Page 25 - Cyber Defense eMagazine September 2022

•  Factors and metrics to consider in evaluating whether an incident is reportable
•  Data to be gathered for submission to CISA
•  Process to communicate with CISA
•  Personnel or roles with responsibilities related to evaluating and reporting an incident

Organizations may need to build a frequent feedback loop into their external communication processes, because a cybersecurity event may not become reportable until hours or even days after it is first detected. An attack may initially appear to fall below CISA's definition of 'significant', only to become significant, and therefore reportable, upon further analysis or as new facts come to light, such as an unexpected disclosure of data. Covered entities should implement a process to periodically re-review attacks that were deemed insignificant, so that a changed understanding of the nature and scope of an attack is recognized promptly if it elevates the event to a reportable cyber incident.

Another important element will be determining when the 'clock starts' for notification. A covered entity is required to report a cyber incident no later than 72 hours after it "reasonably believes" that one has occurred. Note that the clock runs from the point of reasonable belief, not from the point of first detection, which is why the two must be recorded separately. However CISA ultimately defines 'reasonable belief', communication processes will have to be nimble enough to react quickly as the organization's understanding of the security incident changes.

For organizations that do not yet have defined processes for communicating about cybersecurity issues with external stakeholders, government or otherwise, the new law may be the driver needed to implement an appropriate strategy. Cybersecurity and IT control frameworks such as the NIST CSF, NIST SP 800-53 Rev. 5, ISO/IEC 27001, and COBIT 2019 provide guidance and examples that help establish procedures for communicating security incidents in an appropriate manner.

With each new cybersecurity breach and ransomware attack, the need for a coordinated, substantive response becomes more evident. It remains to be seen whether this new law will live up to expectations, but every organization should monitor developments to see how it will affect its operations. For more information about cybersecurity response plans, contact us. We are here to help.

About the Author

Trip Hillman, CISSP, CISA, CEH, GPEN, GCFE, GSNA

Trip Hillman is a partner in Weaver's IT Advisory practice. Focused on evaluating cybersecurity in a broad range of IT environments, he has consulted with Fortune 100 companies, private equity groups, small enterprises and government entities alike on security and compliance.
            Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.