The pressure on victims of cybercrime to notify authorities in a timely manner is increasing from many sides and for multiple reasons.
On January 24, 2023, France passed a law (Article L12-10-1 of the Insurance Code) requiring victims of cybercrime to report the incident within 72 hours of discovery if they want to be eligible for compensation by their insurer for losses and damages caused by the attack. In accordance with French law, these provisions come into force three months after the announcement of the law, so the effective date will be April 24, 2023.
Earlier, we saw a proposal from the Securities and Exchange Commission (SEC) to amend Form 8-K to require registrants to disclose information about a material cybersecurity incident within four business days after the registrant determines that it has experienced one. Form 8-K is known as a “current report”: it is the report that companies must file with the SEC to announce major events that shareholders should know about.
In the take-down of the Hive ransomware group the international law enforcement agencies stressed how crucial it was that victims filed timely reports about the cybercrimes committed against them.
Cyber liability insurance
Cyber liability insurance is a type of insurance policy that protects businesses from the expenses incurred as a result of a data breach, including stolen or damaged intellectual property.
It may strike us as weird that the compensation by the insurance is what’s at stake here, but it’s incorporated in US law as well. The Cybersecurity Information Sharing Act was one of the initial Federal laws passed in 2015 to enable sharing of personal information on cyberincidents. And many states have enacted their own legislation to address cyberrisks in depth, from exclusions to penalties.
Every US state has a Data Breach Notification law that must be complied with when a certain number of consumers’ personally identifiable information (PII) is compromised. A few states have added requirements specifically for insurers to notify the state’s insurance department.
The amount of money involved in cyberincidents is enormous. Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.
Covering risks that add up to trillions of dollars per year is not something insurance companies will take on lightly. Their clients will have to show they were careful, protected, and diligent to be eligible for compensation. And now they will also have to file a timely report.
The French law has been criticized because some of the key definitions in the law are unclear or at least need further specification.
What a cyberincident is, in the context of this law, is rather clear, though: fraudulently accessing or remaining in all or part of an automated data processing system, with the stipulation that the punishments are higher when the result is the deletion or modification of data contained in the system, or an alteration of the functioning of that system.
The responsible authority, however, is unclear. Is it law enforcement, through the Ministry for the Interior’s general crime reporting portal, or does it depend on the nature of the crime? Time will tell. (This lack of clarity is also the norm in the United States, where some laws go into effect without a clear model for how they will be enforced.)
Another point of discussion is the phrase “72 hours after discovery”. Is this 72 hours after your log files show signs of an unauthorized access, or 72 hours after your staff was able to determine with certainty that it was indeed a security incident?
The details will undoubtedly be hammered out, but until then it seems prudent to err on the safe side.
According to Malwarebytes security evangelist and ransomware expert Mark Stockley this kind of legislation could make a difference.
“Why? Because money talks and the foundation of combatting the ransomware problem is understanding it. That requires victims to come forward and report it. Timely reporting allows us to understand the big picture, but it also gives law enforcement the best chance to learn about the tools, techniques and practices of the attackers, and to share what they’ve learned.”
This is likely one of the reasons behind this law. As Mark continued to explain:
“Failure to report can cause serious problems: In 2017, one of the early ‘big game’ ransomware gangs, SamSam, was widely reported to be targeting government and healthcare institutions, because it seemed to attack them much more often. It later transpired that it didn’t attack them more often at all, but the government and healthcare sectors were much more likely to report an attack.”
If this new law turns out to help fight cybercrime, you can be sure that similar types of regulation will follow suit around the globe.
This new law will also affect the playbook an organization follows after identifying a breach. In most cases the investigation by internal or external experts will not have finished by the time you have to disclose that there has been an incident. This means your communications plan will likely need an extra step: a first notification that tells at least the responsible authority that something has happened. Depending on who that authority is and what form the notification must take, others may have to be briefed as well.
A later communication can then disclose the details of what happened, how it could happen, and what the possible consequences are. But that type of information typically requires more investigation than you will be able to complete in three days.