When should the data breach clock start?

One of the most difficult issues in enterprise cybersecurity – something the US Securities and Exchange Commission is now openly struggling with – is this: when should an enterprise report a data breach?

The easy part is, “how long after the enterprise became aware of the breach should it be disclosed?” Different compliance regimes specify different numbers, but they are relatively close, from 72 hours under GDPR to four business days under the SEC rule.

The hard part is defining when a corporate entity “knows” that something has happened. At what precise moment does Walmart or ExxonMobil know anything? (If the language said “when the Chief Financial Officer of the enterprise is convinced that a data breach has occurred,” this would be much simpler.)

To unravel this question of awareness, we must first break it down into two distinct aspects:

  1. What counts as reasonable evidence of a data breach?
  2. Who decides, on behalf of the business, that a data breach has occurred? The Security Operations Center (SOC) leader? The CISO? The CIO? The CEO? A subset of the board? The whole board? Just the chairman of the board?

Let’s start with element one. With the exception of obvious attacks – such as a ransomware attack where a ransom demand has been received along with proof of tampering – most attacks are discovered gradually. Someone in the SOC finds an anomaly or something else suspicious. Is that enough to report? Almost certainly not. Then a more senior person in the SOC takes a look.

If things still look bad, it goes to the CISO or the CSO. That executive might say, “You sold me. I must report this immediately to the CIO, the CSO and possibly the CEO.” Even then, the disclosure threshold has not yet been reached. Those other execs still need to weigh in.

Copyright © 2022 IDG Communications, Inc.
