Organizations will struggle to meet cyber incident disclosure deadlines
In light of President Biden's new legislation requiring critical infrastructure organizations to disclose cyber incidents to the government within 72 hours, new research from BitSight shows how unprepared many are to meet the strict disclosure requirements.
Based on analysis of more than 12,000 publicly disclosed cyber incidents between 2019 and 2022, the research finds it takes the average organization 105 days to discover and disclose an incident from the date it occurred.
It takes twice as long for organizations to disclose higher severity incidents once they are discovered compared with lower severity ones. The average organization requires over 70 days to disclose a moderate, medium or high severity incident once it has been discovered compared with the 34 days it takes to disclose low severity events.
The average organization takes 59 days to disclose an incident after initially discovering it, well beyond disclosure requirements envisioned by policymakers. Large enterprises -- 10,000 plus employees -- are better, but even so they need an average of 39 days to discover an incident and 41 days to disclose it.
The report's authors conclude:
Organizations can do more to improve their cybersecurity posture and reduce the likelihood that they will experience a significant or material cyber incident. BitSight finds that timely remediation of vulnerabilities, reducing attack surface exposure, and implementing sound cybersecurity hygiene all measurably reduce the likelihood of experiencing cyber incidents, including ransomware. Focusing on detection and response is critical in shrinking the overall timeline between incident occurrence, discovery, and disclosure. Organizations should focus on measures that:
• Improve incident detection and monitoring capabilities.
• Improve awareness of disclosure obligations.
• Ensure that the company's incident response plan includes a damage assessment process to determine incident materiality.
You can find out more and get the full report on the BitSight blog.
Photo credit: www.BillionPhotos.com / Shutterstock