What is the Computer-Security Incident Notification rule?
The Computer-Security Incident Notification rule, issued jointly by the OCC, the Federal Reserve Board and the FDIC and finalized in November 2021, requires a banking organization to notify its primary federal regulator as soon as possible, and no later than 36 hours after the organization determines that a notification incident has occurred. The rule also requires bank service providers to notify their banking-organization customers as soon as possible when the provider determines it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.
The rule defines its key terms precisely. A computer-security incident is “an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.” A notification incident, the event that starts the 36-hour clock, is a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the banking organization’s operations, business lines, or ability to deliver services. Because the definition turns on actual harm rather than potential harm, it draws a firm boundary around what must be reported and when.
What is the Cyber Incident Reporting for Critical Infrastructure Act of 2022?
CIRCIA originated as part of the Strengthening American Cybersecurity Act of 2022, which the Senate passed by unanimous consent on March 1, 2022. Congress then attached the incident-reporting provisions of that bill to the Consolidated Appropriations Act of 2022, which President Biden signed into law on March 15, 2022.
CIRCIA addresses cybersecurity concerns related to critical infrastructure and expands the responsibilities of the Cybersecurity and Infrastructure Security Agency (CISA) by making it the central collection and analysis point for cyber incidents affecting critical U.S. infrastructure. CISA is tasked with establishing, through rulemaking, a reporting program under which covered entities in critical infrastructure sectors must report covered cyber incidents to CISA within 72 hours after the entity reasonably believes the incident has occurred. Any ransom payment made in response to a ransomware attack must be reported within 24 hours of the payment.
Beyond the general definition in the statute, CISA is still working out the specifics of what constitutes a covered cyber incident and which entities are covered. The law gives CISA 24 months from enactment to publish a notice of proposed rulemaking and a further 18 months after that to issue a final rule. Critical infrastructure and financial services organizations should plan for these requirements now and track CISA’s communications as the rulemaking progresses; doing so shortens the runway to compliance once the final requirements are announced.
Passage of CIRCIA means that CISA now has the authority to collect and review information surrounding cyber incidents across all critical infrastructure sectors including, but not limited to:
- Financial services
- IT
- Healthcare and public health
- Communications
- Energy
- Food and agriculture
With CISA established as the centralized source of information on cyber incidents involving critical U.S. infrastructure, the agency can build metrics; analyze the tools, techniques and patterns of pervasive threat actors; and develop playbooks and response-time guidance to educate all participating sectors. Sharing this information back out will give covered entities near-real-time awareness of current cyberthreats, an early view of what their immediate concerns should be, and a better basis for deciding where to allocate IT and security resources.
How does the guidance compare?
The technical requirements for complying with CIRCIA are similar to those of the Computer-Security Incident Notification rule: both hinge on detecting an incident quickly, determining whether it meets the reporting threshold, and delivering notification within a fixed window. Covered organizations will, however, need a separate plan and protocol for handling the CISA notification, including the possibility of prolonged engagement with CISA, such as supplemental reports, after a cyber incident.
Comparing cyber incident reporting guidance