Woman looking at camera and doing silence gesture

Why Breach Cover-Ups Are Killing Trust

If you ask security leaders whether they’ve ever been told to keep a breach quiet (we did), more than half will say yes.

BitDefender’s out with their 2026 report, and although this isn’t a top-tier report like Verizon’s DBIR or IBM’s Cost of a Data Breach, they DO track one really interesting statistic that I like to refer to. Their 2026 report found that 55.2% of respondents said they were being told to keep incidents confidential, a figure that’s just barely down from the 57.6% peak last year.

Even with strict mandates like the SEC’s four-day disclosure rule taking effect in 2023, the instinct to stay quiet persists, because this isn’t just a policy failure. It’s a cultural issue, where the fear of reputational damage outweighs the legal imperative to speak up. And that 55.2% number is globally. Domestically, the problem is considerably worse, with 69% of professionals reporting pressure to not talk about data breaches.

Other Breach Stats from the Report

According to BitDefender’s report, organizations are facing an increase in:

  • Cloud intrusions – account for 41.8% of reported breaches
  • Business email compromise – hitting 35.9% of victims (the FBI’s IC3 has better coverage, though)
  • Ransomware – still a thing in 25.6% of cases
  • Intellectual property theft – targeted about a quarter of firms

And as you’d expect, attackers are using AI to improve their social engineering efforts, with 70.1% of companies reporting more sophisticated phishing attempts. Outdated training materials really don’t do well against attacks that look like legitimate marketing campaigns.

So What Happens When Companies Don’t Report?

In the U.S., failing to notify affected individuals within the 30-to-45-day window mandated by most states can trigger fines ranging from $1,000 to $10,000 per violation, with statutory caps soaring to $500,000 per incident. California’s CCPA is particularly shouty, capping penalties at $7,500 per day for intentional non-compliance and allowing damages up to $10 million per breach.

Publicly traded companies face even more consequences under the aforementioned 2023 rules, where failing to disclose a material breach can lead to disgorgement and personal liability for officers who knowingly suppress disclosure. HIPAA violations can rack up fines, too, and the FTC’s Health Breach Notification Rule covers those health apps and wearable makers who would otherwise not be covered.

Beyond regulators, concealed breaches have a tendency to void cyber insurance policies and strip away good-faith defenses in class action lawsuits, leaving executives personally exposed when D&O carriers refuse to cover intentional misconduct. And telling employees not to report a breach is a pretty clear example of intentional misconduct.

Overconfident and Under-Resourced

We seem stuck in a strange contradiction where organizations feel both overconfident and completely overwhelmed. According to the report, U.S. respondents report the highest strain metrics globally, while at the same time expressing the highest confidence in their security posture:

Reality%Belief%
AI gives attackers the advantage69.7%Confident they can close security gaps87.1%
Security controls regularly bypassed66.7%View vendors as strategic partners84.1%

This disconnect could be based on prior trends of high spending on shiny objects rather than effective defense; in a lot of cases, companies are paying premiums for a sense of security that is just based on vibes.

Compliance (Still) Isn’t Security

Worse still, the industry is continuing to equate compliance with security:

  • 56% of professionals describe their compliance efforts as a checkbox exercise
  • 62% find the process overwhelmingly manual and inefficient
  • 61% say it’s more complicated than it needs to be due to manual research and documentation

This focus on passing audits rather than stopping attacks has led to a situation where 56% of strategies are purely driven by regulatory checklists instead of threat prevention. The predictable result is a false sense of security where organizations pass audits, but continue to fail real-world penetration tests. When security becomes about checking boxes, controls get designed to look good on paper rather than to withstand an attack.

Leadership Blind Spots

And unfortunately, management optimism is only making things worse. There is an 8% average gap between how managers rate their security posture and how frontline staff see it, because executives see progress and alignment while practitioners deal with alert fatigue, understaffing, and expanding attack surfaces.

Managers believe they have full AI visibility at 57.8%, whereas only 45.9% of frontline workers agree, and the gap widens to 11.9 percentage points on that single metric alone. This disconnect means critical risks get filtered out before they reach decision-makers, leaving boards operating on incomplete pictures of their own exposure.

Secrecy is a losing strategy that multiplies legal and reputational costs while eroding trust, because regulators tend to look at factors like cooperation and timely notification as mitigating factors during penalty calculations. Transparency, though it can suck at the time, limits exposure and aligns with the sprawling regulatory environment where delayed notification is treated as evidence of negligence.

Also: companies need to move away from myopically passing audits and shifting blame through contractual obligations. It’s better in the long run to identify the key business processes and their owners (something I’ve mentioned before), the key systems that support those processes, and then figure out which risks would affect those systems rather than doing a line-and cover with whatever control framework a CISO thinks is fashionable. Until then, we’ll probably see leadership encouraging employees to not report, in spite of how the whole Joe Sullivan thing turned out.

Similar Posts