“If you can’t measure it, you can’t manage it.” Peter Drucker
In this post, we are looking at current cyber reporting requirements in the US and the latest progress in this field.
The US government largely relies on voluntary reporting, which only captures a fraction of the attacks that occur. Current reporting is fragmented and incomplete across multiple federal agencies, including the Cybersecurity and Infrastructure Agency (CISA), the FBI, and the Treasury Department’s Financial Crimes Enforcement Network (FinCEN), among others. CISA, which belongs to the Department of Homeland Security, was created in 2018 specifically to reduce risk to the nation’s cyber and physical infrastructure. While the agencies state that they share data with each other, the effectiveness of such communication remains questionable. This lack of data on ransomware attacks and payments hampers both the fight against such attacks and efforts to help victims prevent or recover from them. It also means that legislators are unsure of what policies to pass and whether existing policies are addressing the issue.
Therefore, regulators have taken steps to address the rising threat of ransomware attacks by issuing new regulations and expanding existing ones. Growing concerns about potential cyberattacks in retaliation for the U.S. response to Russia’s invasion of Ukraine have also fostered this initiative.
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), as part of the Strengthening American Cybersecurity Act of 2022, became law on March 15, 2022. In short, it mandates that critical infrastructure operators report to the CISA within 72 hours of a substantial cyber-attack and within 24 hours if the organization made a ransomware payment (regardless of whether the ransomware attack met the threshold of a substantial cyber incident).
CISA will have up to two years to develop the regulations in consultation with various entities and stakeholders and publish them in a Notice of Proposed Rulemaking (NPRM). Afterwards, it will have another 18 months to issue a Final Rule setting forth the regulatory requirements. CISA has released a Request for Information (RFI) soliciting public input for 60 days, starting September 12, 2022, on potential aspects of the proposed regulation.
CISA will have to define which entities will be required to report cyber incidents and which cyber incidents will have to be reported. It is also CISA’s task to establish the specific content required in cyber incident and ransomware payment reports.
Beyond the Cyber Incident and Ransom Payment Reporting Requirements, CIRCIA includes several other initiatives:
- Federal Incident Report Sharing: Any federal entity receiving a report on a cyber incident and/or ransom payment after the effective date of the final rule must share that report with CISA within 24 hours. CISA will also have to make information received under CIRCIA available to certain federal agencies within 24 hours.
- The Cyber Incident Reporting Council will coordinate, de-conflict, and harmonize federal incident reporting requirements.
- The Ransomware Vulnerability Warning Pilot Program will identify systems with vulnerabilities to ransomware attacks and may notify the owners of those systems.
- The Joint Ransomware Task Force will build on the work that has already begun to coordinate an ongoing nationwide campaign against ransomware attacks. CISA will continue working closely with the FBI and the National Cyber Director to build the task force.
While covered cyber incident and ransomware payment reporting under CIRCIA will not be required until the Final Rule implementing CIRCIA’s reporting requirements goes into effect, CISA encourages critical infrastructure owners and operators to voluntarily share with CISA information on cyber incidents prior to the effective date of the final rule.
While the passage and signing into law of CIRCIA is certainly an improvement, it only covers critical infrastructure organizations. In addition, it may be years before the regulations officially become law.
Regarding public companies, the U.S. Securities and Exchange Commission (SEC) requires them to report material cybersecurity risks and incidents that trigger disclosure obligations. However, on March 9, 2022, the SEC proposed new Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies.
The proposal came after findings that current disclosure practices are inadequate. The proposed rules recognize that cybersecurity is an emerging risk for public companies and that both companies and investors need to evaluate public companies’ cybersecurity practices and incident reporting.
The proposed rules, if adopted, will require each public company to
- report material cybersecurity incidents within four business days after determining that it has experienced such incidents;
- provide periodic updates of previously reported cybersecurity incidents;
- describe its cybersecurity risk management policies and procedures;
- disclose its cybersecurity governance practices; and
- disclose cybersecurity expertise on the board of directors.
The comment period on the Proposed Rules ended on May 9, 2022. Further Commission action on this topic is awaited.