Congress has responded to the surge of major cyberattacks over the past year with the Cyber Incident Reporting Act. This bipartisan legislation sets deadlines for organizations to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA).
These deadlines are meant to give CISA broad visibility into cyberattacks, which in turn will empower a “whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks,” in the words of Ohio’s Republican Senator Rob Portman.
Cyber Incident Reporting Requirements
The bill sets two reporting deadlines:
- 24 hours for organizations to report paying ransoms in response to ransomware attacks
- 72 hours for owners and operators of critical infrastructure to report cybersecurity incidents
The organizations covered by this legislation are primarily critical infrastructure groups, nonprofits, businesses with more than 50 employees, and state and local governments.
Consequences of Non-Compliance
Under the bill, CISA has the power to subpoena organizations that fail to comply with these first national cyber incident reporting requirements. Organizations that dodge the requirements potentially face referral to the Justice Department and a ban on conducting business with or for the federal government.
“This will help our nation deter future attacks, fight back against cybercriminals, and hold them accountable for infiltrating American networks,” says Chairman Gary Peters (D-Mich.).
Shared Assessments Supports Cyber Incident Reporting
Yesterday’s announcement of the federal requirements for reporting cyber incidents received resounding support from Shared Assessments’ subject matter experts.
Cyber Incident Reporting Requirements Improve Response Time For Countermeasures
“I applaud and welcome the US Congress for taking such action as cybersecurity threats against our infrastructure morph, grow, and intensify. Organizations historically (and rightly) don’t want to air their dirty laundry in public (i.e., a cyber incident),” states Tom Garrubba, Vice President, Shared Assessments.
“Not sharing such details with federal authorities in a timely manner diminishes the country’s ability to leverage federal and even international resources and greatly reduces any response time required for countermeasures,” continues Garrubba.
Clear Definitions For Cyber Incident Reporting
“There has been eager anticipation for the government to intervene and play a bigger role in cybersecurity attacks, particularly with critical infrastructures. Ideally, as the government gets timely information related to a ransomware attack, including any payments, it can formulate an overall response that can best serve businesses of all shapes and sizes,” reflects Nasser Fattah, Senior Advisor, Shared Assessments.
Fattah also notes that it is “important to include very clear definitions for key terms, including ‘incident’ in the legislation.”
Cyber Incident Response Planning Crucial
Ron Bradley, Vice President, Shared Assessments, expresses his sincere hope that “this piece of legislation doesn’t come as a surprise to organizations, particularly those in critical infrastructure.”
Bradley adds that “Having a well-documented incident response plan, which is tested on a regular basis, is a crucial component to good cybersecurity hygiene. It would be unwise for any company to contemplate paying a ransom without first contacting the FBI. In fact, knowing who to contact at the FBI and establishing that relationship ahead of time is extremely important.”
Bradley continues that “The same thing holds true with the Cybersecurity and Infrastructure Security Agency (CISA). Any incident response program associated with critical infrastructure must have clear and complete processes for contacting government agencies in the event of a major ransomware attack, including the potential of paying the ransom.”
Resources For Cyber Incident Planning
Our post on Preparedness Month identifies five areas on which risk management should focus.
Developing a strong approach to Incident Response Communications is also wise, since recent events show that emergencies are certain to arise.