Sunday , December 1 2024

New rules to Reveal Cyber Attacks Within 4 Days

Securities and Exchange Commission (SEC) of United States has recently given its approval to groundbreaking regulations. These regulations oblige publicly traded companies to promptly disclose any significant cyberattacks within a maximum of four days of detection. This marks a significant departure from the previous method of disclosing computer breaches.

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC chair Gary Gensler said. Public companies now offer cybersecurity disclosure to investors in great numbers. Making this disclosure in a consistent, comparable, and decision-useful manner would greatly benefit both companies and investors.

Workshop on “DDoS use cases & solutions for government & BFSI” held at BCS

A workshop on "DDoS use cases & solutions for government & BFSI" held at Bangladesh computer society premises on Saturday...
Read More
Workshop on “DDoS use cases & solutions for government & BFSI” held at BCS

Uganda confirms hack of central bank accounts, Refutes $17 Million Claim

Uganda’s finance ministry confirmed media reports that hackers breached the central bank’s systems and stole money, but refuted the claims...
Read More
Uganda confirms hack of central bank accounts, Refutes $17 Million Claim

CVE-2024-11667
Hackers actively exploiting Zyxel firewall to deploy Ransomware

CERT Germany and Zyxel have alerted about a serious vulnerability in Zyxel firewalls, identified as CVE-2024-11667. This flaw is being...
Read More
CVE-2024-11667  Hackers actively exploiting Zyxel firewall to deploy Ransomware

Daily Security Update Dated: 29.11.2024

Every day a lot of cyberattack happen around the world including ransomware, Malware attack, data breaches, website defacement and so...
Read More
Daily Security Update  Dated: 29.11.2024

CIRT-in flags Critical Flaw in Oracle Agile PLM Framework

CERT-In has flagged a security vulnerability in Oracle’s Agile Product Lifecycle Management (PLM) software, identified as CVE-2024-21287 and cataloged as...
Read More
CIRT-in flags Critical Flaw in Oracle Agile PLM Framework

Microsoft patches four vulnerabilities in its services

On November 26th, Microsoft patched four vulnerabilities detected in Dynamics 365 Sales, the Partner.Microsoft.Com portal, Microsoft Copilot Studio and Azure...
Read More
Microsoft patches four vulnerabilities in its services

Data broker exposes 600K+ passwordless sensitive files online

SL Data Services/Propertyrec, an information research provider exposes a non-password-protected database containing more than 600K records according to the security...
Read More
Data broker exposes 600K+ passwordless sensitive files online

Cloudflare logs faces major failure, losing 55% of user data

Cloudflare suffered an incident roughly 3.5 hours On November 14, 2024 impacting the majority of customers using Cloudflare Logs. Cloudflare...
Read More
Cloudflare logs faces major failure, losing 55% of user data

VMware Patched critical flaw in Aria Operations

VMware revealed several critical vulnerabilities in its Aria Operations product, with the most severe allowing attackers to gain root user...
Read More
VMware Patched critical flaw in Aria Operations

HDFC Life hit by data breach, begins investigation

On Monday, Indian HDFC life insurance said, They got some instances of data leaks. "We have received communication from an...
Read More
HDFC Life hit by data breach, begins investigation

In order to achieve this goal, the new requirements oblige companies to disclose not only the nature, scope, and timing of the iPlease simplify the text below, while retaining its main idea.

“Please provide a detailed report not only describing the incident, but also explaining its impact.” Disclosure may be delayed by up to 60 days if it is determined that providing specific information would endanger national security or public safety.

Registrants must provide an annual description of the methods and strategies used to assess, identify, and manage material risks from cybersecurity threats. They must also report on the material effects or risks resulting from these events, and provide information on ongoing or completed remediation efforts.

“The key word here is ‘material’ and being able to determine what that actually means,” Safe Security CEO Saket Modi told The Hacker News. “Most organizations are not prepared to comply with the SEC guidelines as they cannot determine materiality, which is core to shareholder protection. They lack the systems to quantify risk at broad and granular levels.”

The rules do not cover specific technical information about the registrant’s planned response to the incident, their cybersecurity systems, related networks and devices, or potential system vulnerabilities that could hinder their response or fixing of the incident.

Proposed in March 2022, this policy aims to enhance transparency regarding the threats that American companies encounter from cybercrime and nation-state actors. Its objectives include closing gaps in cybersecurity defense and disclosure practices, as well as strengthening systems against data theft and intrusions.

Kroll reports that Cl0p, a ransomware gang, has been on a cyber attack rampage, targeting over 500 companies. These attacks have been possible due to the gang’s exploitation of critical vulnerabilities in commonly used enterprise software. Furthermore, Kroll reveals that the threat actors have adopted innovative data exfiltration techniques, successfully stealing valuable information.

According to Amit Yoran, Tenable’s CEO and Chairman, the recently implemented regulations regarding cyber risk management and incident disclosure are not just accurate, but also represent a significant leap towards achieving enhanced transparency and accountability.

Yoran stressed the need to inform investors about an organization’s efforts in managing cyber risks. This is crucial because cyber breaches can have serious consequences and damage the organization’s reputation.

However, some people have expressed concerns about the tight timeframe, as it could potentially lead to inaccurate disclosures. This is because companies may need several weeks or even months to thoroughly investigate a breach. Furthermore, issuing breach notifications prematurely can potentially alert other malicious individuals to a vulnerable target and intensify security threats.

James McQuiggan, security awareness advocate at KnowBe4, acknowledged that the new SEC requirement of reporting cyber attacks or incidents within four days may appear aggressive at first glance. However, he pointed out that compared to other countries, this timeframe is actually more lenient.

“Within the E.U., the U.K., Canada, South Africa, and Australia, companies have 72 hours to report a cyber incident. In other countries like China and Singapore, it’s 24 hours. India has to report the breach within six hours.”

“Organizations should have clear and documented incident response plans that include communication plans, procedures, and requirements for involving relevant personnel,” explained McQuiggan.

Check Also

flowchart

Cloudflare logs faces major failure, losing 55% of user data

Cloudflare suffered an incident roughly 3.5 hours On November 14, 2024 impacting the majority of …

Leave a Reply

Your email address will not be published. Required fields are marked *