With significant changes in how businesses must comply with cybersecurity reporting and disclosure requirements, security leaders will begin considering the most efficient way their organizations can comply with the Dec. 18 rule in 2024.
The 11th-hour shift in the final version is getting a lot of attention: companies no longer need to disclose specific or technical information about incident response, systems, or potential vulnerabilities if doing so could impede their ability to respond or remediate.
Just weeks before this change, Republicans in both chambers of Congress introduced Congressional Review Act (CRA) resolutions to overturn the ruling. They argue that the requirement overlaps with the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) and will effectively create more work for an already resource-constrained cybersecurity workforce.
Many in the industry agree, and also add that releasing sensitive compromised information publicly in the short term after a breach can increase exposure and risk before the problem is fixed.
And it’s natural for them to be wary. In November, a ransomware organization filed a “reporting violation” complaint with the SEC against one of its own victims after a breach. This unprecedented step was a bold new tactic: holding CISOs personally accountable during ransomware negotiations. It exposed a seam in the mandate and showed that attackers could use it as additional leverage to pressure their targets.
But are moves to abolish the obligation ultimately justified? It’s not that simple. There are two sides to every argument.
The controversy this ruling has sparked is understandable given that these rules address the complex question of who is actually the victim of an attack and who is responsible. Although the attacker is clearly at fault, the “victim” of the attack is often not the direct target, but other parties whose data the target holds.
Disclosure policies ideally exist to provide awareness and transparency for second-order impacts where you may not even know your data has been compromised. Without some sort of reporting requirement, data controllers will be forced to suppress information about attacks to protect their companies’ reputations and limit risk. Clear disclosure requirements increase the responsibility of these controllers to protect data and give potential secondary victims the awareness and time to take protective measures.
But at the same time, regulatory details matter a great deal. It is important that we all understand the very definition of an incident and what constitutes a reporting threshold. Security organizations routinely manage low-risk events, also referred to as incidents, during their day. Without clear boundaries on what constitutes a reportable incident, organizations will struggle with compliance. Worse, the very awareness the reporting is meant to create is diluted by a very low signal-to-noise ratio: if organizations report every possible incident all the time, it becomes virtually impossible for victims to determine which ones actually matter.
The big question is: Should this rule be eradicated or modified?
Many will point to the recent weaponization of the mandate to push for change. But intimidation has existed for as long as laws have. Just because attackers may try to use reporting requirements to increase their leverage or the sense of urgency felt by victims doesn’t mean reporting is bad in and of itself.
Consider the alternative. Secondary victims whose data has been compromised by an attacker may simply have no knowledge of the incident and therefore may never have the opportunity to take protective measures.
Make the necessary changes
Security leaders must understand that they are no longer weighing only security best practices, but also the federal legal responsibilities that govern disclosure decisions and plans. While this revision provides greater flexibility in the disclosure process, security leaders are still struggling to make the transition from traditional, slower, more static governance approaches to the on-demand, real-time response now required, and they must quickly decide how they can move faster.
Start with an audit of your existing security reporting process. Updated playbooks and corresponding training are just the beginning. Change management within the security team increases the likelihood that process changes will stick within the organization. Security teams need to understand how protocol changes bring their organizations into compliance and what those adjustments mean for their workflows, both as individuals and as a team.
For CISOs, accepting the reality of quarterly or even weekly compliance reviews can go a long way toward staying compliant. The fastest way to adopt these changes is to introduce a platform that programmatically minimizes manual intervention, provides governance and monitoring of security-specific processes and workflows, and transparently documents each step.
The sooner process accountability and transparency become the lifeblood of an organization’s security framework, the better prepared CISOs will be to manage future threats and the evolving rules designed to mitigate them.
John Morello, Chief Technology Officer, Gutsy