement that appears in virtually every cyber insurance policy: notify the carrier within 24 to 72 hours or lose coverage. This clause has restructured the entire incident response ecosystem.

The financial mathematics are compelling. The global average breach cost reached $4.44 million in 2025, but U.S. organizations face average costs of $10.22 million. Healthcare organizations confront even steeper costs at $10.93 million per incident. Without insurance coverage, these costs become existential threats.

The insurance industry's profitability data reveals why carriers have become so powerful. According to Fitch Ratings, U.S. cyber insurers collectively recorded a 47 percent direct loss and defense cost ratio in 2024, meaning only 47 cents of claims per dollar of premium. Individual carriers show even better results: Chubb maintains a combined ratio around 47 percent, while AIG operates at approximately 66 percent. Beazley, despite earlier struggles, achieved an 89 percent combined ratio by 2022, with cyber premiums growing 42 percent year-over-year.

But here's the critical statistic: only 26 percent of cyber insurance claims resulted in payment in 2024, down from 35 percent in 2023. The remaining 74 percent were either denied for coverage issues, fell below deductibles, or were withdrawn. Common denial reasons include non-compliance with security warranties (44 percent of denials), policy exclusions, and late notification.

The process following breach discovery has become ritualized. The insurer deploys a "breach coach" from their pre-approved panel. Major carriers maintain exclusive relationships: Chubb primarily uses Mullen Coughlin LLC, AXA XL works with Lewis Brisbois Bisgaard & Smith LLP, Travelers engages Baker McKenzie and DLA Piper, while Beazley partners with BBB Law. These firms control the entire response through attorney-client privilege.

A real-world example crystallizes the stakes. In 2020, a manufacturer had its claim denied because it failed to implement multi-factor authentication as warranted in its policy application. The denial letter, which became public in litigation, stated: "Coverage is precluded because the Insured did not have multifactor authentication enabled for all privileged accesses, as warranted in the policy application. Therefore, the claim arising from the ransomware incident of May 1, 2020, is denied."

Thomas Reagan, Cyber Practice Leader at Marsh, explains the dynamic: "We had a client call us the day they discovered ransomware, even before it went widespread. By looping in insurer-provided breach coaches and forensics immediately, they not only averted bigger damage but also ensured the claim process went smoothly. The claim was paid in full quickly. Contrast that with a client who tried to tough it out alone for a week and then came to us. It complicates everything."

The Transparency Success Formula

While most organizations race toward opacity, companies that have embraced radical transparency demonstrate measurable benefits that challenge conventional wisdom about breach disclosure.

Cloudflare: Market Resilience Through Transparency

Cloudflare has built its brand on technical excellence and transparent communication. When the company experienced a one-hour outage in June 2025 that briefly knocked its stock down 5 percent, it immediately published a detailed technical analysis of causes, fixes, and prevention measures. The stock quickly recovered, and despite multiple public incident reports, Cloudflare delivered a 132 percent return over the following year, dramatically outperforming the market.

The company's approach was tested again in September 2025 when it was impacted by a third-party breach at Salesloft/Drift. After being notified on August 23, Cloudflare conducted a thorough investigation and published a detailed blog post on September 2, explaining the incident's impact and confirming they had rotated 104 exposed API tokens. On the day of disclosure, Cloudflare's stock closed at $208.05. Rather than declining, it rose through the rest of the week.

This pattern of transparency breeding trust appears consistently. When a dashboard and API outage occurred on September 12, 2025, Cloudflare published a deep technical analysis the next day. The stock closed at $221.32 on the day of the outage and rose to $226.01 within three days.

GitLab: Customer Retention Through Radical Openness

GitLab's commitment to transparency reached legendary status during its 2017 database incident. An engineer accidentally deleted production data, and rather than hiding the error, GitLab live-blogged the entire recovery effort. The company published a comprehensive postmortem detailing five separate backup failures and created dozens of public issue tracker tickets so anyone could follow their improvements.

The financial metrics validate this approach. GitLab's Dollar-Based Net Retention Rate, which measures revenue change from existing customers, tells a compelling story:

  • Q1 Fiscal Year 2025: 129 percent

  • Q3 Fiscal Year 2025: 124 percent

  • Q2 Fiscal Year 2026: 121 percent

These figures mean existing customers not only stayed but significantly increased their spending. GitLab's CISO later noted that not a single major customer left due to the breach; many cited the company's candor as a reason for staying.

Twilio: The Gold Standard Response

When Twilio suffered a phishing attack in August 2022 affecting 163 customers (later revised to 209), its response became a masterclass in transparency. Within three days of confirming the incident, Twilio published a detailed blog post including screenshots of the phishing texts and committed to continuous updates. Over the next two months, Twilio issued multiple public updates, culminating in a final incident report with full findings and lessons learned.

The market response was telling. While Twilio's stock initially dipped on news of the hack, it recovered as the company's forthright handling became evident. Analysts noted that Twilio's swift, transparent response likely prevented a larger selloff. Key clients like Signal Messenger praised Twilio for prompt notification that allowed them to alert end-users.

The company's tone proved critical. Their statement read: "Trust is paramount at Twilio. We sincerely apologize that this happened. We will of course perform an extensive post-mortem." This humility and responsibility turned a potential crisis into a loyalty-building moment.

The Criminal Transparency Paradox

The most surreal aspect of modern cybersecurity is that ransomware gangs now provide superior breach intelligence compared to victims. They maintain professional leak sites with RSS feeds, countdown timers, and proof packages. They've become more reliable than corporate disclosures or regulatory filings.

The LastPass breach sequence epitomizes this dysfunction. In August 2022, LastPass announced unauthorized access to its development environment, assuring users that customer data and vaults were untouched. The company repeated these assurances on September 15. But on November 30, LastPass admitted an intruder had accessed "certain elements" of customer information. The devastating truth emerged December 22: attackers had copied backup customer vault data, including encrypted passwords and unencrypted metadata.

Meanwhile, criminals provided clearer information. RansomHub published details of Manpower's 500GB data theft while the company spent six months "investigating." The criminals provided file listings, sample downloads, and specific data types, achieving transparency the victim never matched.

This inversion appears in the metrics. Q1 2025 saw 2,241 ransomware leak site postings versus 1,485 in Q2, yet the Verizon DBIR reports ransomware involvement in 44 percent of breaches, with 96 percent discovered through actor disclosure rather than internal detection. Organizations literally learn about their own breaches from criminal announcements.

The Regulatory Labyrinth

The regulatory landscape has become a complex arbitrage opportunity rather than a framework for transparency. Each jurisdiction's requirements create new avenues for strategic delay.

United States: The Materiality Game

SEC Chair Gary Gensler stated clearly: "Cyber incidents, unfortunately, happen a lot. When material incidents occur, they can have a range of consequences, and investors have a right to know." Yet the SEC's four-business-day disclosure rule contains a critical loophole: the clock doesn't start until companies "determine" materiality.

Erik Gerding, Director of the SEC's Division of Corporation Finance, clarified that materiality assessment must consider financial condition, operational impact, reputational harm, customer relationships, vendor dependencies, and litigation probability. This multi-factor analysis, companies argue, requires extensive investigation that can legitimately take months.

The sophistication appears in filing patterns. Greenberg Traurig's 2025 analysis documents companies routinely using Form 8-K Item 8.01 ("Other Events") for initial notification rather than Item 1.05 ("Material Cybersecurity Incidents"), preserving flexibility while technically complying.

International Speed Requirements

Singapore mandates notification to the Personal Data Protection Commission within 72 hours of determining a breach is notifiable, with fines up to S$1 million or 10 percent of annual turnover. The commission has been aggressive: in 2022, it fined StarHub S$58,000 partly for delayed detection and notification.

South Korea requires even faster action, mandating notification within 5 days to authorities and affected individuals for breaches involving personal information. The Korea Internet & Security Agency publishes annual statistics showing hundreds of reported breaches, with public notices typically coming within a week of discovery.

Japan's two-stage approach requires an initial report within 3 days of confirming a significant breach, followed by a full report within 30 days. Within the first six months of implementation, over 1,000 notifications were filed, showing Japanese companies erring on the side of compliance.

Australia's Office of the Australian Information Commissioner received a record 527 breach notifications in the first half of 2024, up from 497 in late 2022. The Medibank case tested this regime: they notified on day one of detection (October 13, 2022), then provided progressive disclosures as scope widened, generally meeting legal expectations despite intense public scrutiny.

The Economics of Strategic Silence

The financial calculus driving disclosure suppression involves multiple reinforcing variables that make transparency economically irrational under current structures.

Litigation Exposure

Data breach class action settlements have reached staggering levels:

  • Equifax (2017): $380 million consumer fund plus $90 million shareholder settlement

  • Capital One (2019): $190 million consumer settlement in 2022

  • Anthem (2015): $115 million to consumers

  • Yahoo (2013-14 breaches): $117.5 million to consumers plus $80 million securities settlement

The average settlement now reaches $3-5 million, with timing typically 6-18 months post-breach. Legal defense costs average $1.4 million for cases reaching settlement, $3.2 million for trial. Electronic discovery alone averages $800,000.

Market Punishment

Academic research examining 5,000 breach disclosures from 2010-2025 found consistent patterns. Initial disclosure triggers average decline of 3.5 percent in market capitalization, persisting for 30 days. One year later, breached companies trade 5.7 percent below pre-breach valuations. Three years later, the gap remains 3.2 percent.

For a $1 billion market cap company, this represents $32 million in permanent value destruction. IBM's research documents average customer loss of 3.9 percent post-breach, varying by sector: financial services lose 2.3 percent, retail loses 5.7 percent, healthcare loses 1.8 percent, and B2B services lose 8.2 percent.

The Uber Precedent

The criminal conviction of Uber's former CSO Joe Sullivan fundamentally altered executive risk calculations. In October 2022, a federal jury convicted Sullivan on charges of obstruction of justice and misprision of felony for concealing the 2016 breach affecting 57 million users. Instead of disclosing to the ongoing FTC investigation, Sullivan orchestrated a $100,000 payment to hackers through the bug bounty program, requiring them to sign NDAs containing false statements that they hadn't accessed user data.

The cover-up lasted a full year until new management disclosed it in November 2017. Sullivan faced potential eight-year imprisonment, though ultimately received probation. Uber paid $148 million to state attorneys general and entered a non-prosecution agreement requiring 20 years of comprehensive privacy programs.

The Pennsylvania Attorney General stated: "Uber's year-long delay in reporting was inexcusable and illegal under our law. We will not tolerate corporate cover-ups of breaches."

Building Counter-Intelligence Infrastructure

Progressive organizations are constructing parallel intelligence systems that assume zero external visibility. The investment required is substantial but quantifiable.

Information Sharing and Analysis Centers

FS-ISAC serves 7,000 member institutions across 70 countries. Membership costs scale by institution size: community banks under $500 million assets pay $7,500 annually, regional banks ($500 million to $15 billion) pay $15,000-$50,000, and global systemically important banks pay $285,000.

During the March 2025 Scattered Spider campaign, FS-ISAC members received indicators within 4 hours of first detection versus 3 weeks for public disclosure. The intelligence included 127 IP addresses, 43 phishing domains, 15 email addresses, 8 phone numbers, and 23 Bitcoin wallets. Members blocked these indicators before attacks reached them.

Healthcare's H-ISAC serves 730 members with fees from $1,500 for small practices to $65,000 for large health systems. When ransomware groups began targeting medical devices in February 2025, H-ISAC distributed detection rules 47 days before FDA advisories.

Dark Web Monitoring

Enterprise-grade services provide comprehensive coverage:

  • Recorded Future ($150,000+ annually): 800+ criminal forums, 150+ ransomware sites, 50+ exploit markets

  • Intel 471 ($100,000+ annually): 200+ cybercrime groups, 500+ individual actors, 100+ malware families

  • Flashpoint ($85,000+ annually): 2,000+ fraud communities, 500+ carding forums, 300+ cryptocurrency laundering services

These services identified 67 percent of breaches before victim awareness in 2024. SpyCloud claims recovery of billions of credentials, with one company reporting 60 percent reduction in account takeover incidents after implementation.

Technical Detection Capabilities

Organizations with comprehensive logging retain detection evidence that makes disclosure possible. SANS research shows companies with extensive logging achieve average incident detection in 49 days versus 83 days for those with limited logging. Companies containing breaches quickly (<30 days) almost always cite robust logging as a factor.

Threat hunting programs deliver measurable results. Organizations with active hunting programs shortened dwell time by 43 percent according to SANS. Mandiant reports 36 percent of intrusions they investigated were initially detected through proactive hunting, up from 20 percent previously.

Deception technology provides near-zero false positives. MITRE calculated that adding deception to baseline SOC increased lateral movement detection from 30 to 80 percent in simulations. In 2022, a manufacturing company caught ransomware actors early because attackers enumerated SMB shares and triggered a decoy, allowing isolation before deployment.
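The decoy trip wire described above, written out as detection logic (an added example, not code from the article, from MITRE, or from the manufacturer it cites): it runs over a constructed sample of Windows Security event 5140 ("a network share object was accessed") records, raises a high-confidence alert on any touch of a decoy share, flags one host enumerating many distinct shares in a short window, and reports how quickly each source was caught. The decoy share names, the enumeration threshold and the window length are assumptions of this example.

```python
"""Decoy-share and share-enumeration detection over event 5140 records."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed decoy shares: they hold no real data, so any access is suspicious.
DECOY_SHARES = {r"\\*\finance_backup$", r"\\*\hr_archive"}

# Assumed enumeration rule: one source host touching at least this many
# distinct shares inside the window is treated as share enumeration.
ENUM_DISTINCT_SHARES = 5
ENUM_WINDOW = timedelta(minutes=2)

# Constructed sample of event 5140 records, reduced to the fields a SIEM
# would normalise: (timestamp, source address, account, share name).
SAMPLE_EVENTS = [
    ("2025-03-04T02:14:01", "10.20.5.17", "CORP\\jdoe",   r"\\*\engineering"),
    ("2025-03-04T02:14:05", "10.20.5.17", "CORP\\jdoe",   r"\\*\marketing"),
    ("2025-03-04T02:14:07", "10.20.5.17", "CORP\\jdoe",   r"\\*\IPC$"),
    ("2025-03-04T02:14:09", "10.20.5.17", "CORP\\jdoe",   r"\\*\public"),
    ("2025-03-04T02:14:11", "10.20.5.17", "CORP\\jdoe",   r"\\*\legal"),
    ("2025-03-04T02:14:12", "10.20.5.17", "CORP\\jdoe",   r"\\*\finance_backup$"),
    ("2025-03-04T09:02:33", "10.20.7.42", "CORP\\asmith", r"\\*\engineering"),
    ("2025-03-04T09:40:10", "10.20.7.42", "CORP\\asmith", r"\\*\marketing"),
]


def parse(event):
    """Turn a raw record into (datetime, source, account, share)."""
    ts, src, account, share = event
    return datetime.fromisoformat(ts), src, account, share


def detect(events):
    """Run both rules over the events in time order and return the alerts."""
    alerts = []
    recent = defaultdict(deque)   # source -> (time, share) pairs inside the window
    last_enum_alert = {}          # source -> time of its last enumeration alert
    for ts, src, account, share in sorted(map(parse, events)):
        # Rule 1: nothing legitimate ever reads a decoy share.
        if share in DECOY_SHARES:
            alerts.append({"time": ts, "source": src, "account": account,
                           "rule": "decoy_share_access", "share": share})
        # Rule 2: sliding window of distinct shares per source host.
        window = recent[src]
        window.append((ts, share))
        while window and ts - window[0][0] > ENUM_WINDOW:
            window.popleft()
        distinct = {s for _, s in window}
        suppressed = (src in last_enum_alert
                      and ts - last_enum_alert[src] < ENUM_WINDOW)
        if len(distinct) >= ENUM_DISTINCT_SHARES and not suppressed:
            last_enum_alert[src] = ts   # one alert per source per window
            alerts.append({"time": ts, "source": src, "account": account,
                           "rule": "share_enumeration",
                           "distinct_shares": len(distinct)})
    return alerts


def time_to_detect(events, alerts):
    """Seconds from a source's first share access to its first alert."""
    first_seen = {}
    for ts, src, _, _ in sorted(map(parse, events)):
        first_seen.setdefault(src, ts)
    result = {}
    for alert in alerts:            # alerts are already in time order
        src = alert["source"]
        if src not in result:
            result[src] = (alert["time"] - first_seen[src]).total_seconds()
    return result


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(alert["time"].isoformat(), alert["source"], alert["rule"])
    print("seconds to first alert per source:",
          time_to_detect(SAMPLE_EVENTS, found))
```

The enumeration rule fires on the fifth distinct share and the decoy rule one second later, so the source is flagged ten seconds after its first access while the second host's two ordinary accesses stay silent.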

The Board Communication Revolution

Progressive CISOs have abandoned traditional reporting that assumes external breach data provides meaningful context. They have developed frameworks that treat public information as fiction and internal reality as the only thing that matters.

The education process begins with shocking directors into awareness using concrete statistics:

  • The 85 percent collapse in notifications despite rising incidents

  • 48 percent of security leaders hiding material breaches from management

  • 86 percent of those concealing multiple incidents

  • 69 percent of disclosures omitting attack details

  • 146 percent increase in OT attacks with 5 percent increase in disclosures

  • 96 percent of ransomware discovered only through criminal announcement

New metrics replace fictional benchmarking:

Attack Economics: Cost per attack prevented (security spending divided by blocked incidents), return on security investment (prevented losses divided by security costs), and economic value at risk (maximum probable loss from successful attack). When organizations prevent 50,000 monthly attacks with $6 million annual investment, the $10 per prevented attack demonstrates value regardless of industry averages.

Detection Velocity: Email compromise detected in 4 hours, endpoint malware in 12 hours, insider threats in 3 days, supply chain compromise in 7 days. These absolute measurements show improvement without requiring external comparison.

Control Coverage: Crown jewels under continuous monitoring (100 percent), privileged accounts under PAM control (95 percent), endpoints with EDR deployed (92 percent), network segments micro-segmented (87 percent).

Board director perspectives have evolved accordingly. As one Fortune 500 director stated: "Our board's mantra is: a cyber crisis is a communications crisis as much as a technical one. We expect management to be forthright with regulators, customers, and us."

The Path Forward

The cybersecurity industry has crossed a threshold from which there is no return. The 85 percent collapse in breach notifications while incidents increased isn't temporary but permanent. The forces driving suppression grow stronger annually.

FBI Assistant Director Bryan Vorndran articulated the tension: "When a company calls us in early, we can preserve evidence and trace the hackers. We might ask them to delay going public by just a few days. It can make the difference in catching the perpetrator."

Yet CISA Director Jen Easterly counters: "We have to break down the silos. Too often organizations don't share cyber incident details out of fear of reputational damage, regulatory repercussions, or just not knowing who to trust. This lack of transparency only benefits the adversaries."

The solution requires accepting new realities:

Reality 1: Public breach data is permanently corrupted. The forces driving suppression (insurance control at 74 percent claim denial rate, litigation exposure averaging $3-5 million, criminal liability per Uber precedent) intensify rather than diminish.

Reality 2: Detection excellence creates disclosure burden. Organizations using AI-powered detection identify breaches in 98 days versus 211 days manually, but faster detection triggers immediate disclosure obligations that slower methods avoid.

Reality 3: Supply chains are permanently opaque. With supply chain breaches averaging 267 days for containment and costing $4.91 million, every vendor represents months of latent exposure.

Reality 4: Insurance has become risk amplification. With only 26 percent of claims paid and average denial for warranty non-compliance, cyber insurance creates more risk than it transfers.

Reality 5: Regulatory compliance and security excellence have diverged. Meeting disclosure requirements doesn't improve security. Security excellence doesn't ensure compliance.

Given these realities, CISOs must architect new approaches:

Invest 15-20 percent of security budget in intelligence infrastructure. FS-ISAC membership, dark web monitoring, and threat hunting capabilities cost less than a single breach.

Restructure incident response for parallel processing. Separate technical remediation (maximum speed) from legal investigation (careful documentation).

Create internal metrics independent of external data. Measure absolute capability, not relative performance.

Develop response capabilities enabling confident disclosure. Transform incidents from threats into competence demonstrations.

Prepare for cascade failures. When major suppliers eventually disclose long-hidden breaches, maintain forensic artifacts enabling retroactive investigation.

The silent breach phenomenon isn't a problem to solve but a reality to navigate. Organizations that build counter-intelligence capabilities, restructure governance, and accept permanent opacity will maintain security effectiveness. Those waiting for transparency's return will wait forever, vulnerable to threats nobody warned them about.

In the age of silent breaches, nobody warns anyone about anything anymore. The silence isn't deafening. It's permanent. And it's the foundation upon which all future cyber risk management must be built.

Stay safe, stay secure.

The CybersecurityHQ Team
