New Research Claims Biden's Disclosure Deadlines Are Unrealistic

Organizations in the United States are ill-prepared to meet the strict new cyber incident disclosure requirements imposed by the Biden administration, according to new research by cyber-risk ratings firm BitSight.

Earlier this month, President Biden signed legislation requiring critical infrastructure organizations to disclose “substantial” cyber incidents to the federal government within 72 hours.

However, an analysis of more than 12,000 publicly disclosed cyber incidents from 2019-2022 published by BitSight researchers on Tuesday revealed that incidents are typically discovered and disclosed after weeks and months rather than hours and days.

Researchers noted: “It takes the average organization 105 days to discover and disclose an incident from the date the incident occurred; of that time, organizations don’t discover an incident until 46 days after it has occurred, and they don’t disclose an incident until 59 days after discovery.”

Larger organizations were found to be faster at discovering and disclosing incidents than smaller organizations. Yet, while organizations with more than 10,000 employees were 30% quicker at discovering and disclosing incidents than smaller organizations, it still took them, on average, 39 days to discover an incident and 41 days to disclose it.

Disclosing higher severity incidents was a more ponderous process than reporting incidents of a more minor nature. 

“It takes the average organization over 70 days to disclose a moderate, medium or high severity incident once it has been discovered compared with the 34 days it takes to disclose low severity events,” said researchers. “Yet new regulations require the disclosure of these ‘substantial’ or ‘material’ incidents within 72-96 hours.”

Researchers opined that a variety of factors could be causing slow disclosure times. 

“Uncertainty about disclosure obligations (what to disclose, to whom, how, and when) and confusing jurisdictional requirements may be contributing factors to these delays,” wrote researchers.

They added that larger organizations may be able to achieve faster disclosures because they “have greater experience or better understanding of their legal obligations compared with smaller organizations.”

The findings suggest that organizations would struggle to comply with new regulations – currently being considered by the Securities and Exchange Commission (SEC) – requiring disclosure of “material” cyber incidents within 96 hours.
