In my previous post, I laid out the context for the current cyber incident reporting legislation proposed by Congress. Below is an analysis of the legislation itself.

What Legislation is Currently on the Table

The intent of a cyber incident reporting law is to establish a clear, unified set of requirements to communicate to the private sector when, how, what and to whom they need to disclose.

Let’s look at the current legislation up for debate. The Senate version, originally introduced as the Cyber Incident Reporting Act of 2021 and reintroduced as the Strengthening American Cybersecurity Act of 2022, and the House version, originally introduced as the Cyber Incident Reporting for Critical Infrastructure Act of 2021, both require critical infrastructure owners and operators to report a covered cyber incident to the Cybersecurity and Infrastructure Security Agency (CISA). The Senate version sets the reporting window at 72 hours; the House version has not yet set one.

It’s important to emphasize where the draft legislation’s focus is deliberately narrow. For example, the reporting requirement doesn’t apply to all businesses but only those deemed to be owners or operators of critical infrastructure. Similarly, not all cyber incidents will have to be reported—only those that meet a certain threshold of significance that has not yet been fully defined. While it’s possible to make some assumptions now—such as that “critical infrastructure” will likely mirror existing CISA definitions—many of the details remain to be fleshed out. That task is delegated to the director of CISA, who is instructed to work with other stakeholders to define threshold terms, build out the reporting process and establish a Cyber Incident Review Office within CISA to staff it.

Most notably, the Senate version includes additional language requiring businesses—except for “an individual or small business” of “fewer than 50 employees”—to report ransom payments issued in response to a cyber incident. Small and medium-sized businesses (SMBs) were excluded chiefly because it was feared that reporting requirements would be too onerous for their more limited capacity—though select SMBs that contract with the government or that are considered critical infrastructure still have to report.

What to Watch for if Congress’s Cyber Incident Reporting Bill Passes

If Congress passes this version or a similar form of cyber incident reporting legislation and it is signed into law, there are a few things that we should keep an eye on.

First, we should expect to see some delay in getting the new mandates online. As mentioned, the draft legislation leaves many of the particulars of the reporting process to the Department of Homeland Security and director of CISA. It will take some time for the director to issue an interim rule on the process, submit it for public comment and modify it as necessary into a final rule.

Second, it will be worth paying attention to how CISA navigates the existing patchwork of reporting requirements. The draft legislation notes that the Cyber Incident Review Office will have to “consider any existing regulatory reporting requirements, similar in scope, purpose, and timing to the reporting requirements under this section, to which a covered entity may also be subject, and make efforts to harmonize the timing and contents of any such reports to the maximum extent practicable” (House version, page 15). Here’s an example challenge: while the draft legislation sets the reporting period at 72 hours to CISA, the Securities and Exchange Commission (SEC) is currently discussing a rule that would require certain financial institutions to report within 48 hours directly to the SEC.

Third, there is the question of how each of the relevant definitions—“covered entity,” “covered incident,” etc.—will be interpreted by CISA, companies and company lawyers. For example, the draft currently states: “[t]he term ‘covered cyber incident’ means a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the Director …” (Senate version, page 7). Businesses will want clear definitions—perhaps with examples—to figure out what they have to disclose and what they don’t.

Fourth is the question of capacity. Simply put, will government and private sector actors have the ability to meet their reporting and hand-off requirements? CISA is already a busy agency, and this is one more important task among many. How CISA and industry alike are able to streamline reporting, support affected entities and process new data inputs without losing capacity in other areas will be worth watching.

As a final note: it’s important to set expectations. Even a flawless incident reporting process won’t make the United States 100 percent secure overnight. But if these bills live up to their potential, the federal government should gain more insight into oncoming threats and active cyber incidents across the country. Armed with that information, it should be better positioned to allocate resources, issue warnings and updates to industry, and craft more responsive policies to deal with this dynamic environment.

Image credit: Maksim Kabakou