Cyber incident reporting 

New rules, new timelines

Austin Greene and Michael Milkovich | 5/5/2022

New guidance on cyber incident reporting requires critical service organizations, including financial services, to take steps now.

Information technology (IT) professionals have to consider an increasing number of requirements when securing their environments. For those working in financial services organizations in particular, such requirements include compliance with established and emerging standards and regulations.

In November 2021, the Board of Governors of the Federal Reserve System (Fed), the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corp. (FDIC) issued a final rule, “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers,” on how banks will need to handle cybersecurity-related incidents and report incidents to federal regulators and customers. Then, in March 2022, the Biden administration added to the list of concerns for financial services organizations and other areas deemed to be critical services with passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

Many financial services and critical infrastructure organizations might need to improve their ability to identify, track, and report cyber-related incidents in order to achieve compliance with the Computer-Security Incident Notification rule. Additionally, such organizations will need to align with CIRCIA when addressing computer-security incidents. Paying attention to these new requirements can help all organizations harden their defenses and be better prepared when – not if – security events take place. 


What is the Computer-Security Incident Notification rule?

The Computer-Security Incident Notification rule, finalized in November 2021, requires notification of computer-security incidents to a financial services organization’s primary regulator as soon as possible following discovery of the incident and no later than 36 hours after identifying the incident. Under this rule, financial services organizations also are required to notify customers as soon as possible if the incident has caused or might cause “material service disruption or degradation for four or more hours.”

The Computer-Security Incident Notification rule clearly defines key terms, including the definition of a computer-security incident: “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” The specificity of this definition is critical as it determines when an event must be reported and puts strict boundaries on what constitutes an incident.

What is the Cyber Incident Reporting for Critical Infrastructure Act of 2022?

CIRCIA originated as part of the Strengthening American Cybersecurity Act of 2022, which the House and Senate unanimously passed in early March 2022. Congress then attached the reporting clause of the original bill to the Consolidated Appropriations Act of 2022, which President Biden signed into law on March 15, 2022.

CIRCIA addresses cybersecurity concerns related to critical infrastructure and the federal government and expands the current responsibilities of the Cybersecurity and Infrastructure Security Agency (CISA) by adding the role of risk management and data collection for all cyber-related concerns surrounding critical U.S. infrastructure. CISA is now tasked with performing continual assessment of federal risk posture and with the creation of a breach notification program that will require federal civilian agencies to report all significant cyber incidents to CISA within 72 hours of their occurrence. Any payment of ransomware demands requires notification within 24 hours of payment.

In terms of defining a significant cyber incident, beyond the general definition included in the law, CISA is working toward specifics and will issue details within the next 24 months and finalize the definition within the following 18 months. Critical infrastructure and financial services organizations need to strategically plan for and stay abreast of news and requirements as they are communicated by CISA. Doing so can shorten the runway to compliance once formal requirements are announced.

Passage of CIRCIA means that CISA now has the authority to collect and review information surrounding cyber incidents across all critical infrastructure sectors including, but not limited to:

  • Financial services
  • IT
  • Healthcare and public health
  • Communications
  • Energy
  • Food and agriculture

Now that CISA is the centralized source of information regarding cyber incidents involving critical U.S. infrastructure, the agency can create metrics; analyze the tools, techniques, and patterns of pervasive threat actors; and develop playbooks and guidance on response times to educate all participating sectors. Access to this information will give all involved entities real-time awareness of current cyberthreats, an early view of what their immediate concerns should be, and a clearer picture of where they should allocate their IT and security resources and efforts.

How does the guidance compare?

The technical requirements to reach compliance with CIRCIA are similar to those of the Computer-Security Incident Notification rule. However, included organizations will need to establish a plan and protocol regarding the handling of the CISA notification while also accounting for any prolonged engagement with CISA in the event of a cyber incident.

[Figure: Comparing cyber incident reporting guidance]

What timelines should organizations know?

The Computer-Security Incident Notification rule is effective April 1, 2022, with full compliance expected by May 1, 2022. Financial services professionals will need to continue to devote time and resources to complying with this rule now that the compliance date has arrived.

On the other end of the spectrum, CIRCIA identifies a 24-month timeline during which CISA is required to outline the program and important definitions such as:

  • What constitutes a significant cyber incident?
  • What data is required to be reported by the reporting entity as a result of a breach or ransomware payment?

Following this 24-month period, CISA will then have 18 months to finalize the proposed rules. In total, this new reporting requirement could be implemented as far out as three and a half years from March 15, 2022.

Why does cyber incident reporting matter?

These new regulations demonstrate that the federal government will have an ever-increasing involvement in improving U.S. cybersecurity. With the growing threat landscape, including threats emerging from the war in Ukraine, critical infrastructure and financial services organizations likely will incur intense scrutiny from regulators and lawmakers. 

Organizations should take this continually evolving situation into consideration and begin strategically planning future adjustments to any relevant policies and procedures, such as incident response programs. Coupling this planning with mock incident exercises can also help improve overall information security programs.

It is challenging for any organization to pivot and track significant regulatory adjustments and expectations associated with incident response and cybersecurity. As such, financial services and other critical infrastructure organizations shouldn't hesitate to reach out to a trusted adviser or consultant to assist them on this journey.
