When should the data breach watch start?

One of the toughest issues in corporate cybersecurity, one that the US Securities and Exchange Commission is openly wrestling with, is when should a business report a data breach?

The simplest part is, "how long after the company becomes aware of the breach must it disclose?" Different compliance regimes set different deadlines, but they are relatively close: 72 hours under the GDPR, four business days under the SEC's rule.

The hard part is defining when a corporate entity really "knows" that something has happened. When exactly did Walmart or ExxonMobil find out? (If the language said "when the CFO of the company is satisfied that a data breach has occurred" it would be much simpler.)

To understand this problem of awareness, we must first break it down into two distinct elements:

  • What constitutes reasonable evidence of a data breach?
  • Who should make the data breach determination for a company? The head of the Security Operations Center (SOC)? The CISO? The CIO? The CEO? A subset of the board of directors? The whole board? Maybe just the chairman of the board?

Let's start with the first element. With the exception of obvious attacks, such as a ransomware attack where a ransom demand has been received, most attacks come to light gradually. Someone in the SOC detects an anomaly or something suspicious. Is that enough to report? Almost certainly not. Then someone higher up in the SOC gets involved.

If things still look bad, this is reported to the CISO or CSO. This leader might say, "You've convinced me. I need to report this immediately to the CIO, the CFO and possibly the CEO." Even then, the disclosure stage has not yet been reached. Those other leaders should weigh in.

More likely, though, the CISO/CSO will respond with something like, "You haven't figured it all out yet. It could still be any of a hundred different things. Look at the backups, do comparisons, check the dark web for some confirmation. Keep investigating."

Has the clock started yet? Again, probably not. A company cannot report every cybersecurity investigation. The level of evidence required to justify public disclosure is high. After all, pity the poor executive who reports a breach that turns out to be nothing.

Another factor: Most cyberthieves and cyberterrorists are good at hiding their tracks and leaving misleading clues. Tampering with logs is common, meaning IT security can only trust logs so far, at least initially. Remember how often the first forensic report differs significantly from the second. It simply takes time, even for experienced forensic investigators, to separate the truth from whatever misleading evidence attackers leave behind.

As for the second element, who should make the final determination that a data breach has occurred? An argument can be made for the best cybersecurity expert (presumably the CISO/CSO) or for the most accountable people in the company (the CEO or the board of directors), but for some companies the Chief Risk Officer may be a good candidate.

Does each company choose for itself? Should regulators decide? Or should regulators let each company decide for itself who the responsible person will be and report that title to regulators?

Jim Taylor, product manager at cybersecurity vendor SecurID, says the trigger should occur directly in the SOC. "The fact that something hits your fence is not a trigger. Maybe it's the lead analyst, maybe it's the lead of the SOC," Taylor said. "There has to be a fault, a responsibility for these things."

But being forced to decide too soon can be problematic. Report a breach too early and you're in trouble. Report a breach too late and you're in trouble. "You're damned if you do and damned if you don't," Taylor said.

The truth is that this is difficult, and it should be. Every breach is different, every business is different, and rigid rules defining the moment of awareness are likely to create more problems than they solve.

"The nature of how the breach occurred is an important factor in knowing when to disclose it," said Alex Lisle, CTO at Kryptowire, another cybersecurity firm. "If you think about it long enough to hire a forensics team, then you should seriously consider reporting it."

There was a great line on the old TV show "Scrubs" where a doctor in charge of a testing lab asks someone who wants a retest, "Do you think I was wrong, or do you hope I was wrong?" This line often applies when multiple people are trying to determine whether the company has really been breached. Does the team already know it was hit and hope further investigation will disprove it? Or does the team genuinely not know yet?

That's where a designated breach-determination officer should step in, relying on experience and, honestly, strong intuition. Some parts of cybersecurity are pure science. Deciding very early whether data has actually been compromised often isn't.

Copyright © 2022 IDG Communications, Inc.