---
title: "Why Breach Cover-Ups Are Killing Trust"
description: "If you ask security leaders whether they've ever been told to keep a breach quiet (we did), more than half will say yes. BitDefender's out with their 2026 report, and although this isn't a top-tier..."
url: https://kaynemcgladrey.com/blog/why-breach-cover-ups-are-killing-trust/
date: 2026-07-06
modified: 2026-07-06
author: "Kayne"
image: https://kaynemcgladrey.com/wp-content/uploads/2026/07/Woman-looking-at-camera-and-doing-silence-gesture.webp
categories: ["Blog"]
type: post
lang: en
---

# Why Breach Cover-Ups Are Killing Trust

> If you ask security leaders whether they’ve ever been told to keep a breach quiet (we did), more than half will say yes.

BitDefender’s out with their 2026 report, and although this isn’t a top-tier report like [Verizon’s DBIR](https://www.verizon.com/business/resources/reports/dbir/) or [IBM’s Cost of a Data Breach](https://www.ibm.com/reports/data-breach), they DO track one really interesting statistic that I like to refer to. Their [2026 report](https://www.bitdefender.com/content/dam/bitdefender/business/campaign/cybersecurity-assessment-2026/Bitdefender_Cybersecurity_Assessment_2026.pdf) found that **55.2%** of respondents said they were being told to keep incidents confidential, a figure that’s just barely down from the **57.6%** peak last year.

Even with strict mandates like the [SEC’s four-day disclosure rule](https://www.sec.gov/rules-regulations/2023/07/s7-09-22) taking effect in 2023, the instinct to stay quiet persists, because this isn’t just a policy failure. It’s a cultural issue, where the fear of reputational damage outweighs the legal imperative to speak up. And that 55.2% number is globally. **Domestically**, the problem is considerably worse, with **69%** of professionals reporting pressure to not talk about data breaches.

### Other Breach Stats from the Report

According to BitDefender’s report, organizations are facing an increase in:

- **Cloud intrusions** – account for 41.8% of reported breaches
- **Business email compromise** – hitting 35.9% of victims (the [FBI’s IC3](https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf) has better coverage, though)
- **Ransomware** – still a thing in 25.6% of cases
- **Intellectual property theft** – targeted about a quarter of firms

And as you’d expect, attackers are using AI to improve their social engineering efforts, with **70.1%** of companies reporting more sophisticated phishing attempts. Outdated training materials really don’t do well against attacks that look like legitimate marketing campaigns.

### So What Happens When Companies Don’t Report?

In the U.S., failing to notify affected individuals within the 30-to-45-day window mandated by most states can trigger fines ranging from $1,000 to $10,000 per violation, with statutory caps soaring to $500,000 per incident. [California’s CCPA](https://www.oag.ca.gov/privacy/ccpa) is particularly shouty, capping penalties at $7,500 per day for intentional non-compliance and allowing damages up to $10 million per breach.

Publicly traded companies face even more consequences under the aforementioned 2023 rules, where failing to disclose a material breach can lead to disgorgement and personal liability for officers who knowingly suppress disclosure. [HIPAA](https://www.hhs.gov/hipaa/index.html) violations can rack up fines, too, and the [FTC’s Health Breach Notification Rule](https://www.ftc.gov/legal-library/browse/rules/health-breach-notification-rule) covers those health apps and wearable makers who would otherwise not be covered.

Beyond regulators, concealed breaches have a tendency to void cyber insurance policies and strip away good-faith defenses in class action lawsuits, leaving executives personally exposed when D&O carriers refuse to cover intentional misconduct. And telling employees not to report a breach is a pretty clear example of intentional misconduct.

### Overconfident and Under-Resourced

We seem stuck in a strange contradiction where organizations feel both overconfident and completely overwhelmed. According to the report, U.S. respondents report the highest strain metrics globally, while *at the same time* expressing the highest confidence in their security posture:

| Reality | % | Belief | % |
| --- | --- | --- | --- |
| AI gives attackers the advantage | 69.7% | Confident they can close security gaps | 87.1% |
| Security controls regularly bypassed | 66.7% | View vendors as strategic partners | 84.1% |

This disconnect could be based on prior trends of high spending on shiny objects rather than effective defense; in a lot of cases, companies are paying premiums for a sense of security that is just based on vibes.

### Compliance (Still) Isn’t Security

Worse still, the industry is continuing to equate compliance with security:

- **56%** of professionals describe their compliance efforts as a checkbox exercise
- **62%** find the process overwhelmingly manual and inefficient
- **61%** say it’s more complicated than it needs to be due to manual research and documentation

This focus on passing audits rather than stopping attacks has led to a situation where **56%** of strategies are purely driven by regulatory checklists instead of threat prevention. The predictable result is a false sense of security where organizations pass audits, but continue to fail real-world penetration tests. When security becomes about checking boxes, controls get designed to look good on paper rather than to withstand an attack.

### Leadership Blind Spots

And unfortunately, management optimism is only making things worse. There is an **8% average gap** between how managers rate their security posture and how frontline staff see it, because executives see progress and alignment while practitioners deal with alert fatigue, understaffing, and expanding attack surfaces.

Managers believe they have full AI visibility at **57.8%**, whereas only **45.9%** of frontline workers agree, and the gap widens to **11.9 percentage points** on that single metric alone. This disconnect means critical risks get filtered out before they reach decision-makers, leaving boards operating on incomplete pictures of their own exposure.

Secrecy is a losing strategy that multiplies legal and reputational costs while eroding trust, because regulators tend to look at factors like cooperation and timely notification as mitigating factors during penalty calculations. Transparency, though it can suck at the time, limits exposure and aligns with the sprawling regulatory environment where delayed notification is treated as evidence of negligence.

Also: companies need to move away from myopically passing audits and shifting blame through contractual obligations. It’s better in the long run to identify the key business processes and their owners (something I’ve [mentioned before](https://techround.co.uk/guides/the-three-documents-every-new-ciso-needs-that-nobody-hands-you/)), the key systems that support those processes, and then figure out which risks would affect those systems rather than doing a line-and cover with whatever control framework a CISO thinks is fashionable. Until then, we’ll probably see leadership encouraging employees to not report, in spite of how the whole Joe Sullivan thing turned out.
