June 30, 2022
When it comes to cybercrimes, it’s easy to focus on an attack’s impact for your business. How
quickly can you get your data back? How can you defend best against the attack?
However, when considering cybersecurity there’s another area that deserves attention:
government cyber incident reporting requirements.
If you don’t comply with reporting law, you can face regulatory enforcement, penalties, and loss of customer
trust on top of the damage caused by the attack itself. It’s critical to stay compliant!
While governmental reporting requirements are nothing new, the Cyber Incident Reporting for
Critical Infrastructure Act of 2022 (CIRCIA), signed into law in March 2022, shortens the clock considerably.
Once CISA’s implementing rule takes effect, the law requires covered entities in critical infrastructure
sectors to report a covered cyber incident to CISA within 72 hours of reasonably believing it has occurred,
and to report a ransomware payment within 24 hours of making it.
This legislation, however, is only the tip of the iceberg when it comes to cybersecurity reporting
requirements.
In this article, we’ll cover the legal basics, what you’re responsible for, and what you need to do
to keep your company safe and legally compliant in the case of a security breach.
Cybersecurity incident definition
In the most basic terms, a cybersecurity incident is an event in which an attacker gets past your
defenses and compromises your systems or data. In the legal realm, however, most reporting laws don’t
apply to every single incident, however trivial.
For example, CIRCIA directs CISA to define a reportable “covered cyber incident” as, at a minimum, a substantial
incident that “leads to substantial loss of confidentiality, integrity, or availability of such information
system or network” or causes “a disruption of business or industrial operations, including due to a denial of
service attack, ransomware attack, or exploitation of a zero day vulnerability.”
In other words, not every security breach falls under cyber incident reporting requirements.
Instead, governmental regulations come into play when the attack is significant and
compromises sensitive data or cripples your operating capacity.
What is cyber incident reporting?
Cyber incident reporting requires many companies to file a detailed report with a government
agency about any significant cyberattack.
Under CIRCIA, reports go to the Cybersecurity & Infrastructure Security Agency (CISA), the agency within the
Department of Homeland Security (DHS) responsible for receiving them.
CIRCIA reports must include, among other things, a description of the incident, the systems affected, the
vulnerabilities the attackers exploited, and the tactics, techniques, and procedures they used.
Other sectors report elsewhere: banking organizations notify their primary federal regulator (the OCC, the
Federal Reserve, or the FDIC), and communications providers report to the FCC.
The bottom line? Check the federal guidelines for your industry so you know what to report, who to send
your report to, and when the clock starts.
Examples of a cyber incident
An incident that requires reporting might take one of many forms.
A ransomware attack, for example, is a common type of cyber incident that can cause
extraordinary damage. The 2017 WannaCry attacks locked companies like FedEx
and Nissan out of their own systems and demanded payment.
While some attackers demand money, others simply release sensitive information to the public.
This was the case with RockYou2021, a compilation of roughly 8.4 billion password entries, drawn from
earlier breaches, that was posted publicly in 2021.
Any attack that compromises customer credentials or other important customer data in this way
should be treated as a reportable cyber incident.
These are just a few common examples of cyber incidents. To be sure you’re in compliance, stay
up-to-date on your industry guidelines and report as soon as possible if you experience a
security breach.
When should security incidents be reported?
Under CIRCIA, covered cyber incidents must be reported within 72 hours. This means that within 3 days
of the point at which you reasonably believe a covered incident has occurred, you need to submit a
report to CISA covering the details of the attack, and to follow up with supplemental reports as
substantial new information becomes available.
Moreover, if you experience a ransomware attack and pay to get your data or access back, you
need to report that payment within 24 hours of making it.
Other federal rules that might apply to your business, like the 2021 Computer-Security
Incident Notification rule for banking organizations, require notification of your primary federal
regulator no later than 36 hours after you determine that a notification incident has occurred.
That rule applies to banking organizations supervised by the OCC, the Federal Reserve, or the FDIC, and
to their bank service providers, so if you operate in that sector you’ll need to ensure that you report
as promptly as possible.
What is the difference between an event and an incident?
In cybersecurity terms, an event is any observable occurrence in a system or network, as NIST SP 800-61
defines it. An event can be benign, or it can be security-relevant: a foiled attempt to exploit a
vulnerability, or a malware infection that spreads across your entire environment.
In contrast, an incident is a security event that actually violates, or imminently threatens to violate,
your security policies and negatively affects business operations or data. In other words, every incident
is an event, but only events serious enough to cause real harm become incidents, and only a subset of
those meet the legal threshold for reporting.
What is an incident response plan?
An incident response plan is a documented, tested procedure that governs how you respond to
a security incident.
The procedure can include instructions on how to prevent an attack, how to respond to an
ongoing threat, and steps to take after the attack (such as ensuring proper documentation and
reporting).
An incident response plan is an important tool because it lets you work through the decisions a security
incident will force on you before one happens, so you can respond quickly and decisively if an attack ever occurs.
The seven basic elements of an incident response plan
- Preparation – The first essential step in a good incident response plan is preparation. Decide how your employees will prepare for an attack, develop and distribute outage prevention and control checklists, and ensure that everyone in your company is on the same page.
- Identification – When an incident is happening, you want your employees to be able to identify it as soon as possible, before too much damage is done. Your incident response plan should include guidelines and training to help workers spot suspicious activity and alert management as quickly as possible. Record the time of discovery: under CIRCIA the 72-hour reporting clock starts when you reasonably believe a covered incident has occurred, not when you finish cleaning it up.
- Containment – Once you’ve discovered a security threat, contain it as soon as possible. Develop a plan that focuses on protecting the most critical systems and data while isolating the affected segment.
- Investigation – You need to know what happened: what caused the incident, how your systems were breached, and how much damage was done. Make sure your incident response plan includes procedures for investigation and for preserving the evidence (logs, disk images, memory captures) that the investigation and any report will rely on.
- Eradication – Now that you’ve found the source of the incident, you need to get rid of it. Approaches include deploying patches, rebuilding compromised systems from known-good images, and rotating any credentials the attacker may have obtained. This step should also include processes for notifying both customers and the appropriate government agency, if required. Make sure you check the laws carefully and lay out the thresholds and deadlines for when an incident must be reported!
- Recovery – Restore normal operations, and with them customer trust, through a system designed to get your company back to business safely. This might include getting re-certified to confirm that everything is secure before systems return to service.
- Follow-up – Always use a security incident as a lesson to help you chart a better course for the future. Keep careful notes at each step of the incident response process and review them to see what you did well, what you could improve, and how you can prevent such an incident from happening again.
When it comes to cyber incident reporting requirements, being prepared will take you far.
Know the laws and how they apply to your business, and have a plan for what you’ll do in case
of an incident. Don’t wait until you’re actually under attack to read up on legal guidelines and
regulations!
The world of cyber compliance can be complex and confusing. If you’re struggling to understand
which laws apply to you and how to create a comprehensive plan, we understand!
At Expedient Technology Solutions, we can help develop a security plan for your business that
takes into account the legal issues. Contact us today to learn more!