This landmark legislation tasks the Cybersecurity and Infrastructure Security Agency to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments.
Ransomware attacks have become increasingly prevalent among state, local, tribal and territorial government entities and critical infrastructure organizations.
CISA's NPRM proposes four types of impacts that would result in an incident being classified as a substantial cyber incident and reportable.
CISA is further proposing that substantial cyber incidents include any incident, regardless of cause, whether or not ransomware is involved.
CIRCIA requires covered entities to report to CISA any covered cyber incidents within 72 hours after the entity reasonably believes that the covered cyber incident has occurred.
Ransom payments made in response to a ransomware attack must be reported within 24 hours after the ransom payment has been made.
Clearly, CIRCIA places ransomware as a reporting priority.
A covered entity that experiences a covered cyber incident must report that incident to CISA. A covered entity that makes a ransom payment as the result of a ransomware attack must report that payment to CISA. Until a covered entity notifies CISA that the covered cyber incident in question has concluded and been fully mitigated and resolved, a covered entity must submit an update or supplement to a previously submitted report on a covered cyber incident if substantial new or different information becomes available.
A covered entity must submit an update or supplement to a previously submitted report on a covered cyber incident if the covered entity makes a ransom payment after submitting a Covered Cyber Incident Report.
Let's say your company discovers that it experienced a cyber incident two years ago, and the incident is ongoing.
You would still be required to submit a Covered Cyber Incident Report under the proposed rule because the incident has not concluded and has not been fully mitigated and resolved.
Another example of a good faith exclusion would be a properly authorized penetration test that inadvertently results in a cyber incident with actual impacts.
Other good faith exclusions could be incidents that arise from security research testing.
Good faith security research generally stops at the point where the vulnerability can be demonstrated and should not typically result in an actual impactful incident.
In some cases, a covered entity, in response to a genuine ransomware attack or other malicious incident, might decide to take action against itself that results in reportable-level impacts, such as shutting down systems or operations.
This scenario is still considered to be a reportable substantial cyber incident.
In such a case, the incident itself was not perpetrated in good faith, and the threshold-level impacts would not have occurred if there had been no attack.
Clearly, the covered entity intentionally triggered an impactful event in an attempt to minimize the potential damage of a cyber incident.
The discussion about ransomware reporting requirements is ongoing.
When even entities with robust cyber resilience are at risk, the final conclusions of CIRCIA will be on everyone's radar.
This Cyber News was published on securityintelligence.com. Publication date: Thu, 30 May 2024 17:43:05 +0000