Thursday, January 23, 2025

What Companies Need to Know


The Securities and Exchange Commission (SEC) is putting a spotlight on security incident reporting. This summer, the SEC adopted amendments to Regulation S-P that require covered financial institutions (broker-dealers, investment companies, registered investment advisers, and transfer agents) to notify affected individuals within 30 days of determining that their personal information was, or is reasonably likely to have been, compromised in a breach. Larger entities have 18 months to comply, and smaller entities have two years.

This rule change follows the cybersecurity disclosure requirements for public companies that were adopted only a year earlier, with compliance dates of December 18, 2023 for larger companies and June 15, 2024 for smaller reporting companies. Those requirements are already shaping disclosures, even if not in the way the SEC intended.

Under these disclosure requirements, public companies must report a cybersecurity incident on Form 8-K within four business days of determining that the incident is “material.” Note that the clock starts at the materiality determination, not at discovery of the intrusion. But in mid-November 2023, before the rules had even taken effect, the AlphV/BlackCat ransomware gang added a twist to its usual extortion playbook: it filed a complaint with the SEC alleging that one of its victims had failed to report the group’s attack within the four-day window.

This incident raised the sobering possibility that if companies don’t report cyberattacks to the SEC, attackers will do it for them. The move has sparked concerns about abuse of the regulatory process, and worries that the new rules could unintentionally lead to premature disclosures, lawsuits, and an increase in attacks, since a looming disclosure deadline is one more lever for extortion.


I’m not convinced threat groups have the upper hand. We must assume the SEC, or contractors working on its behalf, already monitor dark-web leak sites for claims involving publicly traded companies. Still, organizations would be wise to strengthen their defenses and prepare for the worst-case scenario.

As Cyberattacks Increase, Identity Is in Spotlight 

The SEC’s disclosure rules come as cyberattacks continue to rise in scale and severity, with identity-based attacks at the forefront. Verizon’s 2023 DBIR found that 74% of all breaches involved the human element, while almost a quarter (24%) involved ransomware. 

Active Directory (AD) and Entra ID, the identity systems used in more than 90% of enterprises worldwide, broker access to mission-critical user accounts, databases, and applications. As the keeper of the “keys to the kingdom,” they have become primary targets for identity-based attacks: an adversary who controls the directory can mint credentials for any account and reach every system that trusts it.

It’s too early to know whether cybercriminals reporting their own attacks to the SEC will become a trend. Regardless, it is critical for organizations to take a proactive approach to identity security. In today’s digital world, identities are necessary to conduct business, but the unfettered access an identity system grants to whoever controls it presents a critical risk to valuable data and business operations. By strengthening their security posture, incident response and recovery capabilities, and operational resilience, organizations can make it far harder for bad actors to infiltrate and persist in identity systems.


Protect Active Directory, Build Business Resilience  

Securing AD, Entra ID, and Okta is key to identifying and stopping attackers before they can cause damage. AD security should be the core of your cyber-resilience strategy. 

Attacks are inevitable, and organizations should adopt an “assume breach” mindset. If AD is taken down by a cyberattack, business operations stop: without working domain controllers, users cannot log on, services cannot authenticate, and Group Policy stops applying. Excessive downtime can cause irreparable harm to an organization. Henry Schein was forced to take its e-commerce platform offline for weeks after being hit by BlackCat ransomware three times, and the company lowered sales expectations for its 2023 fiscal year as a result of the breach.

Having an incident response plan and a tested AD disaster recovery plan in place is vital.

Here are three steps for organizations to strengthen their AD security — before, during, and after a cyberattack. 


1. Implement a layered defense. Cyber resilience requires a certain level of redundancy to avoid a single point of failure, and the best defense is a layered one: preventive hardening, detection, and tested recovery, each able to catch what the others miss. Look for an identity threat detection and response (ITDR) solution that focuses specifically on protecting the AD identity system, meaning one that watches for AD-specific attack techniques (for example, unauthorized replication requests, changes to privileged groups, and Group Policy tampering) rather than relying on endpoint telemetry alone.

2. Monitor your hybrid AD. Regular monitoring of the identity attack surface is critical and can help you find exposures before attackers do. An effective monitoring strategy needs to be specific to AD, because general vulnerability scanners do not understand risky directory configurations such as weak delegation settings, stale privileged accounts, or permissive object permissions. Use free community tools like Purple Knight to find risky configurations and vulnerabilities in your organization’s hybrid AD environment, and rerun them on a schedule so regressions are caught.

3. Practice IR and recovery. An incident response (IR) plan is not a list to check off. It should include tabletop exercises that simulate attacks and involve business leaders as well as the security team. Even with a tested AD disaster recovery plan, your organization remains exposed to business-crippling cyber incidents. However, IR testing greatly improves your organization’s ability to recover critical systems and data in the event of a breach, decreasing the risk of downtime and data loss.
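As an added example (not code from the article, and not Semperis’s Purple Knight), the following read-only PowerShell script checks a domain for a handful of the risky AD configurations that step 2 refers to, each of which maps to a well-known identity attack path. It assumes the RSAT ActiveDirectory module is installed and that it runs as an account able to read the directory; the 365-day and 180-day thresholds are illustrative assumptions, not values taken from the page.

```powershell
# Added example: read-only audit of a few AD misconfigurations abused in identity attacks.
# Assumes the RSAT ActiveDirectory module and a domain-joined, read-capable account.
Import-Module ActiveDirectory

$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Check, [string]$Object, [string]$Why)
    $findings.Add([pscustomobject]@{ Check = $Check; Object = $Object; Why = $Why })
}

# 1. Accounts that can be AS-REP roasted (Kerberos pre-authentication disabled).
Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true -and Enabled -eq $true' -Properties DoesNotRequirePreAuth |
    ForEach-Object { Add-Finding 'AS-REP roastable' $_.SamAccountName 'Pre-auth disabled; AS-REP hash can be cracked offline' }

# 2. Enabled accounts permitted to have no password at all.
Get-ADUser -Filter 'PasswordNotRequired -eq $true -and Enabled -eq $true' -Properties PasswordNotRequired |
    ForEach-Object { Add-Finding 'Password not required' $_.SamAccountName 'Blank password permitted' }

# 3. Computers, other than domain controllers (primary group 516), trusted for unconstrained delegation.
Get-ADComputer -Filter 'TrustedForDelegation -eq $true -and PrimaryGroupID -ne 516' -Properties TrustedForDelegation |
    ForEach-Object { Add-Finding 'Unconstrained delegation' $_.Name 'Caches the TGT of every user that authenticates to it' }

# 4. Privileged accounts (adminCount=1) with a service principal name (Kerberoast target)
#    or a password older than the assumed threshold.
$staleDays = 365   # assumption: tune to your password policy
Get-ADUser -Filter 'AdminCount -eq 1 -and Enabled -eq $true' -Properties PasswordLastSet, ServicePrincipalName |
    ForEach-Object {
        if ($_.ServicePrincipalName) {
            Add-Finding 'Kerberoastable admin' $_.SamAccountName 'Privileged account has an SPN; its TGS hash can be cracked offline'
        }
        if ($_.PasswordLastSet -and $_.PasswordLastSet -lt (Get-Date).AddDays(-$staleDays)) {
            Add-Finding 'Stale admin password' $_.SamAccountName "Password older than $staleDays days"
        }
    }

# 5. krbtgt key age: a long-lived krbtgt key lets a forged Golden Ticket keep working indefinitely.
$krbtgt = Get-ADUser krbtgt -Properties PasswordLastSet
if ($krbtgt.PasswordLastSet -lt (Get-Date).AddDays(-180)) {   # 180 days is an assumed threshold
    Add-Finding 'krbtgt key age' 'krbtgt' "Last reset $($krbtgt.PasswordLastSet); reset twice, at least one replication interval apart"
}

$findings | Sort-Object Check, Object | Format-Table -AutoSize
```

Run it from a management workstation rather than a domain controller, and schedule it so that a configuration regression (a newly delegated server, a new SPN on an admin account) shows up within days rather than being discovered by an attacker. The same findings are the kind of exposures an ITDR product or Purple Knight would report, with far broader coverage.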

From my own experience, I know that the key difference between an organization that recovers quickly from an identity-related attack and one that loses valuable time is the ability to orchestrate, automate, and test the recovery process.

Here are my tips for a swift incident response: 

  • Having backups is an essential starting point for business recovery. Make sure you have offline/offsite backups that cannot be accessed with the same credentials as the rest of your production network, and that at least one copy is immutable or air-gapped. An attacker who already holds AD admin rights will typically locate and delete domain-joined backups before deploying ransomware, so a backup that trusts the compromised directory is not a backup you can count on.

  • The best approach for recovery is “practice makes progress.” A convoluted recovery procedure will delay the return to normal business operations. Verify that you have a well-documented IR procedure that details every aspect of the recovery process, including out-of-band contact details and the credentials needed to reach backup systems, and that the information can be accessed even if the network and the directory itself are down.

  • Orchestrate and automate as much of the recovery process as possible. Time is the critical factor in recovery success. Automation can make the difference between a recovery that takes days or weeks and one that takes minutes or hours.  

The prospect of attackers outing their victims to the SEC underscores the importance of protecting systems in the first place. Organizations need to take the necessary steps, starting with securing their identity system. Whether your organization uses AD, Entra ID, or Okta, any identity can provide a digital attack path for adversaries seeking your most valuable assets.  


