Cloud Incident Response Blog | Cado Security

Cloud Applications and Incident Reporting Requirements: A Perfect Storm for CISOs

Written by jbowen@cadosecurity.com | Feb 9, 2023 2:10:00 PM

Cado has traditionally been the best friend of the DFIR team. However, in recent months we’ve seen growing interest from security and IT compliance architects at an increasing number of our customers. They tell us one reason for this is the expanding number and scope of incident reporting mandates across the world.

For example:

  • In the EU, GDPR has long had a 72-hour reporting requirement for data breaches – either to your customer if you’re processing their data or to a Data Processing Authority (DPA). In addition, the NIS 2 Directive for critical infrastructure organizations comes into effect next year, with a phased reporting requirement starting at the 24-hour mark.
  • In North America, the Cyber Incident Reporting for Critical Infrastructure Act mandates a 72-hour reporting timeframe. What’s more, the SEC’s proposed Cybersecurity Rule gives you 4 business days to determine whether an incident might cross the threshold of materiality and report it.
  • Across Asia-Pacific there’s a patchwork of requirements, from the brutal 6-hour reporting requirement of India’s CERT-In to the less prescriptive requirement of Hong Kong’s Monetary Authority: "as soon as practicable after the [organization]...is aware of or notified of the incident".

Compliance teams also tell us they have a vast array of partner agreements in place that mandate that when they discover an incident, the clock starts ticking.

At the same time, business transformation initiatives continue at a dizzying speed. Many of these initiatives mean a complete overhaul of applications, making public clouds a strategic imperative, along with the adoption of more agile, elastic technologies like containers and serverless.

This creates a massive headache for CIOs, CISOs, and other senior leaders. Their incident response plans – often originally written for an on-premises era – are coming under increased scrutiny from the business, their compliance teams and auditors to make sure they can meet those stringent response requirements (for which early preparation is paramount). When they report an incident, they need to have a good idea of its root cause, scope and impact so that they can set the scene correctly, understand exactly what they need to report, and protect the organization’s reputation.

At the same time, these same incident response plans are quickly being rendered obsolete by the adoption of new technologies and computing models. For example, the rise of cloud-based, container-based and serverless technologies means that existing tools for incident response and forensics have little or no visibility into these new environments. What’s more, in a dynamic, elastic environment, even if they did have visibility, the systems and data – including the attacker’s tracks – can disappear in the blink of an eye as systems are spun up and down in response to demand, reinforcing the need for preparation. Even if you rely on a third party for incident response, you must ensure that the data you need to establish root cause and understand scope is available before you’ve activated their services.

Cado helps companies to completely rethink their approach to incident response and investigation in cloud applications.

With Cado you can:

  • Automate the entire technical part of the incident investigation and response process – from processing the alert, to collecting and preserving the evidence, analyzing the data, containing the threat and limiting its impact.
  • Prepare comprehensively for an incident, setting up accesses, automation rules, and integrations with third party systems (like incident management platforms, XDR, SOAR, CNAPP, and SIEM) to make sure you have a robust, comprehensive and defensible process and architecture.
  • Test your preparedness and understand your risk posture, knowing where your gaps are and where you need to invest to reduce your exposure.

To learn more about how Cado can help to automate your incident response, contact us.

In the meantime, here is our handy but non-authoritative guide on regulations and reporting requirements. 

Note that this is not a complete list, legislation changes frequently, and this does not constitute legal advice. You should always consult with a lawyer to discuss how the law applies to a data breach.

Legislation: (EU/UK) GDPR

Geography: EU, UK

Timeframe: "within 72 hours after having become aware of the breach"

See:

https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-data-breach-and-what-do-we-have-do-case-data-breach_en

https://ico.org.uk/for-organisations/dp-at-the-end-of-the-transition-period/overview-data-protection-and-the-eu/

Legislation: PIPEDA

Geography: Canada

Timeframe: "as soon as feasible"

See: https://www.priv.gc.ca/en/privacy-topics/business-privacy/safeguards-and-breaches/privacy-breaches/respond-to-a-privacy-breach-at-your-business/gd_pb_201810/

Legislation: FTC Health Breach Notification Rule

Geography: United States

Timeframe: "within 60 calendar days after the breach is discovered" AND "unreasonable delay"

Data: Healthcare

See: https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0

Legislation: HIPAA Breach Notification Rule

Geography: United States

Timeframe: "60 days" AND "unreasonable delay"

Sector: Healthcare

See: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

Legislation: Breach notification laws vary by state

Geography: United States

Timeframe: Varies

See: https://lewisbrisbois.com/privacy/US

Requirement: PCI DSS

Geography: Global

Timeframe: Varies

Sector: Payment Card Data Holders

See:

https://listings.pcisecuritystandards.org/documents/Responding_to_a_Cardholder_Data_Breach.pdf

https://usa.visa.com/dam/VCOM/download/merchants/cisp-what-to-do-if-compromised.pdf