On March 15, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 into law as part of the larger 2022 Consolidated Appropriations Act. Known as the Cyber Incident Reporting Act, the law requires certain critical infrastructure entities to swiftly report specific cyber incidents and ransomware payments to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
Interos believes this legislation is a significant step forward in improving national security accountability, especially in supply chain attacks. Let’s look at some of the key reasons why it will help to promote resilience in cyber security.
Mandatory reporting forces organizations to address cyber security problems
Many organizations have significant cybersecurity problems. While many companies make a substantial effort to promote resilience in cyber security, others don’t.
Recent supply chain attacks have exposed organizations with little or no cyber security staff and budgets. These companies gamble on the assumption that they will not have a cyber problem, or that no one will find out about it. Mandatory reporting removes that flawed approach and forces organizations to face proper scrutiny for their lack of effort, which also stops your competitors from gaining an advantage by scrimping on cyber efforts.
Mandatory reporting promotes a straightforward focus on resilience in cyber security
In the past few years, many organizations have decided not to report cyber incidents for various reasons, primarily legal. They often count on an indifferent public and lax enforcement environment.
Mandatory reporting makes the response a standard procedure for all organizations. Before mandatory reporting, executives could decide not to report incidents, hide severe internal issues, and reasonably expect to face only minor fines; often they went unpunished entirely. An organization that does not report can now face severe financial penalties and civil action for non-compliance. Companies can now focus on mitigation rather than on deciding how to respond to a cyber incident, saving you time and money.
Mandatory reporting will help future legislation reflect actual threats faced by organizations
Organizations often complain that governments propose laws that are ineffective and challenging to comply with in the real world. However, it is impossible to create legislation that improves national security and benefits the private sector without an accurate view of cyber threats. Governments need to know what the real cyber threats are in order to legislate effectively, which ultimately helps your organization and industry.
Mandatory reporting forces organizations to prioritize compliance over secrecy
When attacks happen, organizations should act quickly and decisively to mitigate the threat. This effort includes policy changes, hardware changes, personnel changes, using a modern operational resilience platform, and more. It can be difficult for the cyber team to act freely without mandatory reporting. Imagine trying to order thousands of laptop hard drives because of a successful ransomware attack and being told by your leadership to slow down the replacement effort because it would arouse suspicions.
Other issues include asking internal stakeholders to make significant changes immediately without telling them why it is critical. It is also impossible to reach out for help to public forums, vendors, industry groups, government resources, etc. Mandatory reporting allows cyber response teams to act without constraint, which mitigates the threat as quickly as possible.
Mandatory reporting forces vendors to be more responsive to vulnerabilities
Unfortunately, bad publicity about a vendor’s cyber vulnerabilities and the resulting loss of sales are the primary drivers to fix these defects. Mandatory reporting brings these problems into the spotlight, forcing vendors to make fixes promptly.
Mandatory reporting gives your organization awareness of a vendor’s issues. If issues have not yet been announced, or no customer has complained publicly, vendors would likely prefer to roll out new features rather than fix existing problems. Unless you become aware of a vendor’s issues, you cannot be proactive in patching or reevaluating your relationship with that vendor before you suffer an attack.
Conclusion: Standing together to promote resilience in cyber security
Mandatory reporting of cyber incidents will continue to be a controversial subject. Still, Interos believes compliance is in everyone’s best interest, and everyone should join together to report these events in a standard and timely manner.
The new legislation’s reporting requirement gives an organization the freedom to respond, since reporting is now an expectation rather than a choice. It also gives organizations an opportunity to educate the public and government on how outside forces plague their company, while encouraging companies to adopt better cybersecurity solutions and vendors to resolve issues faster. This sea change will benefit your organization.
To see a demo of the Interos Operational Resilience platform, please check out https://www.interos.ai/resources/interos-product-overview/.