CTPAT Continued - Requirement 4
As your security program continues to mature, CTPAT recommends that you share relevant information with the government and business partners.
The CBP says:
Members are encouraged to share information on cybersecurity threats with the Government and business partners within their supply chain. Information sharing is a key part of the Department of Homeland Security's mission to create shared situational awareness of malicious cyber activity. CTPAT Members may want to join the National Cybersecurity and Communications Integration Center (NCCIC - https://www.us-cert.gov/nccic). The NCCIC shares information among public and private sector partners to build awareness of vulnerabilities, incidents, and mitigations. Cyber and industrial control systems users can subscribe to information products, feeds, and services at no cost.
Together we can be stronger in the fight against cyber crime and information sharing within your industry and business partners helps protect everyone's business.
This recommendation is also in line with the push to be more open about security incidents. One major example is California Attorney General's breach reporting laws.
Per the California Office of the Attorney General:
California law requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. (California Civil Code s. 1798.29(a) [agency] and California Civ. Code s. 1798.82(a) [person or business].)
Any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system shall electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General. (California Civil Code s. 1798.29(e) [agency] and California Civ. Code s. 1798.82(f) [person or business].)
You can see these reports on the California Attorney General's website and you will probably be surprised at the variety of industry and size of the companies affected.
If you want to learn more about the NCCIC or California Civil Code please check out the links in the article and book a meeting with one of our cybersecurity consultants.