Crooks pwned your servers? You've got four days to tell us, SEC tells public companies

Public companies that suffer a computer crime likely to cause a "material" hit to an investor will soon face a four-day time limit to disclose the incident, according to rules approved today by the US Securities and Exchange Commission. The SEC proposed the changes last March, and on Wednesday the financial watchdog voted to …

  1. MachDiamond Silver badge

    Odd this

    The phrase "Without reasonable delay" sorta seems like it should be "Without UNreasonable delay". The timeline is also exceptionally tight if there is a reason that delaying means needing to get permission from any Attorney General's office. They don't often check their emails and it's hard to find a valid address for them in the first place that won't just generate a form letter in response and naught else.

    The other question is what they should report. Teams would first want to identify the path that somebody used to get in, get that patched right away, sort out what might have been compromised and get notifications to affected parties before all of this hits the news. I get it, companies have been waiting months and months before news of a big exploit is leaked and the company is forced to own up. But, 4 days?

    1. ChoHag Silver badge

      Re: Odd this

      > The phrase "Without reasonable delay" sorta seems like it should be "Without UNreasonable delay".

      I could care less about that.

      Couldn't you?

    2. Yet Another Anonymous coward Silver badge

      Re: Odd this

      So it will become a box-ticking exercise.

      Once somebody posts a "we detected a possible attack and are investigating the impact" statement and it's accepted by the SEC it will become precedent and so everyone will just submit the same statement every time there is a hit on their firewall.

      It's like how after 9/11 banks were made to report suspicious transactions and so just flagged almost everything because there were massive penalties for not reporting, but no follow-up if they did.

  2. Pascal Monett Silver badge

    Hang on a minute

    "a company can delay filing this report with the SEC if the US Attorney General determines that openly disclosing the intrusion immediately would pose a major risk to national security or public safety"

    How is the Attorney General able to make a decision if the company is delaying its filing?

    Does it mean that a company should contact the Attorney General immediately and get a decision before deciding to delay the SEC filing?

    1. James 139

      Re: Hang on a minute

      Good question. I'd have thought any company that poses a risk to either would know they were in that position, by virtue of their operations being of a national security or public safety issue, and therefore have been granted such a dispensation in advance.

      Of course, that would never be abused to delay a filing if the intrusion didn't involve a different, unrelated, part of the operations, would it...

      1. Anonymous Coward

        Re: Hang on a minute

        Reads a bit like you have 4 days to tell the market unless the police/justice tell you otherwise. And you did call the police right?

        Right?

        (In reality, good luck getting a call back from my local law enforcement in 4 days for an online attack.)

    2. Lil Endian Silver badge

      Re: Hang on a minute

      Before full analysis of a breach can be completed the cause is deemed "not fully understood". Shirley the assumption must be that it could (ie. will) impact national security and/or public safety - to assume otherwise would be remiss. Reveal a zero day? But, nah! Four days...

      And "national security" --- what about the security of your sister nations, the internet as a whole? "Meh, fuck it!"

      A great example of knee jerk regs by those wanting to look like they're doing their bit and... and.... aaaargh!!

      Perhaps report, but don't publicise FFS.

      [Edit: I see others have posted similar, didn't read down, apols for the hijacking.]

  3. chuckufarley Silver badge

    I knew it!

    El Reg works for the Feds!

    The rules, which take effect 30 days after being signed into the Federal Register later this year, will require publicly traded firms to openly disclose in a new section (Item 1.05) of Form 8-K any cybersecurity incident that has a material impact on their business.

    1. MachDiamond Silver badge

      Re: I knew it!

      "any cybersecurity incident that has a material impact on their business."

      That's poorly worded. Often, an attack has a material impact on the company's customers through the release of PII, credit card numbers, inventory of purchases, etc. The company itself may not have had any of its business data stolen (accounting, bank account numbers, executive private contact information, unreleased digital assets, marketing plans, etc).

  4. Claptrap314 Silver badge

    WAT?

    If recent post-mortems are anything to go by, then it is not unusual for it to take more than four days to even stop an active attack. And certainly more to determine the scope of the damage. I am certainly a fan of full and early disclosure, but this feels...premature.

    And yes, likely to make a stock choppy, which is really bad for average investors.

    1. Anonymous Coward

      Re: WAT?

      Not disclosing until insiders have unloaded their stock is what hurts average investors, which is why insider stock holders and insider short sellers don't like it.

      1. Marty McFly Silver badge

        Re: WAT?

        Insiders have huge restrictions on when they can trade. They cannot call their broker and sell today. They have to schedule their transactions in advance, cannot coincide with earnings announcements, etc. The further inside they are the longer the lead time and the more the restrictions.

        A better policy would be a mechanism to suspend any new insider trades from being scheduled once an attack is internally uncovered.

        1. Anonymous Coward

          Re: WAT?

          The way to succeed in insider trading would be to cooperate in sprawling scratch-my-back-and-I'll-scratch-yours networks that enable people who don't look like insiders to behave like insiders.

          1. doublelayer Silver badge

            Re: WAT?

            That happens and works, but regulators look for it and, if they find out, they will punish everyone in the group. Insider trading that goes that way usually leads to tax fraud because you can't explain how you came by the profits of that trade*, and that means that not only will the tax authorities be looking for it, but if you're caught, you'd likely be charged with tax evasion or money laundering in addition to insider trading. So yes, it can be done, but it's risky to attempt.

            * The person who engages in the trade can explain their profits and pretend they didn't know about the internal information. The person who leaked that information, on the other hand, will have to be paid off by that person somehow. If they just buy expensive stuff for the original source, it would be a lot of assets that they didn't earn, and if they pay it in cash, then the tax authorities will expect an explanation of why because it will affect how it is taxed. Not perfect, but it does work.

  5. Anonymous Coward

    Four Days........Someone, somewhere has a sense of humour!

    .....so.....the bad guys were exfiltrating data from Equifax for MONTHS......before someone at Equifax woke up!

    So.....four days after they woke up! Pathetic, really.

    What is needed is jail time for people who were (and are, elsewhere, today) asleep at the wheel for MONTHS!

    Link: https://en.wikipedia.org/wiki/2017_Equifax_data_breach

    1. James 139

      Re: Four Days........Someone, somewhere has a sense of humour!

      Does always make me wonder why they suddenly notice "data was accessed" long after the event, assuming it was a one off swipe, rather than an ongoing event.

      If it comes down to reviewing access logs, that's really quite terrible.

      1. doublelayer Silver badge

        Re: Four Days........Someone, somewhere has a sense of humour!

        Yes, that is often it. The malicious party was able to impersonate someone with access and access data in quantities small enough not to set off alarms, or if they're better at the job they disabled the alarms. The main way to figure out what happened is to go into the logs and look at what happened when you know that represented an external attacker, not an internal authorized person or system. More alarms would be useful, and some places are certainly guilty of not having them when they needed them, but sometimes they were there and the attacker managed to bypass them at the time.
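As an added illustration of the retrospective log review doublelayer describes (example code, not part of the thread), the constructed Python below shows why a per-query alarm never fires on small batches while a sliding 24-hour total per account still surfaces the pattern; the log lines, account names and both limits are assumptions.

```python
"""Retrospective log review for low-and-slow data access.

A per-query alarm only fires when one request returns more than
PER_QUERY_LIMIT records, so an account pulling small batches never
trips it. Summing each account's records over a sliding window shows
the pattern afterwards. All log lines and limits here are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

PER_QUERY_LIMIT = 100            # what the live alarm watches (assumed)
WINDOW = timedelta(hours=24)
WINDOW_LIMIT = 500               # records per account per window (assumed)

_START = datetime(2023, 7, 24, 0, 0, 0)
SAMPLE_LOG = "\n".join(
    # analyst: two sizeable but legitimate queries, under both limits
    ["2023-07-24T09:00:00 analyst 90", "2023-07-24T14:00:00 analyst 80"]
    # svc_report: 30 records every hour for 30 hours, never over 100 at once
    + [f"{(_START + timedelta(hours=h)).isoformat()} svc_report 30"
       for h in range(30)]
)

def parse(log_text):
    """Lines are '<ISO timestamp> <account> <records returned>'."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, account, count = line.split()
            events.append((datetime.fromisoformat(ts), account, int(count)))
    return sorted(events)

def per_query_alerts(events):
    """What the live alarm would have raised: nothing for small batches."""
    return [(ts, acct, n) for ts, acct, n in events if n > PER_QUERY_LIMIT]

def sliding_window_alerts(events):
    """First time each account's total inside any WINDOW exceeds WINDOW_LIMIT."""
    recent = defaultdict(deque)   # account -> (timestamp, records) in window
    totals = defaultdict(int)
    flagged = {}
    for ts, acct, n in events:
        recent[acct].append((ts, n))
        totals[acct] += n
        while ts - recent[acct][0][0] >= WINDOW:   # drop events outside window
            totals[acct] -= recent[acct].popleft()[1]
        if totals[acct] > WINDOW_LIMIT and acct not in flagged:
            flagged[acct] = (ts, totals[acct])
    return flagged
```

Running both functions over SAMPLE_LOG gives no per-query alerts at all, while the window check flags svc_report after 17 hourly pulls totalling 510 records.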

        1. Anonymous Coward

          Re: Four Days........Someone, somewhere has a sense of humour!

          "impersonate someone with access" typically equates to no alarms...

    2. Mike 137 Silver badge

      Re: Four Days........Someone, somewhere has a sense of humour!

      "asleep at the wheel for MONTHS!"

      For much longer than that in fact. The first problem was that, even when alerted to the hazard and provided with a fix in good time, they couldn't find the vulnerable service because there was no centralised inventory to refer to and the list of "responsible parties" was not up to date. The second was that they'd let the decryption certificate on their traffic filter appliance expire so it passed the attack and the exfiltration unchecked. Third, they'd allowed someone to store a plaintext list of server credentials on one of the first servers to be breached, permitting the attack to spread. I'm not sure what else they could have done to ensure they were vulnerable -- not just to this attack but to pretty much anything thrown at them. The underlying cause was a business policy -- prioritisation of service acquisitions over their proper integration and security management.

    3. Marty McFly Silver badge

      Re: Four Days........Someone, somewhere has a sense of humour!

      "Hi. We would like to offer you a job in InfoSec. You will be defending our company from all known & unknown cyber security threats and attacks."

      "Sounds good. When do I start?"

      "As soon as possible. Your predecessor just got hauled off to jail because the bad guys got lucky once. We not only made sure his Career Is Over, we ruined his life too. He was a good chap and did the best he could with the budget we gave him. You see, the government has to punish someone, and since they cannot catch the bad guys they now punish the good guys instead."

      "Isn't that like shooting the goalie every time the opposing team scores a point? No thanks, I'll pass on this job."

      1. CrackedNoggin Bronze badge

        Re: Four Days........Someone, somewhere has a sense of humour!

        That happens when it seems possible to get away without reporting and the onus is pushed onto the cyber security director to take responsibility, and the cyber security director accepts it. The case of Uber and Joseph Sullivan, along with strong whistleblower laws, should fix that.

  6. FlamingDeath Silver badge

    If I don’t look..

    If I don’t look then they’re not there, problem solved and cheaper! IF Until they say Boo! that is

    1. DJV Silver badge

      Re: If I don’t look..

      Aha, the ol' "Monster Under The Bed" tactics!

  7. Anonymous Coward

    4 days is good

    But only if the nat-sec companies have 8 days.

  8. Lil Endian Silver badge

    The Board's Role In Cyber Risk Management

    Get CISOs, CSOs, CTOs and CIOs etc that you trust, give them the budget they say they need, fuck off to the golf course.

    1. Claptrap314 Silver badge

      Re: The Board's Role In Cyber Risk Management

      Yes, but even that seems to be far too much to expect of many companies.

  9. Mike 137 Silver badge

    "First: get educated about key topics

    Second: engage with the CISO and other C-Suite leaders to better understand security gaps and resource needs

    Third: "Stay informed about ongoing reporting activities, ask questions, and work with the CISO and other leaders to understand cyber risk metrics"

    That's a summary of what ISO 27001 clause 5.1 "Leadership and commitment" says, but it hasn't apparently had much general effect so far. The average time to detection for security breaches is still in the order of several months, so it's hard to see how this new regime is going to work in practice.

    1. Anonymous Coward

      The average time to the "reported" detection date.

  10. MacGuffin

    Beware SCOTUS and the Major Questions Doctrine

    All one of those hacked companies has to do is file a lawsuit claiming the SEC has exceeded their authority and SCOTUS will decide against the SEC under the made-up Major Questions Doctrine.
