Connect with us

Hi, what are you looking for?

Tech & Science

Are we entering a world of greater cyber-transparency?

The SolarWinds attack is a prime example of this, but we also just saw this happen with the hack on U.S. government email accounts.

Image: — © AFP
Image: — © AFP

The U.S. Securities and Exchange Commission (SEC) has implemented regulations that mandate registrants to disclose any significant cybersecurity incidents they encounter. Additionally, organizations are now obligated to annually disclose essential details about their cybersecurity risk management, strategy, and governance.

The ruling alters the playing field for business transactions and requires companies to focus their disclosures on how the board oversees cybersecurity threat risks, identifying the committee responsible for such oversight, and explaining how the board or committee stays informed about these risks.

Looking into the circumstances and considering the implications for industry is Mike Britton, CISO, Abnormal Security.

Britton sees a positive in terms of the recent news, noting how this can be a springboard towards enhanced understanding: “Increased disclosures and greater transparency is a good thing for everyone concerned with cybersecurity. But there are some uncertainties around how far these SEC cyber rules will go toward actually solving or exposing security incidents.”

Citing an example of the pertinent lessons to be learned, Britton states: “For one, the rule assumes that breached organizations are aware of a material compromise, and that reporting it within the stipulated four days from discovery is timely enough. But so often, organizations experience breaches where an attacker was already inside their corporate network—sometimes for weeks or months—before they identified the attack.”

Continuing with the example, Britton puts forward: “The SolarWinds attack is a prime example of this, but we also just saw this happen with the hack on U.S. government email accounts through a Microsoft vulnerability, where the attackers were lurking within those accounts for as long as a month before customers noticed anomalous mail activity.”

With the next advantage, Britton says: “Secondly, the mandated disclosures are required only if the breach has a “material” impact on operations, revenues, or stock price. But without a concrete definition around what is considered “material,” this can feel somewhat arbitrary, and may lead to some material breaches going unreported. Plus, in many cases, an organization won’t know the extent of their material damages until much later.”

In terms of learning from such issues, Britton indicates: “There is a question around whether the bar should be lowered. For example, there is a case to be made for disclosing any type of breach—even if it’s a BEC attack that results in relatively lower financial loss, like in the thousands of dollars, or if there are repeated incidents.”

This leads to his final point: “Is a single material breach any worse than attacks that are less costly, but more frequent? Organizations have a duty to be transparent with their customers and investors, so at what point do we draw the line?”

Avatar photo
Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.

You may also like:

Business

A digital ID is an online representation of an individual, which contains personal information.

Entertainment

Oscar-winning songwriter and screenwriter Dean Pitchford chatted about his induction into the Songwriters Hall of Fame.

Entertainment

‘Inside Out 2’ is a rarity in animation as its child character actually ages, introducing new complicated emotions.

Tech & Science

Alex Jones is widely branded as a misinformation profiteer. - Copyright AFP Olivier DOULIERYMoises Avila with Anuj Chopra in WashingtonA US judge on Friday...