Details on the cyber breach reporting law

Cyber Incident Reporting for Critical Infrastructure Act

On March 15, 2022, President Biden singed into law the Cyber Incident Reporting for Critical Infrastructure 2022 with included the Consolidated Appropriations Act of 2022, which means mandatory breach reporting and no longer voluntary disclosures of cyber incidents. While cyber attackers don’t shy away from disclosing how to hack a system or the newest way that they were able to make it through a secured network; companies of all industries and types haven’t been as inclined to disclose information when breach incidents take place. There are different reasons for the lack of sharing on cyber incidents, but now that there is mandatory breach disclosure alongside offering protections things can take a turn for the better. A layout of who is affected by the cyber incident reporting law and what it entails can help you prepare accordingly. What to report  Cyber incidents that threaten national security interests, foreign relations, or the economy of the United States, or the public confidence, civil liberties, or public health and safety of the people of the United States, as decided by the Secretary of the Department of Homeland Security. Who must report The 16 critical infrastructure entities defined in Presidential Policy Directive 21.  These include financial services, information technology, energy, public health, food and agriculture, critical manufacturing, chemicals, communications, defense industrial base, and emergency services, to name some of them. To whom to report cyber incidents Cybersecurity and Infrastructure Security Agency (CISA) When to report - what time frame Within, and no later than, 72 hours from the moment the entity reasonably believes that it has been subject to a cyber incident, that breach has occurred. Reporting is ongoing until the cyber incident has been fully mitigated and resolved. This means that all new information, different information, and ransom payment must be disclosed by the entity for as long as they are working on mitigating and resolving the cyber incident. Ransom payment must be reported Whether or not the cyber incident is a covered incident defined above (in the section ‘what to report’), ransom payment(s) must be reported by a covered entity defined in Presidential Policy Directive 21 within 24 hours after a payment has been made. To be clear: You must report to CISA if you make a ransom payment.  You must do this no later than 24 hours after you have made a payment. Independently from what type of business you are, you could be affected by the law.  With this in mind, make sure you pay attention to the rulemaking process and plan accordingly. Remember that cyber incident reporting isn’t only about compliance, it helps a company to have government assistance.  Working with law enforcement contacts keeps a company moving forward in a cyber incident investigation.  Governing bodies such as the FBI and US Secret Service (USSS) can help a business in real time to stop an attack from doing more damage and bring justice when the cyber criminals are apprehended. Enhancing your breach reporting capabilities saves your business and extends to saving lives.  It may seem like a stretch for some, but it is not when you consider what can happen when a hacker enters the network of our city’s power grid. For as much as some people may frown upon this cyber reporting law, it allows for sharing information that leads national security and the private sector to keep cyber readiness an active priority. It connects the dots in a way that creates a collective incident response. This means people learn to cooperate, to count on each other, to stay informed and learn to be proactive with a well-laid out incident response plan. Because the cyber notification also provides liability protection to victims, this encourages companies and governments to put all their pieces together and handle the threat in unison.  The fear of reporting goes away. The reporting law extends liability protection for covered entities that submit a report; privacy and civil liberties protections limit the dissemination of any personal or identifying information collected in conjunction with reporting requirements; an exemption under the Freedom of Information Act for reports and provisions ensure that reports to the CISA don’t undermine trade secret and attorney-client privilege protections; and no report or document submitted to comply with the reporting law may be received in evidence, subject to discovery or otherwise used in any trial, hearing or other proceeding. The cyber incident law supports better cybersecurity practices because it requires CISA to organize, aggregate and anonymize the information from the cyber incident reports. They must do this in a way that makes the information actionable for the private sector.  This includes for cyber research organizations. When transparency is a constant and information is accurate, effectiveness can’t be missed.  Consider how the law states the information accumulated must be used.

• Assessment of effectiveness of controls over cybersecurity.
• Inventory of tactics, techniques and procedures used to overcome controls.
• Impacts on public health and safety.
• Tracking of ransom payments, including the use of virtual currencies.
• Up-to-date and actionable reports of cyber incident campaigns and trends.
• Recommendations on prevention or mitigation of similar cyber incidents. Briefings on the cyber threat landscape with actionable recommendations and alerts to the private sector.

  Additional legislation could help to improve cyber incident reporting if it were to expand the protections for reporting to other agencies and not just CISA, and if it allowed the use of the cyber incident information aggregated to be used in real-time by law enforcement and legal processes. Pay attention to the rulemaking process if you want to express feedback or engage in how it moves along.  The law gives the CISA director broad authority to develop rules within 24 months from the date of the enactment of the law.   The main questions that will be addressed during the rulemaking process are the following four.   How likely is your organization to be covered? The criteria for covered entities in critical infrastructures are going to be laid out.

• Disruption or compromise to national security, economic security or public health and safety.
• The likelihood such an entity may be targeted.
• The extent to which damage, disruption or unauthorized access to the entity will enable disruption of the reliable operation of critical infrastructure.

  What constitutes a significant cyber incident? The minimum thresholds are also set up.

• A cyber incident that creates a loss of confidentiality, integrity or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes.
• A disruption of business or industrial operations against an information system or network or an operational technology system or process.
• Unauthorized access or disruption of business or industrial operations due to loss of service brought about by a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.

The criteria for consideration include: the sophistication or novelty of the tactics used to conduct the cyber incident, as well as the type, volume and sensitivity of the data; the number of people directly or indirectly affected, and the potential impact on industrial control systems.   What you should be prepared to report? You will report all information to the extent applicable and that is available to you.

• A description of the function of the affected information systems, networks or devices affected.
• An estimated date of the incident.
• A description of the unauthorized access.
• The impact to the operations.
• A description of the vulnerabilities exploited and the security defenses that were in place, as well as the tactics, techniques and procedures used in the incident.
• Any identifying or contact information related to each actor believed to be responsible.
• The categories of information that were accessed or acquired by an unauthorized person.

  When it comes to ransomware payment reporting you will be asked to include: the ransom payment demand, including the type of currency or other commodity requested; the ransom payment instructions, as well as the address of the recipient; and lastly, the amount of the ransom payment.  The rulemaking process will also discuss the manner and form of reports in greater detail.   What if you’re already required to report information to a different government agency? An entity will not be required by law, regulation or contract to report similar information to another federal agency within a similar timeframe when CISA has an agreement in place that satisfies the requirements of the cyber incident law. The exemption for the covered entity takes place only once an agency agreement and sharing mechanism is established between the agency and the respective federal agency. With this basic outline, we hope you can start getting ahead of the new cyber incident law and stay on top of the rulemaking process.   Schedule your free cybersecurity consultation if there’s anything we can do to help: https://calendly.com/ncxgroup