Now It Is Critical to Report Security Incidents
By Trip Hillman, Partner, IT Advisory Services, Weaver
Reporting cybersecurity attacks and ransomware payments will no longer be optional for certain businesses under a new federal law. The Cyber Incident Reporting Act of 2022, signed into law by President Biden on March 15, 2022, mandates that covered entities inform the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of a ‘significant’ cyber incident. CISA will analyze reports from covered entities and produce and distribute anonymized bulletins to government agencies and key technology and cybersecurity companies, hopefully in time to prevent other businesses from falling victim to similar attacks. Additionally, ransomware payments will need to be reported within 24 hours.
With the enactment of this law, one key takeaway for organizations is the overall change in tone from ‘you should report…’ to ‘you will report.’ However, key aspects of how this will play out, such as the required content of a report, the method for reporting, the distribution and retention of reports, and the process for amending or recalling submissions, have been left for CISA to determine. This gives CISA the flexibility to adjust and revise rules as new threats appear and existing ones evolve, rather than having to wait for Congress to enact new legislation.
To date, CISA has not released specific information about the nature of cyberattacks to be reported, but the agency has indicated that it will expand the traditional definition of ‘critical infrastructure’ to include, at a minimum, the 16 Critical Infrastructure Sectors defined in a 2013 Presidential Policy Directive:
- Chemical
- Commercial Facilities
- Communications
- Critical Manufacturing
- Dams
- Defense Industrial Base
- Emergency Services
- Energy
- Financial Services
- Food & Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
- Water and Wastewater Systems
To further define the industries covered, several sectors include subsectors. For example, the commercial facilities sector includes seven subsectors covering, among others, casinos, stadiums, retail centers, and malls under the rationale that they constitute “sites that draw large crowds of people,” but without defining what “large” is. Other sectors define covered activities instead of relying on subsectors.
Together, the 16 Sectors represent a significant expansion of what was once considered critical. For instance, they cover the entire food supply chain from farms to restaurants and grocery stores, water and electric utilities, retail banking, and telecommunication networks, including internet access providers and cell phone networks. The law gives CISA wide latitude to expand the list of covered entities within and beyond the 16 Sectors, whether it is by adding new covered activities or subsectors to an existing Sector, or adding a new Sector altogether.
Most medium and large businesses may want to review the list of Critical Infrastructure Sectors, publicly available on CISA’s website. While many covered activities and terms are subject to further clarification, a review of CISA’s rationale for labeling a sector as critical may help in determining the likelihood that a business will be required to report cyber incidents. To encourage disclosure and assuage concerns about releasing potentially sensitive business data, the law includes protections against legal liability and freedom-of-information requests for companies that report to CISA.
Organizations that have implemented the NIST Cybersecurity Framework (CSF) or a comparable framework should already have processes in place to triage and investigate security incidents, identify external stakeholders, and disseminate relevant information. Once CISA publishes the details implementing the act, these organizations will need to update their existing processes to cover areas required under the new law that weren’t included in the original framework, including:
- Factors and metrics to consider in evaluating whether an incident is reportable
- Data to be gathered for submission to CISA
- Process to communicate with CISA
- Personnel or roles with responsibilities related to evaluating and reporting an incident
Organizations may need to include a frequent feedback loop in their external communication processes, as it is possible that a cybersecurity event may not become reportable until hours or even days later. An attack may initially appear to fall below CISA’s definition of ‘significant’, only to become significant and reportable upon further analysis or as new facts, such as an unexpected disclosure of data, come to light. Covered entities should implement processes to periodically review attacks deemed insignificant to ensure that a new understanding of the nature and scope of an attack does not elevate it to a reportable cyber incident.
Another important element will be determining when the ‘clock starts’ for notification. A covered entity is required to report a cyber incident no later than 72 hours after it “reasonably believes” that one has occurred. Regardless of how CISA ultimately defines reasonable belief, communication processes will have to be nimble enough to react quickly to changes in the organization’s understanding of a security incident.
For organizations that do not yet have processes defined for communicating about cybersecurity issues with external stakeholders, government or otherwise, the new law may be the necessary driver to implement an appropriate strategy. Multiple cybersecurity and IT control frameworks, such as the NIST CSF, NIST SP 800-53 Rev. 5, ISO/IEC 27001, and COBIT 2019, provide guidance and examples that help establish procedures for communicating security incidents in an appropriate manner.
With each new cybersecurity breach and ransomware attack, the need for a coordinated, substantive response becomes more evident. It remains to be seen whether this new law will live up to expectations, but every organization should monitor developments to see how it will affect its operations. For more information about cybersecurity response plans, contact us. We are here to help.
About the Author
Trip Hillman, CISSP, CISA, CEH, GPEN, GCFE, GSNA
Trip Hillman is a partner in Weaver’s IT Advisory practice. Focused on evaluating cybersecurity in a broad range of IT environments, he has consulted with Fortune 100 companies, private equity groups, small enterprises and government entities alike on security and compliance.