When your company gets named in a public breach attribution, silence is a strategy. Just not a good one.

Broadcom. Bechtel. Estee Lauder. Abbott Technologies. All four have been named in the Cl0p-attributed Oracle E-Business Suite breach. None of them have said a thing. No acknowledgment, no explanation, no guidance for affected customers.

Oracle EBS is a sprawling ERP platform handling financials, procurement, supply chain, and HR across large enterprises. A breach of that infrastructure doesn’t expose just one kind of data. It potentially touches everything.

But this isn’t really about the breach itself. It’s about the quiet.

Why companies go silent. Four reasons, usually some combination: the investigation is ongoing (fair, up to a point), lawyers said wait (silence is lower risk in a courtroom, but the courtroom isn’t the only audience), insurance negotiations are active (carriers want narrative control), or they’re just hoping it blows over. That last one doesn’t get said out loud, but it’s often the dominant factor.

Why silence doesn’t work anymore. The SEC’s cybersecurity disclosure rules require public companies to report a material incident on Form 8-K within four business days of determining that it is material. Companies have some wiggle room on when they make that determination, but the rule requires it to be made without unreasonable delay, and the SEC has shown willingness to scrutinize companies that drag out materiality assessments as a stalling tactic.

State notification laws create separate obligations. Most states require individual notification within 30 to 60 days of discovering the breach. If personal data was exposed, those clocks are running whether or not anyone’s made a public statement. And for companies with European operations, GDPR’s 72-hour deadline for notifying the supervisory authority and DORA’s incident-reporting rules for the financial sector add more pressure.

What silence actually signals. To regulators: potential non-compliance. To customers: uncertainty at best, indifference at worst. To insurers: complications. To plaintiffs’ attorneys: opportunity. Every day of silence adds to the narrative that the company prioritized its own exposure over its obligations.

What a good statement looks like. It’s really not complicated. Something like: “We’re aware of reports. We’re investigating with external forensic experts. We’ll provide updates and notify affected parties as required by law.” That doesn’t admit fault, doesn’t confirm exposure, doesn’t mess up insurance negotiations. It just acknowledges reality and sets expectations.

The information asymmetry companies used to rely on has eroded. Threat intelligence reporting, dark web monitoring, and investigative journalism mean the public often knows about breaches almost as fast as the companies do. Hoping the news cycle moves on isn’t the play it used to be.

If your org is affected by a publicly attributed breach, the clock is running whether you acknowledge it or not. The question isn’t whether to disclose. It’s whether you do it on your terms or someone else’s.


Original post on gNerdSEC