Reporting Substantial Cyber Incidents

The US Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is a significant piece of legislation passed in 2022, designed to tackle cyber incidents affecting critical infrastructure.  While its full impact is still unknown, CIRCIA presents new requirements for incident reporting that cyber risk professionals must understand and prepare for.

CIRCIA was created to help the US government coordinate responses to significant cyber incidents that affect essential services.  Its goal was to improve cybersecurity across critical sectors and ensure timely incident reporting so appropriate measures could be taken to mitigate the harm.  This is not about adding another layer of business regulation; CIRCIA is vital to defending national security.

What does the law require?  Under CIRCIA, any covered entity that experiences a substantial cyber incident must report it to the US Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of reasonably believing an incident occurred.  A report must be submitted within 24 hours if a ransomware payment is made. These timelines are tight, especially considering that many organizations take much longer to identify and fully assess an

What is a covered entity?  CIRCIA focuses on critical infrastructure across 16 sectors, including energy, healthcare, financial services, water systems, transportation, and IT.  You are likely considered a covered entity if your organization operates within one of these sectors.  It's important to note that smaller businesses may be excluded, but any large organization within these sectors will be subject to the new reporting rules.

What is a "substantial" cyber incident?  That is where it gets confusing. CIRCIA defines a substantial cyber incident as one that causes significant loss of confidentiality, integrity, or availability of a system or network or seriously impacts the safety and resiliency of a covered entity's operations; it is not just a minor disruption.  The law points specifically to situations like significant ransomware attacks, data breaches facilitated by third-party providers, and supply chain compromises.  This makes it clear that the focus is on incidents that pose a severe threat, not small, everyday cyber issues like phishing attempts or minor vulnerabilities.

CIRCIA also requires reporting on any ransomware payments made.  Even if the ransomware attack does not meet the threshold for being a "substantial" incident, the fact that a payment was made triggers a mandatory report to CISA.  This provision aims to give the government better visibility into the scope of ransomware activity, which has been increasing in recent years.  To streamline reporting, a joint report can be submitted if both a cyber incident and a ransom payment occur.

The law is not just concerned with getting reports. It also wants to make sure the information is used correctly and protected.  CISA can use the information provided in five key ways:

  1. For cybersecurity purposes
  2. To identify threats and vulnerabilities
  3. To prevent or mitigate severe economic harm or bodily harm
  4. To investigate threats to minors
  5. To prosecute cybercrime, including fraud and espionage

Outside these uses, CISA is prohibited from sharing or using the information in ways that would harm the reporting entity.  This includes protections from being penalized or subject to regulatory action based solely on the incident report.  The goal is to encourage openness and transparency in reporting without fear of retribution.

But here is the catch: filing these reports will take some serious work. The law specifies that entities must provide detailed information about the incident, including:

  1. The systems affected
  2. The nature of the attack
  3. Any unauthorized access
  4. Steps taken to mitigate the damage

It even requires details about third-party providers that might have been involved.  That means organizations must document their incidents thoroughly and be ready to submit updates until the situation is fully resolved.  Additionally, covered entities that do not meet their reporting obligations could face fines, and they must also preserve records related to an incident for up to five years.  This makes it essential for organizations to respond to incidents, keep good records, and ensure that incident reports are complete and accurate.

Preparing for a CIRCIA disclosure:

  • First, you will need to assess whether your organization falls within the law's scope. You are likely covered if you're in one of the 16 critical infrastructure sectors and meet the size thresholds. Work with your legal team to confirm this.
  • Second, update your incident response plans. Ensure they reflect the new reporting requirements, especially the tight 72-hour window for incident reporting. This will likely require coordination across multiple teams in your organization, from IT and security to legal and compliance.
  • Third, develop a process for determining when an incident is "substantial." The definition provided by CIRCIA is broad, so it is critical to establish internal guidelines that help you assess whether an incident meets the reporting threshold. You do not want to over-report minor issues, but you also do not want to fail to report something that CISA would consider substantial.
  • Fourth, be ready to handle ransom payment reporting. Even if you have never paid a ransom before, it is important to have a plan in place for handling a ransomware attack and ensuring compliance with the 24-hour reporting requirement if a payment is made.

The good news (Ha!) is that CISA is committed to helping organizations navigate this new requirement.  While CIRCIA reporting may seem like an additional burden, it is about improving national security.  As cyber incidents become more common and damaging, the government and critical infrastructure organizations must work together to respond quickly and effectively.  All internet users should want much better digital protection than we have today. Filing reports is a necessary step in that direction.

In the end, CIRCIA is about ensuring the country can respond to the growing threats cyberattacks pose to our critical infrastructure. For cyber risk management professionals, that means doing your disaster planning now to be ready when these rules take full effect.


This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
