"New Research Claims Biden's Disclosure Deadlines Are Unrealistic"

According to new research by cyber-risk rating firm BitSight, organizations in the United States are ill-prepared to meet the strict new cyber incident disclosure requirements imposed by the Biden administration. Earlier this month, President Biden signed legislation requiring critical infrastructure organizations to disclose “substantial” cyber incidents to the federal government within 72 hours. However, an analysis of more than 12,000 publicly disclosed cyber incidents from 2019-2022 published by BitSight researchers revealed that incidents are typically discovered and disclosed after weeks and months rather than hours and days. The researchers stated that, on average, it takes an organization 105 days from the date an incident occurred to discover and disclose it. Of that time, 46 days pass between the incident and its discovery, and a further 59 days pass between discovery and disclosure. The researchers found that larger organizations are faster at discovering and disclosing incidents than smaller organizations. Yet, while organizations with more than 10,000 employees were 30% quicker at discovering and disclosing incidents than smaller organizations, it still took them, on average, 39 days to discover an incident and 41 days to disclose it. The researchers noted that disclosing higher-severity incidents was a more ponderous process than reporting incidents of a more minor nature. The findings suggest that organizations would struggle to comply with new regulations that would require disclosure of “material” cyber incidents within 96 hours.
 

Infosecurity reports: "New Research Claims Biden's Disclosure Deadlines Are Unrealistic"
