As cyberattacks increase, will regulators demand mandatory cyberattack reporting?
In one sector, they likely will.
Which one? Read on to find out.
Mandatory cyberattack reporting in critical infrastructure
Well, the shift is coming in the U.S. critical infrastructure sector.
Here, the Cybersecurity and Infrastructure Security Agency (CISA) has posted a notice of proposed rulemaking for the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).
The Cyber Incident Reporting for Critical Infrastructure Act
So, what does CIRCIA do?
As the name suggests, CIRCIA, signed into law in 2022, empowers CISA to develop and implement regulations requiring certain critical infrastructure organizations (typically not small businesses) to report covered cyber incidents and ransomware payments.
The reporting is intended to enable CISA to better fulfill its mandate of understanding, managing, and mitigating threats to the nation’s cyber and physical infrastructure by:
- Rapidly deploying resources and rendering assistance to victims suffering attacks
- Analyzing incoming reporting across sectors to spot trends
- Quickly sharing that information with network defenders to warn other potential victims
Mandatory cyberattack reporting in the offing
What does the rule itself specify?
Per the rule, CIRCIA requires covered entities to report to CISA within certain prescribed timeframes (1) any covered cyber incidents, (2) ransom payments made in response to a ransomware attack, and (3) any substantial new or different information discovered related to a previously submitted report.
Most saliently, “substantial cyber incidents” are to be reported within 72 hours of discovery and ransom payments within 24 hours.
What do these terms mean, though? CISA has proposed the following working definitions:
Cyber incident
An occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually jeopardizes, without lawful authority, an information system.
Covered cyber incident
A substantial cyber incident experienced by a covered entity.
Substantial cyber incident
A cyber incident that leads to any of the following:
- A substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network
- A serious impact on the safety and resiliency of a covered entity's operational systems and processes
- A disruption of a covered entity's ability to engage in business or industrial operations, or deliver goods or services
- Unauthorized access to a covered entity's information system or network, or any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a cloud service provider, managed service provider, other third-party data hosting provider, or a supply chain compromise
Potential penalties for non-compliance with mandatory cyberattack reporting
The law also authorizes the regulator to use various mechanisms to obtain information from a covered critical infrastructure organization that hasn’t been reported in accordance with reporting requirements. Those mechanisms include:
- The issuance of an RFI
- The issuance of a subpoena
- A referral to the Attorney General to bring a civil action in District Court to enforce a subpoena
- Acquisition, suspension, and debarment enforcement procedures
Hefty, indeed.
What happens now with mandatory cyberattack reporting?
What’s the timeline?
The official proposal was published in the Federal Register on 4 April of this year. From that date, the public had 60 days, until 3 June, to submit written comments before the regulations are finalized and become law.
CISA, for its part, expects to publish the final rule within 18 months after the public comment period closes.
For covered critical infrastructure organizations, the task of beefing up cyber incident management and reporting, therefore, begins now. Where to start? Check out our Introductory Guide to Cyber Incident Management to find out.