When a cyberattack happens, wanting to know the details is more than morbid curiosity (cue the “thank goodness it’s not me” sigh of relief). Sharing relevant incident information can help everyone else boost their defenses. But too often victimized companies are tight-lipped about attacks, revealing only the bare minimum required by law.
It’s a Catch-22: Share too much, and you might invite a lawsuit over your cybersecurity practices. Share too little, and organizations that could benefit from your experience won’t get data that could help them.
“Sharing too much, especially too early, can lead to legal issues,” says Rusty Goodwin, executive consultant at The Mid-State Group, an insurance agency in Lynchburg, Virginia. “For example, if you say things like, ‘we didn’t have encryption’ or ‘we reacted too slowly,’ those details may be used in lawsuits or regulatory actions.”
This conundrum affects MSPs, especially as attackers increasingly target the supply chain. Because of links to suppliers, vendors, and customers, MSPs are potentially vulnerable to attacks on third parties. It was a concern with the recent Ingram Micro ransomware incident, which disrupted operations for almost a week.
The distributor revealed little about the incident, creating frustration among MSPs and other partners. The attack disrupted operations but there is no indication it infected other organizations.
Intelligence for the Benefit of All
Noting research from Cybersecurity Ventures that cyberattacks cost an estimated $10.5 trillion worldwide, Dave Seibert, CIO of IT Innovators, based in Irvine, California, wants to see more intelligence-sharing about incidents. His company’s operations were affected by the Ingram Micro attack.
Legitimate businesses, Seibert says, are at war with cyber adversaries. And, as in any war, intelligence is key to fighting the battle. This requires transparency, but Seibert laments that too many attack victims share too little. When information does come out, it is often because a whistleblower posts it months after the incident on a platform like Reddit, he says.
Victim companies could share a lot of data points that would help others, he adds. “It’s not important to know the name of the company. What’s important is knowing how they got attacked so you can make sure the businesses you protect have that measure covered. You don’t know what to cover when you don’t know what it is.”
Keith Nelson, PhD, CEO of Vistem Solutions, an MSP in Irvine, California, says he has dealt with vendors that withheld information about attacks. “When a vendor is not honest or forthcoming with information, it’s not only their organization that is at risk. It’s ours as well because we don’t know what threats may be putting our clients at risk,” he says.
Though organizations fear legal repercussions and reputational risk from sharing incident information, Nelson argues withholding information can be the bigger danger. “The fact that an incident occurred or that your organization was the victim of a malicious attack is, in itself, not enough to implicate an organization. In many of these scenarios, lawsuits follow as a result of the organization not being honest with its customers or stakeholders.”
Sharing lessons learned, says Goodwin, helps keep other businesses safe. He suggests leveraging CISA’s threat-sharing platforms and Information Sharing and Analysis Centers (ISACs), which allow companies to provide information with limited risk.
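Seibert’s point that the “how” matters and the “who” does not, and Goodwin’s pointer to CISA and ISAC sharing channels, can be made concrete. Those channels (CISA’s Automated Indicator Sharing among them) exchange STIX 2.1 objects, so the practical question for a victim is how to emit the attack pattern and indicators while keeping its own identity out of the package. The script below is an added example, not code from the article or from any company quoted in it; the incident record, company name, domains, hashes and addresses are constructed, and the object layout follows the STIX 2.1 specification using only the Python standard library. Its last step is a leak check that refuses to release the bundle if a victim identifier or an internal address slipped through.

```python
"""Build a sanitized STIX 2.1 bundle from an internal incident record.

Added example (not from the article or any vendor it quotes). The incident
record, company name, domains, hash and hosts are constructed. The object
layout follows the STIX 2.1 spec; TLP_AMBER_ID is the fixed marking id the
spec assigns to TLP:AMBER.
"""
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed internal incident record, as an MSP's own IR team might hold it.
INCIDENT = {
    "victim": "Acme Dental Group LLC",                 # who: never shared
    "victim_domain": "acmedental.example",             # who: never shared
    "technique_id": "T1566.001",                       # how: safe to share
    "technique_name": "Phishing: Spearphishing Attachment",
    "c2_domains": ["update-check.invalid-cdn.test"],   # how: shareable IOC
    "file_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "hosts_affected": ["10.20.30.41", "10.20.30.42"],  # who: internal, dropped
    "detail": "Attacker emailed acmedental.example staff; the ISO bypassed MOTW.",
}

TLP_AMBER_ID = "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _sid(kind):
    return f"{kind}--{uuid.uuid4()}"


def scrub_text(text, identifiers):
    """Replace victim-identifying strings in free text with a placeholder."""
    for ident in identifiers:
        text = re.sub(re.escape(ident), "[victim]", text, flags=re.IGNORECASE)
    return text


def build_bundle(incident):
    """Return a STIX 2.1 bundle carrying the 'how' with the 'who' removed."""
    ts = _now()
    identifiers = [incident["victim"], incident["victim_domain"]]
    attack = {
        "type": "attack-pattern", "spec_version": "2.1",
        "id": _sid("attack-pattern"), "created": ts, "modified": ts,
        "name": incident["technique_name"],
        "description": scrub_text(incident["detail"], identifiers),
        "external_references": [{"source_name": "mitre-attack",
                                 "external_id": incident["technique_id"]}],
        "object_marking_refs": [TLP_AMBER_ID],
    }
    # One indicator per shareable observable. hosts_affected is intentionally
    # never read here: internal addresses identify the victim, not the attacker.
    patterns = [f"[domain-name:value = '{d}']" for d in incident["c2_domains"]]
    patterns.append(f"[file:hashes.'SHA-256' = '{incident['file_sha256']}']")
    indicators = [{
        "type": "indicator", "spec_version": "2.1", "id": _sid("indicator"),
        "created": ts, "modified": ts, "valid_from": ts,
        "pattern": p, "pattern_type": "stix",
        "object_marking_refs": [TLP_AMBER_ID],
    } for p in patterns]
    rels = [{
        "type": "relationship", "spec_version": "2.1", "id": _sid("relationship"),
        "created": ts, "modified": ts, "relationship_type": "indicates",
        "source_ref": ind["id"], "target_ref": attack["id"],
    } for ind in indicators]
    marking = {
        "type": "marking-definition", "spec_version": "2.1", "id": TLP_AMBER_ID,
        "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp",
        "name": "TLP:AMBER", "definition": {"tlp": "amber"},
    }
    return {"type": "bundle", "id": _sid("bundle"),
            "objects": [marking, attack, *indicators, *rels]}


def find_leaks(bundle, incident):
    """Pre-release gate: list every victim identifier present in the output."""
    blob = json.dumps(bundle).lower()
    leaks = [s for s in (incident["victim"], incident["victim_domain"])
             if s.lower() in blob]
    # Any private (RFC 1918 etc.) address is an internal identifier, wherever it came from.
    for ip in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", blob):
        try:
            if ipaddress.ip_address(ip).is_private:
                leaks.append(ip)
        except ValueError:
            pass
    return leaks


if __name__ == "__main__":
    bundle = build_bundle(INCIDENT)
    assert not find_leaks(bundle, INCIDENT), "refusing to share: identifiers present"
    print(json.dumps(bundle, indent=2))
```

The scrub only covers free text; indicator patterns are emitted verbatim because an analyst-chosen IOC is supposed to be exact. That is why the leak check runs over the serialized bundle as a whole: if someone lists an internal mail host as a “C2 domain”, the gate catches it before anything leaves the organization, which is the control an attorney or insurer would want to see documented.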
Disclosure Regulations Hodgepodge
Exactly how much information to share depends on industry, geography, or both. Regulations such as HIPAA are industry-specific while others, such as Europe’s GDPR and California’s CCPA, are based on geography. Disclosure requirements and timelines differ between them.
In the U.S., a patchwork of disclosure regulations applies to 16 critical infrastructure sectors. These include communications, agriculture, energy, and water treatment systems. There is no single nationwide breach-disclosure law. “These rules can be difficult to follow, especially for smaller organizations without a compliance or legal team,” says Nelson.
Uncertainty can make companies want to clam up after an incident, but that doesn’t mean they can put off investigators. “If a regulatory agency wants to know more about an incident/breach, they will ask the victim entity. So purposefully hiding the details won’t help,” says Scott Giordano, partner and co-founder of The CISO Law Firm.
Besides regulatory issues, incidents can cause problems when companies try to collect on their cyber insurance coverage. “Insurers may deny a claim if your public statements reveal things like known but unpatched vulnerabilities, weak controls, or inconsistencies with your application,” says Goodwin.
To avoid that, pay attention to what your policy covers. If an incident occurs, Goodwin advises notifying the insurer immediately because delays can jeopardize coverage. Companies should retain an attorney to guide their response, and document their actions to show policy compliance, he says.
Appeal for Transparency
Nelson and Seibert are strong advocates of transparency. As MSPs, they are linked to third parties. They know that one company’s vulnerability can affect hundreds of others. “For all their self-interest,” says Nelson, “when organizations are silent in the wake of an attack, they harm not only themselves, but their entire industry by failing to share intelligence and forensics that could help them and others avoid being attacked.”