ISACA says no to mandatory real-time reporting of data breaches – suggests financial accounting approach

And making the reporting mandatory – but avoiding the media feeding frenzy that would occur when the losses are made public on their own – is the best strategy, says the association, which has more than 80 000 members worldwide.

The recommendation comes in the wake of a leading legal expert calling for the mandatory reporting of all data breaches to the UK Information Commissioner's Office (ICO) last week.

Rolf von Roessing, ISACA's international vice president, points to the reputational risk of the real-time media reporting of leaks and losses that would likely result from this move.

Including the data security problems along with quarterly or annual financials, he says, allows the company to report the security breaches to all interested parties – namely the shareholders and employees – rather than simply catering to sensationalists and the media generally.

"The idea of mandatory reporting is an excellent one and one that should be embraced, but rather than risking the reputation of a company being pilloried – and perhaps sending its share plummeting as a result of unfettered media reporting – the reporting process should be more measured, and require the 'signing off' of the report by management, in a similar process to Sarbanes-Oxley's 302 disclosure reporting in the US", he said.

According to von Roessing, the fact that someone of the stature of a partner with Field Fisher Waterhouse is saying that mandatory reporting is now necessary to stop companies from burying their bad news indicates the strength of business feeling about the issue of reporting security breaches.

However, he says, whilst the public has a legitimate interest in learning about security breaches, it is important to look at the bigger picture, that of the real public interest in a company being seen to learn from its mistakes and allowing management to recover a situation, rather than subjecting the company to a public witch hunt that benefits no-one in the longer term.