The “name and shame” trend has become popular in cybersecurity: even FBI officials suggest using it. A couple of weeks ago, the UK National Cyber Security Centre (NCSC) announced that it will name and shame departments failing to secure their email (that is, failing to properly implement DMARC). The NCSC plans to incentivize government domain owners to implement email security measures by setting up a dashboard of red, amber and green indicators based on the level of email security in each government domain.
It is not yet clear whether the dashboard will be freely accessible to everyone, but if so, cybercriminals should be very grateful for a centralized and up-to-date dashboard of governmental domains they can use in new spear-phishing and drive-by-download spam campaigns. Obviously, attackers can perfectly well do continuous monitoring to look for new targets themselves, but why refuse free gifts?
During a recent IP Expo Europe event, James Lyne, head of security research at Sophos, said: “We’re about to enter a period where we’re going to name and shame”, referring to the introduction of GDPR in 2018.
A few weeks ago, there was disturbing news wrapped within SWIFT’s announcement of the introduction of the SWIFT Customer Security Programme (CSP), in which SWIFT will “name and shame banks who fail to meet security standards”. Later, SWIFT fortunately clarified the situation, saying that the [member bank’s] compliance status will be made available to their trading partners within the SWIFT network only. So, the cybercriminals behind a series of recent SWIFT member bank breaches will have to continue doing their homework of searching for new victims themselves (assuming they have no insiders or backdoors among SWIFT stakeholders).
But let’s come back to GDPR (the full text of the EU regulation is available here).
According to Article 34 of the Act, in addition to notifying the supervisory authority (as per Article 33), the controller [the company that holds PII of EU citizens] shall communicate the personal data breach to the data subject without undue delay. Exceptions exist if the compromised data cannot be used for any malicious activities, for example because it was reliably encrypted. Administrative fines for GDPR non-compliance may go up to 10,000,000 EUR, or up to 4% of the guilty company’s total annual turnover.
A PwC publication on GDPR states that “part of the challenge of the GDPR is that it creates a funnel through which non-compliance turns into serious regulatory penalties, litigation and public disgrace. The funnel is the breach disclosure requirement, which will effectively require entities to wash their dirty linen in public.” A recent GDPR review conducted by Gartner says that “once the EU GDPR comes into effect [May 2018], a single complaint could result in an audit and a fine for improperly handling personal data.”
After Brian Krebs’s website fell victim to an unprecedented DDoS attack, the industry was very concerned about the extraordinary power of DDoS attacks, capable of censoring anyone on the web. However, with GDPR enforcement, cybercriminals will rather breach their victim, loudly leak the compromised PII in public, and wait for the victim’s bankruptcy due to a tsunami of complaints. Taking into consideration that over 60% of web services contain at least one high-risk vulnerability allowing database compromise, that wouldn’t be very difficult.
In other words, GDPR may become an emerging nuke to eliminate competition by the European Court’s hands and in full compliance with the law.
Jan Schreuder, partner, Cybersecurity, PwC Digital Services, comments: “Mandatory breach disclosure has long been part of privacy legislation in the US and a number of other countries; however, we are now seeing that data protection and cyber regulations are including it in proposed or enacted legislation and regulations. Organizations globally, and especially in Europe, need to prepare for a new world where data breaches will inevitably become public. Maintaining the trust of stakeholders, including regulators, shareholders, customers and employees, in case of a breach is of utmost importance, and recent experience has shown that the quality and timeliness of the communication from the organization’s leadership is crucial. Preparing your communication strategy in advance rather than in the heat of the crisis is an important element in planning your response to cyber attacks.”
The road to hell is often paved with good intentions. Something similar may happen with an overabundance of cybersecurity and privacy regulations, especially if the name and shame practice comes to dominate them.
Nonetheless, a common-sense approach to cybersecurity, holistic risk assessment and continuous security monitoring can not only ensure reliable cybersecurity, but also help comply with almost any security standard or regulation, from PCI DSS to GDPR.