Critically Important Organization?

            Now It Is Critical to Report Security Incidents

            By Trip Hillman, Partner, IT Advisory Services, Weaver



            Reporting  cybersecurity  attacks  and  ransomware  payments  will  no  longer  be  optional  for  certain
            businesses  under  a  new  federal  law.  The  Cyber  Incident  Reporting  Act  of  2022,  signed  into  law  by
            President  Biden  on  March  15,  2022,  mandates  that  covered  entities  inform  the  Cybersecurity  and
            Infrastructure Security Agency (CISA) within 72 hours of a ‘significant’ cyber incident. CISA will analyze
            reports from covered entities and produce and distribute anonymized bulletins to government agencies
            and key technology and cybersecurity companies, hopefully in time to prevent other businesses from
            falling victim to similar attacks. Additionally, ransomware payments will need to be reported within 24
            hours.

            With the enactment of this law, one key takeaway for organizations is the overall change in tone from
            ‘you should report…’ to a ‘you will report.’ However, key aspects of how this will play out, such as the
            necessary content, method for reporting, reporting distribution and retention and process for amending
            or recalling submissions have been left for CISA to determine. This gives CISA the flexibility to adjust
            and revise rules as new threats appear and existing ones evolve rather than having to wait for Congress
            to enact new legislation.






            Cyber Defense eMagazine – September 2022 Edition                                                                                                                                                                                                         23
            Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.