Mandatory reporting regimes are coming to many countries in the next few years, whether businesses support the idea or not. While the details vary, these requirements are intended to increase the government’s visibility regarding the scope, scale, and intensity of malicious cyber activity in their countries. The business case for such reporting from the government’s perspective is clear; no government currently has the incident information it needs to protect its national security, economic prosperity, or public health and safety in cyberspace. For companies, however, what they get from these regimes is often unclear. But if the regulations are set up properly, businesses could reap clear benefits. Therefore, the business community must take this opportunity to shape these reporting regimes into a structure that will not only benefit governments and society, but individual businesses at the same time.