Dive Brief:
- Nearly half (48%) of cybersecurity leaders didn’t report a “material” cybersecurity incident to their executive leadership or board of directors in the past year, according to the results of a survey conducted by cybersecurity firm VikingCloud.
- The leading reasons cited were worry over punitive rather than constructive responses from leadership and the board (40%), and fear of financial or reputational harm if the incident were made public or resulted in regulatory consequences (44%), VikingCloud said in a recent report on the findings.
- “If you’re in a leadership position, you need to find out if this is happening in your company,” Jon Marler, “cybersecurity evangelist” at VikingCloud, said in an interview. “I’m not saying, ‘Go on a witch hunt.’ Look at it from the perspective of fostering a culture of accountability and creating a way for people to disclose things that doesn’t make them afraid of losing their job, especially right now with how hard it is to find a new job in IT and technology.”
Dive Insight:
It was not clear to what extent, if any, the surveyed companies broke cybersecurity laws by failing to report breaches.
The growing patchwork of cybersecurity breach notification requirements in the U.S. includes the Securities and Exchange Commission’s rule mandating that public companies disclose “material” incidents within four days of a materiality determination.
“While interesting, the survey is too high-level to draw many firm conclusions,” Scott Kimpel, a partner at law firm Hunton Andrews Kurth, said in an email. “Many incident response plans do not require escalation to the board or C-level except under very limited circumstances.”
The research is limited to a handful of industries and does not define key terms like “material cybersecurity incident,” Kimpel said. “We do not know if the surveyed companies are publicly traded or what their relative size is as measured by total assets, revenue or other metrics,” he added.
Still, he said the study serves as a good reminder that businesses should tailor an incident response plan to their specific circumstances “with due regard for applicable legal standards, prevailing market practice, and stakeholder demands for information.”
Andy Lunsford, CEO of cybersecurity firm BreachRx, said the VikingCloud findings echo what his company has seen in its own research across regulatory filings and executive behavior.
“Choosing not to report a material cyber incident may sound like a way to avoid scrutiny, but it will actually result in the opposite outcome,” he said in an emailed statement. “Even if there is a short-term relief, the other shoe will eventually drop, and the consequences will be far greater for everyone involved. The company and the entire executive team will be exposed to far greater liability — including personal.”
The findings come as cyberattacks continue to surge, posing financial, regulatory and legal risks for businesses.
“A strong cybersecurity defense requires creating a company security culture that provides a safe space for reporting all incidents,” VikingCloud said in its report. “It’s up to cyber and broader executive leadership to create those clear reporting protocols and establish a culture of continuous learning and improvement.”
The FBI’s Internet Crime Complaint Center received 859,532 complaints of suspected internet crime in 2024, with disclosed losses exceeding $16 billion, a 33% increase over the prior year, according to a report released earlier this year.
Cybersecurity incidents have escalated both in frequency and severity in the past year, with artificial intelligence serving as a primary driver behind the surge, VikingCloud said.
More than half (51%) of survey respondents ranked generative or agentic AI-driven phishing campaigns as a top concern when it comes to new cyberattack techniques, compared with 22% in a poll last year.
“This suggests that more leadership teams recognize the perils of AI-driven attack methods, especially as agentic AI becomes more ubiquitous and makes bad actors even more dangerous, efficient, and relentless than generative AI alone,” according to the study.
Compounding the situation, nation-state hackers — cybercriminals backed or directed by foreign governments — are impacting a wider range of organizations today, as companies of all sizes and in all industries can be affected by attacks that “ripple through software supply chains,” VikingCloud said.
More than three-quarters of respondents said they believe that recent or proposed cuts to U.S. federal cybersecurity programs, such as the Cybersecurity and Infrastructure Security Agency and the National Security Agency, could increase their organization’s cybersecurity risk.
The research was based on a survey of 200 cybersecurity leaders — directors and above — across the U.S., the U.K. and Ireland.
A VikingCloud spokesperson said the company isn’t sure whether any of the surveyed organizations were publicly traded firms required by the SEC to report “material” cybersecurity incidents.
“Unfortunately, we didn’t get that granular in the demographics questions,” the spokesperson said in an email. “We asked about industry (healthcare, retail, hospitality, food service, travel), location (USA, UK, Ireland), whether they were multi-location (86% were), and level of role (43% C-Suite).”