The SEC cyber disclosure rules leave companies confused one year later. Deloitte denies hack claims amid Brain Cipher ransomware allegations. And Microsoft and SAP are issuing patches for some critical vulnerabilities. This is Cybersecurity Today.
I'm your host, Jim Love. One year after the Securities and Exchange Commission, the SEC, introduced stricter disclosure rules for cybersecurity incidents, many companies are still struggling to comply, leaving investors in the dark about critical details. A recent report by BreachRx reveals that only 16.9 percent of public companies filing 8-K reports on cyber incidents have provided specific details on the material impact of those incidents on their business.
Furthermore, 52 percent of these filings relied on generic boilerplate language, with just under half offering any information on how the organization was responding to the issue. The rules, enacted in December 2023, require public companies to disclose material cyber incidents within four business days and to include details of their overall cybersecurity strategies in annual reports.
However, ambiguity about what constitutes "material" has left companies grappling with compliance. Many have interpreted the term narrowly, focusing solely on financial impact while excluding breaches affecting customer data. The SEC intended for the rules to promote greater transparency and avoid vague statements, but industry practices have fallen short. "The SEC was very clear, they wanted greater transparency," said BreachRx CEO Andy Lunsford, "and it's pretty clear that's not what the industry has done."
Corporate lawyers have reportedly discouraged detailed disclosures due to concerns about litigation risks. As a result, some companies have adopted minimal reporting practices, prompting criticism from cybersecurity advocates. Notable exceptions like Microsoft have filed more comprehensive disclosures, setting a potential standard for the industry.
Looking ahead, the SEC's enforcement of these rules remains uncertain, especially with a change in leadership on the horizon. While current chair Gary Gensler has prioritized cybersecurity, incoming chair Paul Atkins may take a different approach, raising questions about the long-term impact of the rules. For now, the lack of clarity and inconsistent compliance highlight the ongoing challenge of balancing corporate transparency with legal and operational concerns.
Deloitte has denied allegations from the Brain Cipher ransomware group claiming the theft of over one terabyte of data. The group added Deloitte UK to its Tor leak site, alleging it had exfiltrated a trove of compressed data. In a statement, a Deloitte spokesperson emphasized: "Our investigation indicated that the allegations relate to a single client system, which sits outside of the Deloitte network. No Deloitte systems have been impacted." The company continues to investigate the matter.
The Brain Cipher ransomware group has threatened to release the data in five days if a ransom is not paid. The group, active since at least April 2024, has a track record of high-profile cyber attacks, including a June breach of an Indonesian data center that disrupted 210 critical government services, causing widespread delays. Despite initially demanding an $8 million ransom, the group later released a decryptor for free. Cybersecurity researchers, including those at Group-IB, suggest connections between Brain Cipher and other ransomware groups such as EstateRansomware and SenSayQ. Shared stylistic elements in ransom notes and overlapping technologies on their Tor sites support this hypothesis. This isn't the first time Deloitte has faced hacking allegations. In September, the IntelBroker threat actor claimed to have stolen sensitive data from the firm, but Deloitte refuted the claims, saying no sensitive data was compromised.
But in 2017, the company did suffer a significant breach, where a hacker got access to admin credentials, which exposed confidential client emails and other sensitive information, leading to a severe reputational hit. The ongoing Brain Cipher allegations place Deloitte's cybersecurity measures under scrutiny once again, though the company firmly maintains its network remains unaffected. And Microsoft and SAP are issuing patches for some critical vulnerabilities.
Microsoft's December 2024 Patch Tuesday addressed 71 security vulnerabilities, including one actively exploited zero day, CVE-2024-49138. Among the fixes, 16 critical flaws involve remote code execution, posing significant risks to affected systems. The zero day vulnerability, discovered by CrowdStrike, allows attackers to gain SYSTEM privileges on Windows devices. While details on how it was exploited remain scarce, Microsoft has released a fix to mitigate the risk.
The update also includes patches for 27 elevation of privilege vulnerabilities, seven information disclosure flaws, and five denial of service issues. Notably, two Edge vulnerabilities were resolved earlier in the month. Given the severity of these flaws, users and organizations are urged to apply the patches immediately to protect against potential exploits.
In addition to these security updates, Microsoft released non-security updates for Windows 10 and 11, which address performance and functionality improvements. And SAP has released patches for 16 vulnerabilities as part of its December 2024 Security Patch Day, including a critical server-side request forgery, SSRF, flaw in NetWeaver's Adobe Document Services. The vulnerability, tracked as CVE-2024-47578 with a CVSS score of 9.1, could allow attackers with administrative privileges to exploit the system by sending crafted requests through a vulnerable web application. Successful exploitation might enable attackers to read or modify files and potentially disable the entire system. The flaw affects ADSSSAP version 7.50 and poses a significant threat to internal systems typically protected by firewalls.
Alongside CVE-2024-47578, SAP addressed two related vulnerabilities, CVE-2024-47579 and CVE-2024-47580, that could lead to unauthorized file access and information disclosure. Other notable fixes include a cross-site scripting vulnerability, CVE-2024-47590, with a CVSS score of 8.8 in Web Dispatcher, and an information disclosure issue, CVE-2024-54198, with a CVSS score of 8.5 in SAP NetWeaver Application Server. SAP has reported no active exploitation of these vulnerabilities in the wild.
Organizations using affected systems are strongly advised to apply the patches promptly to mitigate those potential risks. There's a lot going on. And that's our show for today. You can find links to reports and other details in our show notes at technewsday.com. We welcome comments, tips, and the occasional bit of constructive criticism at editorial at technewsday.ca. I'm your host, Jim Love. Thanks for listening.