The cynic in me says this will incentivize execs to avoid starting the clock:

SRE: It looks like someone might be exfiltrating data from our network.

CISO: I doubt that. Look into it on Monday.

SRE: Today is Tuesday...

CISO: Look into it on Monday, we've got more important things to worry about. If you'll excuse me, I need to call some old frat-mates about their trading portfolios.
I'm in favor of mandating disclosure. I wish they hadn't limited it to the vague "has material impact" definition.

Under that rule, if a company is being DDoSed constantly but their network is successfully mitigated against it, presumably they wouldn't need to disclose it.

But it would be in the general good of the public to be able to track these events, what their source is, etc.

At least this is a step in the right direction.
This isn't as good of a thing as you think. Instead of focusing on finding out the scope of the compromise and making sure the threat actors are contained and can't easily compromise again, incident responders will get pressured to focus on answering questions about who gets notified. They should be given enough time to thoroughly respond to it and then notify everyone that needs notifying.

Having to dedicate resources to scour through compromised data for PII instead of for forensic evidence before you even contain/eradicate a threat only helps threat actors. The public does not benefit from bad or inefficient incident response.

I am sure the HN crowd will get that this isn't something you can just throw manpower/bodycount at either to get a faster response. It takes as long as it has to take.
See also https://news.ycombinator.com/item?id=36881061

https://news.ycombinator.com/item?id=36881188
It seems that "cyberattack" will eventually replace "hacking" as the go-to word for every computer problem faced by a C-Suite sexagenarian.