New CISA bill changes breach report timeline
In the unfortunate event that your business suffers a breach, you will have to report it if it meets certain criteria. The United States has been steadily working to improve its cybersecurity goals, strategy, and infrastructure. Part of that effort is a policy requirement that organizations affected by breaches produce post-breach reports, justified under the "national interest" umbrella.
The Biden administration and Congress are currently pursuing various cybersecurity goals, primarily in response to high-profile attacks in recent years. And, after the Russian invasion of Ukraine, the administration believes important US networks are at heightened risk.
Why are breach reports needed?
In a typical scenario, a breach report is critical for analyzing how the breach occurred, what was damaged, and how much downtime resulted. The goal is to understand the factors that led to the breach so they can be fixed to prevent future intrusions. Scale that reporting up to the federal level and the idea is the same.
The Cyber Incident Reporting Act is not new; it was introduced in Congress in October 2021. It has now been approved by both the House and the Senate and will create new reporting rules for critical sectors. The bill covers entities in critical infrastructure sectors, with CISA to define exactly which entities are covered through rulemaking; energy and transportation are among the sectors that have dealt with major cyberattacks in the past.
The basic requirements of the bill are simple: a covered entity that suffers a serious cybersecurity incident must report it to CISA within 72 hours. If a ransom payment is made, that must be reported within 24 hours. The ransom-payment rule is driven largely by the expansion and proliferation of ransomware, which has exploded over the last three years. The SolarWinds breach is often cited as a motivating incident as well, though it was a supply-chain compromise used for espionage, not a ransomware attack.
Is my business affected?
A required breach report within 72 hours is stringent, though necessary. Of course, you are understandably wondering whether your enterprise is affected by these new requirements.
Once again, the new rules are directed at critical infrastructure.
If your enterprise works in energy, transportation, or other critical infrastructure, or handles highly sensitive information whose compromise could affect national security, these requirements are aimed at you. The exact list of covered entities will be set by CISA's rulemaking, so check whether your sector is included. Otherwise, the scope is narrow and it is unlikely you have anything to worry about.
Why are the requirements necessary?
The rationale is the same as for a post-breach report in your own network environment: the report exists to improve defenses. With access to this information, both CISA and the FBI can develop proactive strategies for network defense and can establish patterns in how ransomware and malware gangs operate.
But what happens if affected organizations do not report breaches? Essentially, the bill allows CISA to subpoena companies that fail to report incidents or ransom payments as required. Those who ignore a subpoena can be referred to the Department of Justice, and could face penalties and investigation.
Given the new standards, it is important to have an efficient method for creating and delivering incident reports. It is also possible that similar reporting rules will affect SMBs in the future, though for now no such bill exists.