Yahoo's data breach was the breach that kept on giving, and it helped shape the breach notification laws that followed.
The company's security department uncovered the breadth of the breaches in 2016, but the discovery was not disclosed, and Yahoo kept it under wraps while signing its initial acquisition agreement with Verizon in July 2016.
In the breaches, which took place in 2013 and 2014, 3 billion accounts were compromised. Through it all, Yahoo's original sin was failing to disclose the full extent of the incident; the company withheld that information until 2017.
Companies have to decide what cyber events are worth public disclosure. In some cases, too much transparency is a bad thing.
"Disclosing too much makes you look worse than you are. Because the reality is, everyone's experiencing these attacks, everyone's having some element of their environment compromised sometimes," said Curtis Simpson, CISO of Armis.
Not all cyberattacks amount to data breaches, but the line between the two is blurring. Even if an initial investigation turns up no sign of a breach, notifying law enforcement or regulators is often the safest bet, regardless of the incident's apparent severity.
"My experience has been, involving law enforcement early is not problematic," said Simpson. "Where in the past, there may have been a number of reasons why you didn't want to do that."
Breach notification laws exist at the sector, federal and state level. Many organizations treat the California or Massachusetts laws as their baseline because they are the strictest. But over the last year and a half, states have amended their laws to add more aggressive notification requirements.
"A lot of these laws changed because of the Yahoo incident," said Nader Henein, VP analyst at Gartner. Before those changes, organizations would capture their post-mortem forensic data and shelve it for months before reassessing the incident.
Without a "time-bound" requirement to report an incident, "organizations can continue investigating indefinitely … And then when you turn around and say, 'Oh, six years ago we had a breach,' and nobody cares because it was six years ago," said Henein.
Choosing not to tell law enforcement or a regulator amounts to a statement by the organization that it does not consider the incident reportable, according to Henein. If that judgment turns out to be wrong, trust erodes.
"When your customers perceive that you're hiding or ignoring ugly facts, that trust goes away, and they start to doubt everything you do," said Robb Reck, CISO of Ping Identity.
The SEC wants more transparency in cybersecurity disclosures, taking into account the impacts on a company's reputation, financial performance, customer and vendor relationships or resulting litigation.
Following the SEC's 2011 guidance published by the Division of Corporation Finance, companies have typically opted for more cybersecurity disclosure in the form of risk factors, according to the SEC's most recent guidance from 2018. The 2011 guidance was published after a hack caused a massive outage of Sony's PlayStation Network.
Risk factors are included in 10-Q and 10-K reports, and companies update them when necessary. High-severity threats, such as those posed by nation-state actors, are typically disclosed in 8-K reports, according to Grady Summers, EVP of Solutions and Technology at SailPoint, in a Twitter thread. Summers previously served as EVP of Products and Customer Success at FireEye.
FireEye filed an 8-K report Tuesday saying its attackers "tailored their world-class capabilities specifically to target and attack FireEye." The attackers took the company's Red Team tools, which FireEye uses to test its customers' security.
The SEC's guidance is "not intended to suggest that a company should make detailed disclosures that could compromise its cybersecurity efforts," according to the agency. "We do not expect companies to publicly disclose specific, technical information about their cybersecurity systems."
Security meets legal
In the first moments after an attack is discovered, companies have to determine the full extent of the compromise. While security works to contain the incident and understand its severity, "I would let legal know, right out the gate," said Simpson. The security investigation from that point on is "often how you're determining exactly what you need to disclose and when you need to disclose it."
The constant stream of attacks complicates the question of which incidents, whether a cyberattack, an accidental misconfiguration, an insider threat or a breach, should be reported. Because some companies are under attack all the time, some elements of their environment will be compromised. "But in most cases, those elements are benign," said Simpson.
Companies that wait until SEC filings or financial reports to disclose an incident can face backlash from shareholders. PayPal, FedEx and, this year, Zoom faced shareholder lawsuits following cyber incidents, with plaintiffs alleging that the companies were not forthcoming enough at first and that the financial impact was more material than initially represented.
"Setting aside regulations and laws that drive disclosure, the key is understanding your stakeholders, and what they want in a business partner. Especially if you sell to enterprises and will hold sensitive data for your customers," said Reck.
The plaintiff in the FedEx lawsuit alleged the company wasn't clear enough about the operational disruption within one of its acquired businesses during the NotPetya attack in 2017. "If you think about a ransomware event that maybe didn't have the opportunity to steal data but took multiple locations down for a period of time … that's still a situation where you would have to disclose that to investors," said Simpson.
Organizations should avoid under-reporting incidents, but they need not over-report either. "If you undershoot, then the regulator will come back and tell you, 'You don't know what's happening in your own environment,'" said Henein.
The EU's General Data Protection Regulation (GDPR) gives organizations 72 hours to alert their supervisory authority after becoming aware of a personal data breach. "You tell them what you can," said Henein. From there, "based on what you tell the regulator, the decision will be made whether or not to inform individuals."