ARTICLE
28 May 2025

Why Reporting Is A Catalyst For Cyber Professional Services

IR Global

Contributor

IR Global is a multi-disciplinary professional services network that provides legal, accountancy and financial advice to both companies and individuals around the world. Our membership consists of the highest quality boutique and mid-sized firms who service the mid-market: firms that are focused on partner-led, personal service and have extensive cross-border experience.

New cyber incident reporting requirements are rapidly transforming how financial institutions (FIs) approach cybersecurity. Our February report, Managed Detection, Response, and Reporting in 2025: The Trio to Elevate Operational Resilience, analyzed how new cyber incident reporting would usher in a holistic practice for cybersecurity that mixed products and services.

The term MDR² was also introduced to emphasize that response and reporting could soon go hand in hand. The report revealed the market direction in 2025:

"The full picture is an interdisciplinary strategy and suite of capabilities. By referring to a 'trio' in the title, this report points out how detection is one part of a complete strategy to deliver resilience. Orchestrating response and incorporating reporting capabilities are the next steps."

Financial Services Risk Management: The Cost of Cyber Incident Disclosure

A significant driver behind this transformation is straightforward: Financial institutions want to avoid the negative publicity and market consequences that come with public reporting of cyber incidents. Two major regulatory developments have established reporting thresholds significantly lower than traditional data breach notification rules, affecting a broad segment of financial services organizations:

  1. Securities and Exchange Commission (SEC) guidance issued in July 2023 concerning 8-K reporting of material cybersecurity incidents by public companies
  2. Department of Homeland Security (DHS) rulemaking, with an expected October 2025 implementation date, requiring covered entities to report cyber incidents and ransomware payments to the DHS Cybersecurity and Infrastructure Agency (CISA)

Cyber Reporting Mandates Drive Financial Services Security Strategy

Looking at past market reactions provides valuable insight into potential responses to these new requirements. Data breach notification laws, now established in every state, have proven to be powerful incentives for improving corporate cybersecurity as organizations seek to avoid brand damage from a data breach. A 2024 study published in The British Accounting Review examined the relationship between notification laws and corporate debt costs, finding that "[Data breach notification] laws create a strong incentive for managers to invest in robust cybersecurity measures and internal controls to prevent breaches from occurring."

The study further revealed that "the increase in the cost of private debt is less pronounced in firms that focus on cyber security measures, such as investing in cyber security or appointing a technology officer on their board."

Investment Driven by Reporting Avoidance

For FIs, spending to avoid risk represents an investment in brand protection. Lower reporting thresholds will prompt boardrooms to explore cyber investments specifically designed to keep operations below those reporting triggers and avoid negative publicity.

The DHS rule, in particular, deserves close attention as its October 2025 implementation approaches. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022 has an exceptionally broad scope, covering critical infrastructure sectors, IT supply chain incidents (e.g., widespread exploitation of an API vulnerability from a cloud services provider), and ransomware payments—all areas of particular concern for financial services organizations.

The Growing Demand for Professional Services

How does reporting connect to professional services? FIs now face multiple challenges:

  1. Compliance expertise to fully understand and interpret new reporting requirements
  2. Cybersecurity capabilities to map incident details against reporting thresholds
  3. Specialist teams for threat intelligence, digital forensics, and incident response to determine whether to report and what details to include

The SEC guidance implemented over a year ago provides early market signals. SEC enforcement actions have increased, and in response, the cybersecurity insurance market has fashioned new policy protections specifically addressing SEC investigations—a departure from the traditional privacy focus of cyber insurance. Hence, professional assessment of cyber risk cover is another fallout of the new MDR² environment.

Our February report emphasized that effective security must integrate products and services for seamless reporting workflows. As a Breach Coach practitioner, I am seeing delayed entrance of counsel, even in referrals from cyber insurers. There seems to be growing third-party incident litigation resulting from downstream impacts (e.g., the Delta – CrowdStrike countersuits), as compared to direct privacy impact lawsuits, highlighting the need for better MDR² synchronization.

Regulatory, Reputational, and Financial Risks of Cyber Incident Reporting

The evolving reporting landscape will significantly reshape the cybersecurity market for FIs in 2025 and beyond. Financial services organizations must prepare for:

  1. Increased regulatory scrutiny of cyber incident disclosure and response
  2. Growing need for integrated cybersecurity solutions combining technology and professional services
  3. Rising importance of rapid, coordinated incident response to minimize reporting obligations

FIs that fail to adapt risk not only regulatory penalties but also reputational damage, increased borrowing costs, and potential litigation from affected parties.

Taking Action Now

Reporting stands to shake up the cybersecurity market in 2025 and beyond. Watch for our upcoming report later this year that will provide an in-depth analysis of this landscape, and offer strategic guidance for FIs navigating these new reporting requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
