Sunday, June 2, 2024

3 Key Golden Ways To Keep Up With The SEC Cyber Rules

There are many buzzwords floating about in the world of Cybersecurity today, and one of the biggest ones that has stayed around is “Risk”.  This term applies to all parts of our lives, and people have different ways of actually defining it.

For example, in the workplace, it could mean going above and beyond the call of duty to show your manager what you can do.  Or personally, it could mean doing something that is anxiety provoking, but you are still going to do it to face your fears.

Even in Cyber, businesses, and heck, even the Federal Government, have different ways of defining it.  But I have written a lot on this topic (in fact, even an entire book), and the way I think of it is this:  “The amount of downtime that a business can withstand after becoming a victim of a security breach”.

The true measure of this, though, is in the dollar amount.  For instance, an SMB could not afford much downtime, but a much larger company, like a Fortune 100, probably could.

But however you define Risk, it is certainly catching the attention of Cyber professionals across all levels.  So much so that even the SEC has now intervened and mandated that publicly traded companies must disclose if they are a victim of a security breach within a matter of days.  The exact text of this can be seen at the link below:

http://cyberresources.solutions/blogs/SEC.pdf

Under these new rules, a publicly traded company must report within four days not only if they have been impacted by a security breach, but also if any data leakages may have occurred as a result.  The main intention here is not only to protect shareholders and employees, but to keep a sense of calm amongst the financial markets in case something did actually happen.  To give you a sense of just how seriously the Federal Government takes this ruling by the SEC, the following incidents have been brought into the crosshairs for the Feds:

1)     Clorox:

They were impacted by a security breach in August of 2023.  The damage was far reaching, as it greatly affected the company’s supply chain.  The cost of the attack has been estimated to be as high as $65 million, much of which can be attributed to legal and forensic exam expenses.  The worst part of this is that Clorox knew it had grave vulnerabilities in its IT/Network Infrastructure for many years before it was impacted.  More details on this can be seen at the link below:

https://www.bloomberg.com/news/articles/2024-03-26/clorox-audit-flagged-systemic-flaws-in-cybersecurity-at-manufacturing-plants?embedded-checkout=true

2)     Prudential:

They were hit with a security breach in February of this year.  Fortunately, not much damage was done in the end, and the good news here is that the company actually reported this in time, pursuant to the SEC rules of disclosure.  Apparently, the Cyberattacking group was able to penetrate the IAM system of Prudential and, from there, exfiltrate over 36,000 PII datasets.  What was unique about this is that Prudential actually reported the incident before it discovered the loss of the datasets.  More information about this can be seen at the link below:

https://therecord.media/prudential-discloses-new-information-from-february-incident

3)     United Health:

They, too, suffered a massive security breach in February of this year.  The source of the attack was attributed to a nation state actor (such as Russia, China, North Korea, etc.).  The impact of this breach was far reaching, as it affected over 30 million people who rely upon United Health insurance to pay for their medical expenses.  Healthcare professionals were impacted as well.  Right now, the company faces at least 24 separate lawsuits, and costs that could very well exceed $1.6 billion.  Apparently, although the company did not publicly disclose this, it paid $22 million to the hacking group in order to get some control back over its IT/Network Infrastructure.  More details about this can be found at the link below:

https://www.forbes.com/sites/noahbarsky/2024/04/30/unitedhealths-16-billion-tally-grossly-understates-cyberattack-cost/?ss=cybersecurity&sh=1dabfb395aab

My Thoughts On This:

Apart from abiding by the tenets and provisions that have been established in the SEC ruling, as just reviewed, companies need to take a much more proactive stance to mitigate the risk of being impacted by a security breach:

•  Keep a constant vigilance:  In this regard, make use of a SIEM and other Generative AI tools that will help monitor all of your log files on a real-time basis.  Most importantly, they will be able to filter out the false positives, so that only the real and legitimate alerts are presented to your IT Security team.

•  Always be transparent:  Apart from reporting to the SEC, as a CISO, you must take responsibility for keeping all of the key stakeholders informed of what is happening.  This will save you great pain down the road if you are also faced with an audit under GDPR, CCPA, HIPAA, etc.

•  Share your intelligence:  The Cyber community is finally starting to realize that it literally “takes a village” in order to keep the Cyberattacking groups at bay.  But in order for this to happen, you have to share whatever intelligence you gather with both the private and public sectors (such as DHS, CISA, the FBI, etc.).
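The “keep a constant vigilance” point above describes what a SIEM rule does in practice: it reads log lines as they arrive, suppresses isolated noise, and only raises an alert when a pattern is actually suspicious.  The following is an added illustration of that idea and is not code from the post or from any SIEM product.  It assumes a constructed, sshd-style authentication log (the lines, IP addresses and usernames are made up for the example), and a hypothetical threshold rule: five or more failed logins from one source inside a one-minute window raises a medium alert, and a successful login from that same source after the burst escalates it to high.  Single failed logins that never reach the threshold are never shown to the analyst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the post): one burst of failures from a
# single source followed by a success, plus two isolated failures that are
# the kind of noise an analyst should never have to look at.
SAMPLE_LOG = """\
2024-06-02T10:00:01 sshd[101]: Failed password for admin from 203.0.113.7
2024-06-02T10:00:03 sshd[102]: Failed password for root from 203.0.113.7
2024-06-02T10:00:05 sshd[103]: Failed password for admin from 203.0.113.7
2024-06-02T10:00:07 sshd[104]: Failed password for backup from 203.0.113.7
2024-06-02T10:00:09 sshd[105]: Failed password for admin from 203.0.113.7
2024-06-02T10:00:11 sshd[106]: Accepted password for admin from 203.0.113.7
2024-06-02T10:02:00 sshd[107]: Failed password for alice from 198.51.100.4
2024-06-02T10:45:00 sshd[108]: Failed password for bob from 198.51.100.9
"""

# Hypothetical log format assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_lines(text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per source whose failures reach `threshold` within
    `window`.  A later success from an alerted source escalates severity."""
    recent_failures = defaultdict(list)   # src -> timestamps inside the window
    alerts = {}                           # src -> alert dict (one per source)
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["result"] == "Failed":
            # Sliding window: keep only failures no older than `window`.
            recent_failures[src] = [
                t for t in recent_failures[src] if ev["ts"] - t <= window
            ] + [ev["ts"]]
            if len(recent_failures[src]) >= threshold and src not in alerts:
                alerts[src] = {
                    "src": src,
                    "failures": len(recent_failures[src]),
                    "first_seen": recent_failures[src][0],
                    "severity": "medium",
                }
        elif ev["result"] == "Accepted" and src in alerts:
            # Success right after a burst of failures is the case that matters.
            alerts[src]["severity"] = "high"
            alerts[src]["compromised_user"] = ev["user"]
    return list(alerts.values())


def suppressed_event_count(events, alerts):
    """How many events were filtered out, i.e. never surfaced to the analyst."""
    alerted_sources = {a["src"] for a in alerts}
    return sum(1 for ev in events if ev["src"] not in alerted_sources)


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOG)
    found = detect_brute_force(evs)
    for a in found:
        print(f"[{a['severity'].upper()}] {a['src']}: {a['failures']} failures "
              f"since {a['first_seen'].isoformat()}"
              + (f", then login as {a['compromised_user']}" if "compromised_user" in a else ""))
    print(f"{suppressed_event_count(evs, found)} noise events suppressed")
```

The point of the sliding window is the false-positive filtering the bullet asks for: two failed logins forty minutes apart from different addresses are normal user error and stay out of the queue, while a burst that crosses the threshold becomes a single alert rather than five, and the follow-on success is what moves it to the top of the analyst's list.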
