Sunday , July 20 2025

New rules to Reveal Cyber Attacks Within 4 Days

Securities and Exchange Commission (SEC) of United States has recently given its approval to groundbreaking regulations. These regulations oblige publicly traded companies to promptly disclose any significant cyberattacks within a maximum of four days of detection. This marks a significant departure from the previous method of disclosing computer breaches.

“Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors,” SEC chair Gary Gensler said. Public companies now offer cybersecurity disclosure to investors in great numbers. Making this disclosure in a consistent, comparable, and decision-useful manner would greatly benefit both companies and investors.

HPE alerts of hardcoded passwords in Aruba access points

Hewlett-Packard Enterprise (HPE) warns that Aruba Instant On Access Points have hardcoded credentials, enabling attackers to skip normal authentication and...
Read More
HPE alerts of hardcoded passwords in Aruba access points

Akira Ransomware Allegedly Compromise 12 Companies in 72 Hours

The Akira ransomware group increased its attacks, adding 12 new victims to its dark web portal from July 15 to...
Read More
Akira Ransomware Allegedly Compromise 12 Companies in 72 Hours

Singapore urgently engage military force to tackle ‘serious’ cyberattack

Defence Minister Chan Chun Sing said these select units will work with the Cyber Security Agency (CSA) in a united...
Read More
Singapore urgently engage military force to tackle ‘serious’ cyberattack

Hackers infect 10M Androids with BADBOX 2.0

Google is suing 25 unidentified cybercriminals thought to be from China for running BADBOX 2.0, a major global botnet with...
Read More
Hackers infect 10M Androids with BADBOX 2.0

Oracle Patched 200 Vulns With July 2025 CPU

Oracle's July 2025 Critical Patch Update includes 309 new security patches, with 127 addressing remotely exploitable vulnerabilities. SecurityWeek found about...
Read More
Oracle Patched 200 Vulns With July 2025 CPU

Ivanti Zero-Days Exploited to Drop MDifyLoader

Cybersecurity researchers have revealed a new malware named MDifyLoader, linked to cyber attacks using security vulnerabilities in Ivanti Connect Secure...
Read More
Ivanti Zero-Days Exploited to Drop MDifyLoader

CISA added Fortinet FortiWeb vul to KEV catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a crucial vulnerability in Fortinet FortiWeb in its Known Exploited Vulnerabilities...
Read More
CISA added Fortinet FortiWeb vul  to KEV catalog

Adoption Agency Exposes One Million+ Records

Security researcher Jeremiah Fowler discovered an online database exposing sensitive information from an adoption agency. Jeremiah Fowler Jeremiah specializes in...
Read More
Adoption Agency Exposes One Million+ Records

CVE-2025-20337
Patch Now! Cisco ISE bug allows pre-auth command execution

A critical vulnerability in Cisco Identity Services Engine (ISE) and Cisco ISE-PIC, identified as CVE-2025-20337, has a CVSS score of...
Read More
CVE-2025-20337  Patch Now! Cisco ISE bug allows pre-auth command execution

BD Bank Honours PABC Officials for Foiling $20 Million Cyber Fraud Attempt

On Tuesday, Bangladesh Bank organized a special award ceremony at its headquarters in Dhaka to formally recognize and honor a...
Read More
BD Bank Honours PABC Officials for Foiling $20 Million Cyber Fraud Attempt

In order to achieve this goal, the new requirements oblige companies to disclose not only the nature, scope, and timing of the iPlease simplify the text below, while retaining its main idea.

“Please provide a detailed report not only describing the incident, but also explaining its impact.” Disclosure may be delayed by up to 60 days if it is determined that providing specific information would endanger national security or public safety.

Registrants must provide an annual description of the methods and strategies used to assess, identify, and manage material risks from cybersecurity threats. They must also report on the material effects or risks resulting from these events, and provide information on ongoing or completed remediation efforts.

“The key word here is ‘material’ and being able to determine what that actually means,” Safe Security CEO Saket Modi told The Hacker News. “Most organizations are not prepared to comply with the SEC guidelines as they cannot determine materiality, which is core to shareholder protection. They lack the systems to quantify risk at broad and granular levels.”

The rules do not cover specific technical information about the registrant’s planned response to the incident, their cybersecurity systems, related networks and devices, or potential system vulnerabilities that could hinder their response or fixing of the incident.

Proposed in March 2022, this policy aims to enhance transparency regarding the threats that American companies encounter from cybercrime and nation-state actors. Its objectives include closing gaps in cybersecurity defense and disclosure practices, as well as strengthening systems against data theft and intrusions.

Kroll reports that Cl0p, a ransomware gang, has been on a cyber attack rampage, targeting over 500 companies. These attacks have been possible due to the gang’s exploitation of critical vulnerabilities in commonly used enterprise software. Furthermore, Kroll reveals that the threat actors have adopted innovative data exfiltration techniques, successfully stealing valuable information.

According to Amit Yoran, Tenable’s CEO and Chairman, the recently implemented regulations regarding cyber risk management and incident disclosure are not just accurate, but also represent a significant leap towards achieving enhanced transparency and accountability.

Yoran stressed the need to inform investors about an organization’s efforts in managing cyber risks. This is crucial because cyber breaches can have serious consequences and damage the organization’s reputation.

However, some people have expressed concerns about the tight timeframe, as it could potentially lead to inaccurate disclosures. This is because companies may need several weeks or even months to thoroughly investigate a breach. Furthermore, issuing breach notifications prematurely can potentially alert other malicious individuals to a vulnerable target and intensify security threats.

James McQuiggan, security awareness advocate at KnowBe4, acknowledged that the new SEC requirement of reporting cyber attacks or incidents within four days may appear aggressive at first glance. However, he pointed out that compared to other countries, this timeframe is actually more lenient.

“Within the E.U., the U.K., Canada, South Africa, and Australia, companies have 72 hours to report a cyber incident. In other countries like China and Singapore, it’s 24 hours. India has to report the breach within six hours.”

“Organizations should have clear and documented incident response plans that include communication plans, procedures, and requirements for involving relevant personnel,” explained McQuiggan.

Check Also

FortiWeb

CVE-2025-25257
Fortinet Addresses Major SQL Injection Flaw in FortiWeb

Fortinet has issued a critical patch for a critical vulnerability in its FortiWeb product, a …

Leave a Reply

Your email address will not be published. Required fields are marked *