Governments are considering measures to improve the reporting and compliance standards for security incidents at organizations. After decades in which private-sector organisations were left to deal with cyber incidents on their own, the ramifications of cyberattacks have spread across societies and borders, and a tipping point has been reached in the cybersecurity industry. Governments are considering new laws and regulations, some of them stringent. Lawmakers rarely have a firm grasp of the technology they are aiming to control and often struggle to regulate it. The consequences, impacts, and uncertainties for companies are not realized until after the fact.
The Federal Trade Commission, Food and Drug Administration, Department of Transportation, Department of Energy, and Cybersecurity and Infrastructure Security Agency are all working on new rules. In 2021, 36 states enacted new cybersecurity legislation. China and Russia have data localization requirements, India has CERT-In incident reporting requirements, and the EU has its own incident reporting requirements.
What is unknown about the mechanism of reporting a cyberattack
Companies should now focus on the kinds of regulations being considered, ascertain the uncertainties and potential impacts, and prepare to act now. We don’t know a lot about cyber attacks. Most cybersecurity attacks are not required to be reported, because existing regulations focus on privacy. Theft of private information, such as names and credit card numbers, must be reported. In other cases, such as the Colonial Pipeline shutdown, no report was required because no personal information was stolen, although it is difficult to keep such an incident secret when thousands of gasoline stations are left without fuel. It is almost impossible to know how many cyberattacks there are and what form they take. Some say only 25% of incidents are reported, others say only 18%, and so on. The truth is that we don’t know what we don’t know, and that is a very bad situation. As Peter Drucker said: “If you can’t measure it, you can’t manage it.”
New ways of reporting such incidents after the amendment
Governments have decided that this approach is not viable. In the United States, for instance, the White House, Congress, the Securities and Exchange Commission (SEC), and many other agencies and local governments are considering, pursuing, or starting to enforce new rules that would require companies to report cyber incidents.
To a great extent, these rules are inspired by aviation safety, where airlines are required to file a report on crashes and near misses so that future mistakes can be avoided. These regulations have been in place for years, in response to crashes such as the Germanwings Flight 9525 crash, in which co-pilot Andreas Lubitz deliberately flew the Airbus A320 supersonically.
A similar requirement for cybersecurity seems very reasonable. Someone who helps an employee hack a system from their personal computer seems like a cybersecurity threat. However, the boundaries of a cybersecurity incident, unwelcome as it may be, are much less clear than those of a near miss between two aircraft. A cybersecurity incident is something that could lead to a cybersecurity breach, but it does not need to have become an actual breach.
Companies are trying to navigate this legal gray area. A web user being denied login because the password is not accepted is not really an imminent threat. A phishing email is not a legitimate email from a trusted source, but is it an incident? What about someone who tries to log in to the system and is denied because the password is not accepted? What if an attacker recruits an insider, and the collaborator is discovered and expelled before any damage is done? These are the questions firms need to answer in light of the legal precedent.
Effective measures to be implemented
Companies and regulators have to strike a balance: meaningful incidents need to be reported in a timely manner if organizations want to be safer. There are nearly 200,000 known vulnerabilities in the National Vulnerability Database, but only a small number of them are being exploited in cyberattacks. Knowing which vulnerabilities are actually being exploited lets companies prioritize fixing those first. Under an overly broad definition, a large company might be required to report thousands of incidents per day, even if most were ignored or repelled. The agency that had to process and make sense of such a volume of reports would carry an enormous burden. International companies will need to navigate the different reporting standards in the European Union, Australia, and elsewhere, including how quickly a report must be filed, whether that is six hours in India, 72 hours in the EU, or four business days in the US.
How should organisations prepare for the incoming regulations?
Make sure procedures are up to date. Companies subject to SEC regulations need to quickly define “materiality” and review their current policies and procedures for determining whether “materiality” applies in light of these new regulations. If such decisions must be made frequently and quickly, the procedures will need revising.
Organisations must stay up to date on security policies
Regulations are being formulated to make it a crime to pay a ransom after a ransomware attack. Organisations have to consider the changes to cyber security policies that are being formulated, and a policy such as cooperating with ransomware operators to mitigate the risks should be carefully reviewed.

Many companies did not know they were exposed to the log4j vulnerability because log4j was bundled inside other software they used. The proposed regulations would require companies to maintain a detailed and up-to-date “Software Bill of Materials” (SBOM) so they can quickly and accurately know all the different pieces of software embedded in their complex computer systems. Significant changes to the way software is developed and acquired in your company may be required if you adopt an SBOM, and management should review the impact of these changes.

Someone, or quite likely a group of individuals in your company, must review the new or proposed regulations and evaluate the impacts they will have on your business. The regulations are unlikely to be just technical details left to your information technology or cybersecurity teams; they will have wide-ranging implications and could significantly impact many of your policies and procedures. Remember, these are almost never just technical details: the impact you realize will also involve the company changing a policy or implementing a new rule en masse throughout your organization. Typical improvements to pursue are balancing the risks associated with the various implementations, as discussed.
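The log4j case above is exactly the question an SBOM is meant to answer: is a given library present anywhere in our products, including bundled inside something else, and at which version? The following is an added example, not code from the article: it walks a small CycloneDX-style SBOM (constructed here for illustration, including nested components to model bundling) and lists every copy of a named component whose version falls inside a range; the range passed in the call is an assumed policy input, not a value the article supplies.

```python
"""Query a CycloneDX-style SBOM for components inside an affected version
range (added example; the SBOM and the range are constructed, not from the article)."""
import json
from typing import Iterator

# Constructed SBOM: log4j-core appears nested inside two products and once at top level
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"name": "billing-service", "version": "3.2.0", "components": [
            {"name": "log4j-core", "group": "org.apache.logging.log4j", "version": "2.14.1"},
            {"name": "log4j-api", "group": "org.apache.logging.log4j", "version": "2.14.1"}]},
        {"name": "reporting-tool", "version": "1.0", "components": [
            {"name": "log4j-core", "group": "org.apache.logging.log4j", "version": "2.17.1"}]},
        {"name": "log4j-core", "group": "org.apache.logging.log4j", "version": "2.0-beta9"},
    ],
})

def parse_version(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1, 1, ''); '2.0-beta9' -> (2, 0, 0, 0, 'beta9').
    The fourth field makes a pre-release sort below the release of the same base."""
    base, _, pre = v.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in base.split("."))
    nums = (nums + (0, 0, 0))[:3]           # pad so "2.14" == "2.14.0"
    return nums + ((0, pre) if pre else (1, ""))

def walk(components: list, path: tuple = ()) -> Iterator[tuple]:
    """Yield (path, component) for every component, recursing into bundled ones."""
    for c in components:
        here = path + (c.get("name", "?"),)
        yield here, c
        yield from walk(c.get("components", []), here)

def find_affected(sbom_json: str, name: str, lo: str, hi: str) -> list:
    """Paths ('/'-joined) of components called `name` with lo <= version <= hi."""
    lo_t, hi_t = parse_version(lo), parse_version(hi)
    hits = []
    for path, c in walk(json.loads(sbom_json).get("components", [])):
        if c.get("name") == name and lo_t <= parse_version(c.get("version", "0")) <= hi_t:
            hits.append("/".join(path))
    return hits

if __name__ == "__main__":
    # Assumed range for the check, not a value taken from the article
    print(find_affected(SAMPLE_SBOM, "log4j-core", "2.0-beta9", "2.14.1"))
```

The path returned for each hit shows which product the library is bundled in, which is the information a company needs before it can decide whether an incident threshold has been reached.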