Page 34 - Cyber Defense eMagazine October 2023

Mitigating legal exposure. Companies impacted by a cybersecurity incident may face legal action from
            affected customers or investors.



            The Significance of Time and Materiality

            Historically, organizations have adopted incident reporting and response processes based on their own
            needs and requirements. Aside from general SOX (Sarbanes-Oxley Act) guidelines, there were no U.S.
            federal laws that required specific timeframes for companies to report material cybersecurity incidents to
            the public or regulatory authorities.

            The new SEC rules have dramatically changed the playing field by introducing the four-business-day incident
            reporting requirement. While 'four business days' is very specific, the clock starts when the company
            determines that the incident is material, and that determination must be made "without unreasonable delay"
            after discovery; neither 'unreasonable delay' nor 'materiality' itself has been defined with any precision.
            These ambiguities will create challenges during the early days of the regulations. Companies will need to
            document and execute against their own definitions of time and materiality, testing not only their
            detection tools and workflows but their overall security governance.



            Interpreting the Rules: The Stakes Will Be High

            These grey areas are even more concerning given the expectation of significant penalties for non-
            compliance. Security professionals predict that enforcement actions will follow soon and that penalties may
            run into millions of dollars. Just as importantly, the range of incidents whose materiality must be assessed
            is broad and could include situations such as:


            Losing or exposing secrets publicly in an open-source library (e.g., API keys). This may or may not be
            deemed material, depending on what access those keys provided.

            An executive laptop was lost or stolen with a live session still logged in (e.g., SSO). This could be
            considered material, with an impact on investors.

            You detected a DDoS attack against your cloud-native retail application, and the system wasn’t available
            for a short time. Is five minutes of downtime material? How about three hours or three days?

            Until the regulations are interpreted and enforced over time and fines normalized, companies will need
            to err on the side of caution to avoid potential infractions and the resulting penalties.
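            Whether five minutes or three hours of downtime is material is a judgement call, but the number itself, and
            the time at which the incident was first detected, should come straight out of the central log store rather
            than from memory. The following script is an added example, not code from the magazine or from any vendor
            it mentions: it takes constructed health-check log lines for a hypothetical "shop-web" service (two
            collectors reporting in different UTC offsets, a common source of wrong timelines), normalizes them to UTC,
            derives the outage windows and total downtime, and computes the four-business-day disclosure deadline from
            an assumed materiality-determination date. The log format, host names and service name are assumptions.

```python
import re
from datetime import date, datetime, timedelta, timezone

# Constructed sample: health-check results for a hypothetical "shop-web"
# service as they might land in a central log store. Collector lb02 reports
# in +02:00, lb01 in UTC; the timeline is only right after normalization.
SAMPLE_LOGS = """\
2023-10-02T13:59:30+00:00 lb01 healthcheck service=shop-web status=UP latency_ms=88
2023-10-02T14:00:00+00:00 lb01 healthcheck service=shop-web status=DOWN error=timeout
2023-10-02T16:00:30+02:00 lb02 healthcheck service=shop-web status=DOWN error=timeout
2023-10-02T14:03:00+00:00 lb01 healthcheck service=shop-web status=DOWN error=timeout
2023-10-02T14:05:00+00:00 lb01 healthcheck service=shop-web status=UP latency_ms=140
2023-10-02T18:10:00+02:00 lb02 healthcheck service=shop-web status=DOWN error=timeout
2023-10-02T16:12:00+00:00 lb01 healthcheck service=shop-web status=UP latency_ms=95
"""

# Assumed line layout: "<iso-timestamp> <host> healthcheck service=<name> status=UP|DOWN ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) healthcheck service=(?P<service>\S+) status=(?P<status>UP|DOWN)"
)


def parse_line(line):
    """Parse one log line into (utc_timestamp, host, service, status), or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)  # normalize every collector to UTC
    return ts, m["host"], m["service"], m["status"]


def outage_windows(log_text, service):
    """Return (start, end) UTC windows during which `service` was DOWN.

    Events are sorted after normalization so collectors in different zones
    interleave correctly; repeated DOWN reports extend the open window rather
    than starting a new one. An outage still open at the end of the log is
    returned with end=None.
    """
    events = sorted(
        e for e in (parse_line(ln) for ln in log_text.splitlines()) if e and e[2] == service
    )
    windows, down_since = [], None
    for ts, _host, _svc, status in events:
        if status == "DOWN" and down_since is None:
            down_since = ts
        elif status == "UP" and down_since is not None:
            windows.append((down_since, ts))
            down_since = None
    if down_since is not None:
        windows.append((down_since, None))
    return windows


def total_downtime(windows, as_of=None):
    """Sum the outage windows; an open window is measured up to `as_of`."""
    total = timedelta()
    for start, end in windows:
        if end is None:
            if as_of is None:
                raise ValueError("open outage window: pass as_of to measure it")
            end = as_of
        total += end - start
    return total


def timeline(log_text, service):
    """First-detection time, outage windows and total downtime for the incident record."""
    windows = outage_windows(log_text, service)
    return {
        "first_detected": windows[0][0] if windows else None,
        "windows": windows,
        "total_downtime": total_downtime(windows) if all(w[1] for w in windows) else None,
    }


def disclosure_deadline(determined_on):
    """Four business days after the day materiality was determined (the Form 8-K clock).

    Assumption: only Saturday and Sunday are skipped; a real implementation must
    also exclude U.S. federal holidays, which this example does not model.
    """
    if isinstance(determined_on, str):
        determined_on = date.fromisoformat(determined_on)
    d, remaining = determined_on, 4
    while remaining:
        d += timedelta(days=1)
        if d.weekday() < 5:  # Monday=0 ... Friday=4
            remaining -= 1
    return d


if __name__ == "__main__":
    tl = timeline(SAMPLE_LOGS, "shop-web")
    print("first detected:", tl["first_detected"].isoformat())
    for start, end in tl["windows"]:
        print("down", start.time(), "->", end.time() if end else "ongoing")
    print("total downtime:", tl["total_downtime"])
    # Assumed: materiality determined on Thursday 2023-10-12.
    print("disclosure deadline:", disclosure_deadline("2023-10-12"))
```

            Note that the two DOWN reports from lb02 carry +02:00 offsets; without the `astimezone(timezone.utc)` step
            they would sort two hours late and produce a second, fictitious outage. The deadline helper deliberately
            starts from the materiality determination date, not the first-detection time, because that is how the rule
            is written; the gap between the two is what an examiner will ask about.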



            The Importance of Security Logs

            Security log analytics and management are critical to cybersecurity. Logs are the first things security pros
            examine if they suspect a cyber incident. To maximize their effectiveness, companies must quickly and
            efficiently capture log data in a central repository for monitoring and analysis. They also require best-in-
            class detection and response capabilities, a trained team, and a well-documented security operations





            Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.