From Months to Minutes: Can New Regulations Accelerate the Cyber Incident Disclosure Process?

The state of cyber incident disclosure

In the wake of numerous high profile cyber incidents, including ransomware and attacks impacting critical infrastructure, policymakers are considering new cyber incident disclosure laws to improve cybersecurity. On March 15, 2022, President Biden signed legislation requiring critical infrastructure organizations to disclose “substantial” cyber incidents to the Federal government within 72 hours. The Securities and Exchange Commission (SEC) is also considering new regulations requiring disclosure of “material” cyber incidents within 96 hours.

Are organizations prepared to meet these new cyber incident disclosure requirements?

Bitsight analyzed more than 12,000 publicly disclosed cybersecurity incidents from 2019-2022 to assess the current state of cyber incident disclosure. We examined how organization size and incident severity affects the timeliness of incident discovery and disclosure. 

Bitsight’s observations suggest that compliance with these new obligations will be difficult to achieve. Bitsight observes:

Cyber incident discovery and disclosure is a long, slow process.

In a world that requires speed and rapid response, data suggests that the time between incident occurrence, discovery, and disclosure is quite slow. Cyber incidents are typically discovered and disclosed after weeks and months, rather than hours and days. It takes the average organization 105 days to discover and disclose an incident from the date the incident occurred; of that time, organizations don’t discover an incident until 46 days after it has occurred, and they don’t disclose an incident until 59 days after discovery. This is well beyond the 72-96 hour disclosure requirements envisioned by policymakers.

Larger organizations are faster at discovering and disclosing incidents than smaller organizations, but they are still slow.

The largest organizations (10,000+ employees) are 30% faster at discovering and disclosing incidents compared to others. However, it takes the largest organizations an average of 39 days to discover an incident and 41 days to disclose an incident, far beyond the timeframes proposed in new requirements.

It takes twice as long for organizations to disclose higher severity incidents once they are discovered compared with low severity incidents.

It takes the average organization over 70 days to disclose a moderate, medium or high severity incident once it has been discovered compared with the 34 days it takes to disclose low severity events. Yet new regulations require the disclosure of these “substantial” or “material” incidents within 72-96 hours. Achieving compliance with these new obligations may be difficult to attain.

Download the Full Report

Organizations can do more to improve their cybersecurity posture and reduce the likelihood that they will experience a significant or material cyber incident. Bitsight finds that timely remediation of vulnerabilities, reducing attack surface exposure, and implementing sound cybersecurity hygiene all measurably reduce the likelihood of experiencing cyber incidents, including ransomware.  

Want more details? Read the full report, available here.