Cyberattacks and data breaches have become increasingly common threats, with major incidents making headlines on a regular basis. These incidents expose weaknesses in cybersecurity infrastructure and cause economic and reputational damage to companies. Victims also grapple with understanding complex disclosure laws.
To address these problems, the Department of Justice (DOJ) recently released new guidelines to help provide clarity around cyber incident reporting obligations. This comes after past incidents revealed unclear requirements that hindered transparent disclosures.
Background on Disclosure Issues
The Securities and Exchange Commission (SEC) requires publicly traded companies to disclose material cybersecurity risks and incidents. However, the requirements lacked specificity on when and what needed disclosure after breaches. Companies struggled to interpret what constituted "materiality". As a result, major incidents either went undisclosed or were revealed after long delays.
In 2018, the SEC issued guidance to clarify these rules. However, companies still found requirements ambiguous, especially around providing updates. DOJ aims to build on the SEC guidance to further aid cyber breach victims.
Key Details from the DOJ Guidelines
The new guidelines provide direction to organizations that fall victim to cyberattacks on interpreting disclosure laws. This includes insights on:
- Determining materiality of incidents
- Navigating disclosure exceptions and timing
- Understanding what updates need to be provided
- Deciding what details to disclose while protecting sensitive information
The guidelines also offer examples of previous major breaches and how disclosure decisions should have been made in those cases.
Additionally, accompanying FBI guidance assists victims in handling investigations and engaging with law enforcement regarding incidents.
Expected Impact
These guidelines signify an important step toward more transparent public reporting around cyber events. By clarifying fuzzy areas of disclosure laws, they provide victims a clearer roadmap on handling communication. This should lead to timelier notifications on breaches when warranted.
More clarity may also help rebuild public trust after high-profile incidents where lack of updates frustrated customers and partners. Open sharing of cyber threats also allows industry and government to better understand problems and develop systemic solutions.
The ability for companies to have more certainty around disclosures facilitates increased diligence around cyber risks. It also puts more pressure on organizations to invest in robust security, while giving victims a framework for responsible public updates.
This news is a reminder that no organization is immune to hacking. Businesses and individuals need to be vigilant and take steps to protect their data. Some of the best ways to protect yourself from hacking include using strong passwords, enabling two-factor authentication, and keeping your software up to date.
In a hybrid work world, an effective balance between flexibility, productivity, and robust cybersecurity measures is crucial. Without it, businesses face a ticking time bomb of security threats. As businesses continue to navigate the challenges of the hybrid work model, partnership with a skilled MSP is no longer a luxury but a necessity to stay secure and in business. Protecting yourself is getting tougher, but it must be done to keep your business, government agency, school, state, city, or other organization running. Ask the Hybrid Work Experts at Apex Technology Services about how they can help your organization stay secure.