Page 25 - Cyber Defense eMagazine September 2022
• Factors and metrics to consider in evaluating whether an incident is reportable
• Data to be gathered for submission to CISA
• Process to communicate with CISA
• Personnel or roles with responsibilities related to evaluating and reporting an incident
Organizations may need to include a frequent feedback loop in their external communication processes,
as it is possible that a cybersecurity event may not become reportable until hours or even days later. An
attack may initially appear to fall below the definition of ‘significant’ per the CISA, only to become
significant and reportable upon further analysis or as new facts, such as an unexpected disclosure of
data, come to light. Covered entities should implement processes to periodically review attacks deemed
insignificant to ensure that a new understanding of the nature and scope of the attack does not elevate it
to a reportable cyber incident.
Another important element will be determining when the ‘clock starts’ for notification. A covered entity is
required to report a cyber incident no later than 72 hours after it “reasonably believes” that one has
occurred. However CISA ultimately defines ‘reasonable belief’, communication processes will have to be nimble
enough to react quickly to changes in the organization’s understanding of the security incident.
For organizations that do not yet have processes defined for communicating about cybersecurity issues
with external stakeholders, government or otherwise, the new law may be the necessary driver to
implement an appropriate strategy. Multiple cybersecurity and IT control frameworks such as NIST-CSF,
NIST 800-53 v5, ISO27001, or COBIT 2019 provide guidance and examples that help to establish
procedures for communicating security incidents in an appropriate manner.
With each new cyber security breach and ransomware attack, the need for a coordinated, substantive
response becomes more evident. It remains to be seen whether this new law will live up to expectations,
but every organization should monitor developments to see how it will affect their operations. For more
information about cybersecurity response plans, contact us. We are here to help.
About the Author
Trip Hillman, CISSP, CISA, CEH, GPEN, GCFE, GSNA
Trip Hillman is a partner in Weaver’s IT Advisory practice. Focused on
evaluating cybersecurity in a broad range of IT environments, he has
consulted with Fortune 100 companies, private equity groups, small
enterprises and government entities alike on security and compliance.
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.