Under that rule, if a company is being DDoSed constantly but their network is successfully mitigated against it, presumably they wouldn't need to disclose it.
But it would be in the general good of the public to be able to track these events, what their source is, etc.
At least this is a step in the right direction.
Next you'll want us to provide reporting on port scanning.
Yeah I'll get right on that. You can read the database yourself. ;-)
It isn't the SEC's job to track that data. It's the SEC's job to ensure companies are not lying to the point they're defrauding their owners. Take the complaint to the correct agency and let this one do its job.
Having to dedicate resources to scour through compromised data for PII instead of for forensic evidence before you even contain/eradicate a threat only helps threat actors. The public does not benefit from bad or inefficient incident response.
I am sure the HN crowd will get that this isn't something you can just throw manpower/bodycount at either to get a faster response. It takes as long as it has to take.
Huh? These new SEC rules are about 100% public notifications in 100% public SEC filings, unlike many state data breach laws. If a bit of information falls within the new SEC rules, literally anyone in the world who wants to look at the company's SEC filings gets to see the notification.
Nothing about this requires scouring through compromised data for PII before fixing the problem, because who gets notified under this rule does not depend on who was affected: the notification recipient is the whole world.
> They should be given enough time to thoroughly respond to it [...] It takes as long as it has to take.
Indeed, and the actual SEC rule is much more in line with what you're saying than the very misleading headline of this article. The actual rule requires them to notify (via public SEC filing) within four business days of determining that the cybersecurity incident is material, and that they must make the materiality determination without unreasonable delay after the incident. (There are other exceptions for e.g. delays warranted for national security reasons.)
So, if somehow it takes 5 business days after incident discovery to realize it's material because initial investigations which were not unreasonably delayed genuinely make it appear to be a tiny incident, and then a much larger impact is eventually determined, notifying within 9 business days of discovering the incident complies with this rule.
The article title is also misleading in other ways: aside from the difference between 4 business days and 4 calendar days, it's not true that the SEC "now requires" anything new. The rule won't have any effect before mid-December 2023, and some bits won't apply to smaller companies before mid-2024.
A much more accurate press release from the SEC, previously discussed on HN yesterday: https://www.sec.gov/news/press-release/2023-139
If they have 10 hypervisors ransomwared, is that material? If they had 1000 VMs on them, does that change? If half the company stopped work for a day, does that matter? If there was no PII or secrets on the 1000 VMs, is it still material?
The push to determine that before the investigation concludes, to avoid the risk of being accused "you knew about it long before notifying" and having to explain in court that materiality took time to determine, is a big legal liability/issue.
SRE: It looks like someone might be exfiltrating data from our network.
CISO: I doubt that. Look into it on Monday.
SRE: Today is Tuesday...
CISO: Look into it on Monday, we've got more important things to worry about. If you'll excuse me, I need to call some old frat-mates about their trading portfolios.
And good god, don't try to trade on this info; the SEC has a data team specifically looking for this signal.
https://www.velaw.com/insights/2021-was-a-mixed-year-for-the...
https://www.velaw.com/insights/utilizing-data-analytics-sec-...