Concerned about reputational damage and lost business, many companies are underreporting cybercrimes.

Half of cybersecurity respondents to ISACA’s “State of Cybersecurity 2019,” a survey of 1,500 cybersecurity professionals from each continent, said they believe most enterprises underreport cyber incidents they are required to disclose. What’s more, a quarter believed enterprises underreport incidents they’re not legally required to make public as well.

To Womble Bond Dickinson privacy and cybersecurity team co-chair and partner Theodore Claypoole, the statistics don’t represent a new trend. He said businesses are resistant to report cybercrimes because it’s publicizing mistakes, embarrassments and possible incompetence.

“Even if the attack is brilliant and no one could have stopped it, those details are lost on the general public and especially regulators, who tend to blame the victim in these cases for not protecting consumer or employee data,” Claypoole wrote in an email.

Although not all cyber incidents lead to regulatory penalties, the negative media attention may be costly in the long run. 

“In this day, where a company shows competence dealing with a successful attack, the company can minimize reputational damage and come back strong. But it is hard to believe that negative news will not hurt the company in a significant way,” Claypoole noted.

To be sure, Target faced a nearly 50% drop in profits after its massive 2013 data breach, while American Medical Collection Agency lost LabCorp as a client after its servers were hacked. 

Frost Brown Todd partner Victoria Beckman also noted that companies may not report a cyber incident if they are acquired by another organization. She said some companies may believe they don’t have to reveal that information to their acquirer. However, a Forescout Technologies Inc. survey found more mergers and acquisition deals are prying into a company’s cybersecurity history. 

Companies may also worry about the expenses associated with reporting a cyber incident, including IT upgrades, counsel fees and providing credit monitoring and notices to those breached, Beckman said. Indeed, American Medical Collection Agency spent $3.8 million for notifying just seven million of the 20 million customers whose data was breached, according to a bankruptcy notice it filed last month.

Nonetheless, Beckman said regulatory requirements make reporting a cyber incident the best policy, in light of varying statutes’ definition of a breach and documentation and notification requirements.

“I would never recommend not to report an incident,” Beckman said. ”It would expose the organization to serious legal and economic consequences. If after a risk assessment, the organization concludes there was no reportable breach but only a minor incident, that thought process must also be documented.”