19 comments

[ 2.8 ms ] story [ 58.8 ms ] thread
I'm in favor of mandating disclosure. I wish they hadn't limited it to the vague 'has material impact' definition.

Under that rule if a company is being DDOSed constantly but their network is successfully mitigated against it presumably they wouldn't need to disclose it.

But it would be in the general good of the public to be able to track these events, what their source is, etc.

At least this is a step in the right direction.

On some level I'm inclined to agree, but there is a point to be made here that sufficiently large targets are attacked virtually 24/7 and reporting all of those may result in burying legitimate threats in the noise.
Even a silly blog I linked on HN a couple of times has gotten attacked 24/7 for a couple years. I still get requests with log4j injection attacks. Pretty sure any IPv4 address and any registered domain will get attacked regularly, especially if it's hosting something - anything. Heck, I pinged every IPv4 addresses in 2012.
Why would I need to disclose an attack that did nothing? I work at a financial, and someone, somewhere, is trying to DDoS us all the time. Should we be publishing "yup, same as yesterday, people are trying to put us off line" every single day? And I have worked in several other DDoS attracting industries (European sports betting? OMFG so much DDoS). What is the "general good of the public to be able to track" when it is literally happening all the time?

Next you'll want us to provide reporting on port scanning.

> Next you'll want us to provide reporting on port scanning.

Yeah I'll get right on that. You can read the database yourself. ;-)

Not sure why you would need to report DDoSs anyways...
Material impact is the same guidance for non-cyber incidents. So it seems well established. The alternative would be a govt list of incidents and you would be complaining that we need a less brittle way of disclosure because the list is always 5 yrs behind.

It isnt the SECs job to track that data. Its the SECs job to ensure companies are not lying to the point they're defrauding their owners. Take the complaint to the correct agency and let this one do its job.

The cynic in me says this will incentivize execs to avoid starting the clock:

SRE: It looks like someone might be exfiltrating data from our network.

CISO: I doubt that. Look into it on Monday.

SRE: Today is Tuesday...

CISO: Look into it on Monday, we've got more important things to worry about. If you'll excuse me, I need to call some old frat-mates about their trading portfolios.

This isn't as good of a thing as you think. Instead of focusing on finding out the scope of the compromise and making sure the threat actors are contained and can't easily compromise again, incident responders will ger pressures to focus on answering questions about who gets notified. They should be given enough time to thoroughly respond to it and then notify everyone that needs notifying.

Having to dedicate resources to scour through compromised data for pii instead of for forensic evidence before you even contain/eradicate a threat only helps threat actors. The public does not benefit from bad or inefficient incident response.

I am sure HN crowd will get that this isn't something you can just throw manpower/bodycount at either to get a faster response. It takes as long as it has to take.

> This isn't as good of a thing as you think. Instead of focusing on finding out the scope of the compromise and making sure the threat actors are contained and can't easily compromise again, incident responders will ger pressures to focus on answering questions about who gets notified.

Huh? These new SEC rules are about 100% public notifications in 100% public SEC filings, unlike many state data breach laws. If a bit of information falls within the new SEC rules, literally anyone in the world who wants to look at the company's SEC filings gets to see the notification.

Nothing about this requires scouring through compromised data for pii before fixing the problem, because who gets notified under this rule does not depend on who was affected - the notification recipient is the whole world.

> They should be given enough time to thoroughly respond to it [...] It takes as long as it has to take.

Indeed, and the actual SEC rule is much more in line with what you're saying than the very misleading headline of this article. The actual rule requires them to notify (via public SEC filing) within four business days of determining that the cybersecurity incident is material, and that they must make the materiality determination without unreasonable delay after the incident. (There are other exceptions for e.g. delays warranted for national security reasons.)

So, if somehow it takes 5 business days after incident discovery to realize it's material because initial investigations which were not unreasonably delayed genuinely make it appear to be a tiny incident, and then a much larger impact is eventually determined, notifying within 9 business days of discovering the incident complies with this rule.

The article title is also misleading in other ways: aside from the difference between 4 business days and 4 calendar days, it's not true that the SEC "now requires" anything new. The rule won't have any effect before mid-December 2023, and some bits won't apply to smaller companies before mid-2024.

A much more accurate press release from the SEC, previously discussed on HN yesterday: https://www.sec.gov/news/press-release/2023-139

What exactly is "material", you scour pii to determine that. Malware infections are very common in big orgs, pii loss, secret data loss or service impact are the big ones to determine severity of an incident post compromise.

If they have 10 hypervisors ransomwared, is that material? If they had 1000 vms on them does that change? If half the company stopped work for a day does that matter? If there was no pii or secrets on the 1000vms is it still material?

The push to determine that before investigation concludes to avoid the risk of being accuses "you knew about it long before notifying" and explain in court materiality took time to determine is a big legal liability/issue.

The definition of material is the standard SEC definition of material nonpublic information and is not inherently linked to any of the hypotheticals you listed, except indirectly. It’s basically, would this significantly affect the stock price if investors were to hear about it? Executives at a public company should already be used to making that judgment call, and the only new thing as to materiality is that employees leading cybersecurity investigations at public companies will have to properly inform those executives in a timely manner.

This rule is not telling companies they have to rush to determine materiality - in particular, time from discovery of the incident is not what the four days in the article headline are referring to. The rule simply requires them to determine materiality “without unreasonable delay” after discovery of the incident. Only after such a materiality determination do the four business days kick in as a notification deadline.

So, if the delay is reasonable, then by definition it complies to take that long. In particular, a delay that is necessary to avoid disrupting a proper investigation would very likely be considered as reasonable. The company might have to be prepared to explain why both processes couldn’t overlap if the investigation stretches on a long time and no materiality determination has occurred, but okay, that’s fair enough to require.

The point of the “without unreasonable delay” restriction is because, without it, companies would just refuse to determine materiality ever, or they might do it slowly enough that the evidence necessary to declare materiality will usually have vanished, or similar bullshit. It’s to forbid circumventing the intent of the rule by sticking one’s head in the sand.

Dude just go look up the new k-8 item. Its like 4 questions . What happened, when did it start, is it stopped, and what are you doing about it? This new requirement changes nothing except they have to report the incident. Nobody stops working the issue just because this report is made.
Dude, read what I said again. It is what happens leading up to that report that I have an issue with. No matter what, it will affect stock prices! Don't tell me there is no pressure to make presumptions or interpret incomplete data , the stock drops and it turns out you were wrong and it's too late.
It seems that "cyberattack" will eventually replace "hacking" as the go-to word for every computer problem faced by a C-Suite sexagenarian.