A few days ago, the Biden administration signed new legislation that makes it mandatory for companies to report cybersecurity incidents to federal authorities within 72 hours.
A survey by cyber risk ratings firm BitSight, however, suggests that the 72-hour deadline is unrealistic for many organizations. BitSight's researchers reached that conclusion after analyzing responses from over 190 survey participants together with data on roughly 12,000 publicly disclosed cyber incidents from 2019 to 2021.
The researchers report that organizations typically take 45 to 105 days to realize that attackers have targeted them, and then, for a variety of reasons, wait a further 50 days or so after discovery before disclosing the incident.
In practice, large organizations, meaning those with more than 10,000 employees, have dedicated in-house security teams and therefore detect and respond to such incidents faster than smaller ones.
Smaller organizations, by contrast, either fail to discover attacks in time or do not report them within 72 hours, because they lack clear guidance on what to disclose, where and to whom to disclose it, and how.
Beyond that, fear of reputational damage is the biggest factor holding CTOs and CIOs back from reporting incidents to government agencies.
Meanwhile, a new bill has been put forward in Washington that would help federal authorities track, measure, and analyze cybercrime.
Titled the Better Cybercrime Metrics Act, it would, if enacted, help law enforcement identify cyber threats more accurately, prosecute cybercrime more effectively, and defend the nation's infrastructure against future attacks.
However, Republican opposition to the bill makes its prospects of becoming law doubtful.