
How Firms Can Disclose Cyber Incidents While Staying Secure

Venable's Grant Schneider on Why Incident Disclosure Should Look at Business Impact
Grant Schneider, senior director of cybersecurity services, Venable (Image: Venable)

Public companies disclosing a security incident under the new U.S. reporting requirements should focus on the business impact and stay away from the technical pieces, said Venable's Grant Schneider.

The disclosure should examine how the security incident will affect revenue, profitability and public perception. It should avoid discussion of how the incident took place and whether or not it's still ongoing, he said. New rules adopted by the Securities and Exchange Commission will force publicly traded firms to disclose most "material cybersecurity incidents" within four business days of determining materiality (see: SEC Votes to Require Material Incident Disclosure in 4 Days).

"The one concern I would have is the issue may not have been mitigated," Schneider said. "It could be an ongoing incident that an organization is still trying to respond to, recover from and mitigate. When you come out and say, 'I'm injured,' you become a bit of a target. There is a real concern about potential security for these organizations."

In this video interview with Information Security Media Group, Schneider also discussed:

  • How organizations will determine whether or not a security incident is material;
  • How often companies will be able to delay disclosure for national security reasons;
  • Potential repercussions for companies found to have violated the new SEC rules.

Prior to Venable, Schneider served as the U.S. deputy federal CISO and the U.S. federal CISO and as senior director for cybersecurity policy on the White House National Security Council. He previously served for seven years as chief information officer for the Defense Intelligence Agency.


About the Author

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.