Government Cracks Down on Security Responses, Unpatched Vulns
December 6, 2023 Alex Woodie
New federal rules that go into effect next week require public companies to disclose material cybersecurity incidents within four business days of determining that an incident is material, and to detail in annual reports how they are managing cybersecurity risk. Separately, the New York Attorney General fined a company for allowing hackers to steal customer data through a critical security vulnerability that was left unpatched for 11 months.
The Securities and Exchange Commission (SEC)’s new cybersecurity rule, adopted in July, requires public companies to report cybersecurity incidents that are material to the business. Companies must report each incident under a new “Item 1.05” of Form 8-K, the filing known as a “current report.” The clock is four business days from the day the company determines the incident is material, not from the day the incident occurred; a delay is permitted only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety.
In addition to reporting material cybersecurity incidents, such as successful intrusions and malware infections, on the current report, companies must describe in their annual report what they are doing to manage cybersecurity risk. Public companies must include the annual disclosure in reports for fiscal years ending on or after December 15, and larger companies must begin Form 8-K incident reporting on December 18. Smaller reporting companies get an additional 180 days before the Form 8-K requirement applies to them.
In its press release announcing the new rule, the SEC says companies must describe “their processes, if any, for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents.” Companies must also describe the board’s oversight of cybersecurity risk, and management’s role and expertise in assessing and managing that risk.
“Whether a company loses a factory in a fire – or millions of files in a cybersecurity incident – it may be material to investors,” SEC Chair Gary Gensler said in a press release. “Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today’s rules will benefit investors, companies, and the markets connecting them.”
It’s unclear what, if any, penalties the SEC will levy on companies that don’t comply with the new rules.
Meanwhile, New York Attorney General Letitia James announced last month that her office has fined US Radiology $450,000 for failing to patch a security vulnerability that resulted in the disclosure of private personal information of nearly 200,000 patients, including 82,000 residents of the state.
The AG’s office concluded that the company did not prioritize replacing its hardware after SonicWall announced in January 2021 that a critical SQL injection vulnerability existed in one of its network devices. The company planned to replace the SonicWall device in July 2021, because that model was at end of life and could not accept the firmware that contained the patch, the AG’s office said. The replacement was never completed, and in December 2021 the company was hit by a ransomware attack. The lesson for anyone running similar gear: a device that cannot take the vendor’s fix stays vulnerable for as long as it stays on the network, and here that exposure window ran for 11 months.
“When patients visit a medical facility, they deserve confidence in knowing that their personal information will not be compromised when they are receiving care,” James said in a press release. “US Radiology failed to protect New Yorkers’ data and was vulnerable to attack because of outdated equipment.”
The two events show that federal and state officials are starting to crack down on companies whose customer data is stolen in attacks, whether or not lax security practices made the company culpable.
This should be a wakeup call to IBM i shops that haven’t yet gotten the message on security, says Pauline Brazil Ayala, vice president of compliance and security solutions for Fresche Solutions.
“Ignorance is not a security policy. Ignorance is not okay,” she says. “It’s not going to hold up when your data is breached and they’re asking you ‘Why didn’t you have protections in place for this data?’ You need to be aware what the vulnerabilities are and take precautions like you do on any other platform.”
RELATED STORIES
Spooky New Security Vulns Lurking on IBM i
Serious New IBM i Vulns Exposed by Silent Signal – More On the Way
New “High Priority” DDM Vulnerability Affects IBM i
The disclosure process: GDPR in Europe already requires this (even for private companies), and it is indeed a good practice.
Nowadays, at a minimum, what is exposed publicly on the internet perimeter must be strictly controlled; this should be a minimum for every company.
But in the first place, software development and architecture methodologies must be rectified to reduce trivial bugs. Billions of dollars in damage were caused by buffer overruns or SQL injections (impossible to do from the start with the right methodology or programming language).
The low software quality that led to bugs like “EternalBlue”, full unauthenticated access to a system, is astonishing.
ITJUNGLE: it would be nice – but I know it is impossible – to have the sum of all the damages made possible by architectures like Windows/MS compared to IBM i (not exempt from bugs)… we would be surprised, I think…
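The bug class at the centre of the US Radiology case, and the one the commenter above says the right methodology makes impossible, is SQL injection. What follows is an added example, not code from the article, from SonicWall, or from any commenter: a lookup query built by string concatenation next to the same lookup with a bound parameter, run against an in-memory SQLite database. The table, the patient rows and the function names are constructed for the example.

```python
"""Added example (not from the article or its commenters): SQL injection in a
string-built lookup query, beside the parameterised form that the database
driver makes injection-proof. Runs offline against in-memory SQLite."""
import sqlite3

# Constructed sample data; the MRNs and names are invented for this example.
SAMPLE_PATIENTS = [
    ("MRN-0001", "Alice Example", "alice"),
    ("MRN-0002", "Bob Sample", "bob"),
    ("MRN-0003", "Carol Placeholder", "carol"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database with a patients table and a few rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT, name TEXT, portal_user TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?)", SAMPLE_PATIENTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, portal_user: str) -> list:
    """The bug: the caller-controlled value is pasted into the SQL text, so the
    quoting and the structure of the query are both under the caller's control."""
    sql = f"SELECT mrn, name FROM patients WHERE portal_user = '{portal_user}'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, portal_user: str) -> list:
    """The fix: the SQL text is a constant and the value travels separately as a
    bound parameter, so no input can change the shape of the query."""
    sql = "SELECT mrn, name FROM patients WHERE portal_user = ?"
    return conn.execute(sql, (portal_user,)).fetchall()


# A classic tautology payload: it closes the string literal and appends an
# always-true condition, turning a one-row lookup into a full table dump.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"


def demo() -> dict:
    """Run an honest lookup and the injection payload through both versions."""
    conn = build_db()
    results = {
        "honest_vulnerable": lookup_vulnerable(conn, "alice"),
        "honest_parameterised": lookup_parameterised(conn, "alice"),
        "attack_vulnerable": lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD),
        "attack_parameterised": lookup_parameterised(conn, TAUTOLOGY_PAYLOAD),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

Both functions return Alice’s single row for the honest input. For the payload, the vulnerable version returns every patient in the table, while the parameterised version returns nothing, because the driver treats the whole payload as a literal user name. That is the property a query API has to give you at the code level; at the operations level, an appliance that cannot receive the fix for a bug like this has to come off the perimeter rather than wait for a replacement that never arrives.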