Cyber Incident Reporting Act: Clock Is Ticking

Cyber Incident Reporting Act: Clock Is Ticking

Sep 29, 2021 | Business Continuity, Public Policy

Cyber Incident Reporting Act

In response to the surge of major cyberattacks over the past year, Congress has responded with the Cyber Incident Reporting Act. This bipartisan legislation sets timelines for organizations to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA).


These timelines are meant to give CISA broad visibility into cyberattacks which will empower a “whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks,” in the words of Ohio’s Republican Senator Rob Portman.


Cyber Incident Reporting Requirements


The bill requires reporting timelines of:


  • 24 hours for organizations to report paying ransoms in response to ransomware attacks
  • 72 hours for owners and operators of critical infrastructure to report cybersecurity incidents


Organizations impacted by this regulation are primarily critical infrastructure groups, nonprofits, businesses with more than 50 employees, and state and local governments.


Consequence of Non-Compliance


The CISA has the power to subpoena organizations failing to comply with the first national cyber incident reporting requirements. The consequences of dodging reporting requirements potentially include being referred to the Justice Department and being banned from conducting business with or for the federal government.


“This will help our nation deter future attacks, fight back against cybercriminals, and hold them accountable for infiltrating American networks,” says Chairman Gary Peters (D-Mich.)


Shared Assessments Supports Cyber Incident Reporting


Yesterday’s announcement of the federal requirements for reporting cyber incidents received resounding support from Shared Assessments’ subject matter experts.


Cyber Incident Reporting Requirements Boosts Response Time For Counter Measures


“I applaud and welcome the US Congress for taking such action as cybersecurity threats against our infrastructure morph, grow, and intensify. Organizations historically (and rightly) don’t want to air their dirty laundry in public (i.e., a cyber incident),” states Tom Garrubba, Vice President, Shared Assessments.


“Not sharing such details with federal authorities in a timely manner diminishes the country’s ability to leverage federal and even international resources and greatly reduces any response time required for countermeasures,” continues Garrubba.



Clear Definitions For Cyber Incident Reporting


“There has been eager anticipation for the government to intervene and play a bigger role in cybersecurity attacks, particularly with critical infrastructures.  Ideally, as the government gets timely information related to a ransomware attack, including any payments, that it can formulate an overall response that can best serve businesses of all shapes and sizes,” reflects Nasser Fattah, Senior Advisor, Shared Assessments.


Fattah also notes that it is “important to include very clear definitions for key terms, including ‘incident’ in the legislation.”


Cyber Incident Response Planning Crucial


Ron Bradley, Vice President, Shared Assessments expresses his sincere hope that “this piece of legislation doesn’t come as a surprise to organizations, particularly those in critical infrastructure.”


Bradley adds that “Having a well-documented incident response plan, which is tested on a regular basis, is a crucial component to good cybersecurity hygiene.  It would be unwise for any company to contemplate paying a ransom without first contacting the FBI.  In fact, knowing who to contact at the FBI and establishing that relationship ahead of time is extremely important.”



Bradley continues that “The same thing holds true with the Cybersecurity and Infrastructure Security Agency (CISA).  Any incident response program associated with critical infrastructure must have clear and complete processes for contacting government agencies in the event of a major ransomware attack, including the potential of paying the ransom.”


Resources For Cyber Incident Planning


Our post on Preparedness Month identifies 5 areas risk management should focus on.


Developing a strong approach to Incident Response Communications is wise as modern times demonstrate that emergencies are guaranteed to arise.

Sabine Zimmer

Sabine is Vice President of Marketing and Sales for Shared Assessments. Sabine enjoys collaborating across teams to build a stronger risk management community. When she's not at work, she is outdoors in the Southwest with her family.

Sign up for our Newsletter

Learn about upcoming events, special offers from our partners and more.

Sub Topics