Page 23 - Cyber Defense eMagazine September 2022
Critically Important Organization?
Now It Is Critical to Report Security Incidents
By Trip Hillman, Partner, IT Advisory Services, Weaver
Reporting cybersecurity attacks and ransomware payments will no longer be optional for certain
businesses under a new federal law. The Cyber Incident Reporting Act of 2022, signed into law by
President Biden on March 15, 2022, mandates that covered entities inform the Cybersecurity and
Infrastructure Security Agency (CISA) within 72 hours of a ‘significant’ cyber incident. CISA will analyze
reports from covered entities and produce and distribute anonymized bulletins to government agencies
and key technology and cybersecurity companies, hopefully in time to prevent other businesses from
falling victim to similar attacks. Additionally, ransomware payments will need to be reported within 24
hours.
With the enactment of this law, one key takeaway for organizations is the overall change in tone from
‘you should report…’ to ‘you will report.’ However, key aspects of how this will play out, such as the
required content of a report, the method for reporting, report distribution and retention, and the process for amending
or recalling submissions, have been left for CISA to determine. This gives CISA the flexibility to adjust
and revise rules as new threats appear and existing ones evolve, rather than having to wait for Congress
to enact new legislation.
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.