Top US Cyber Agency Pushing Toward First Hack Reporting Rule

By Skye Witley

A new US notification requirement for victims of malicious hacks could push in-house counsel to disclose cyberattacks when faced with ransomware and other network compromises.

Among the first-ever cyber regulations to be enforced by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, the top US cyber authority, the proposed rules would require companies in 16 critical infrastructure sectors, including healthcare, energy and finance, to report security incidents within three days and ransomware payments within 24 hours.

CISA's proposed rule is part of a US effort to shore up defenses against the increasingly disruptive attacks of cyber criminals and nation-backed hacking groups, while simultaneously streamlining overlapping and inconsistent breach-notification reporting requirements across sectors. The rule would nudge companies toward new hiring and staff retraining, and push general counsel toward more active cybersecurity responsibilities.

The Biden administration set December 2025 as the deadline for the final rule, which was mandated in the Cyber Incident Reporting for Critical Infrastructure Act of 2022.

"One glaring challenge has been our cyber incident reporting system, which has recently been revealed as a bureaucratic maze," said Jackie Singh, a consultant who was a senior cybersecurity staffer in the Biden campaign. "With over 50 disparate reporting channels scattered across numerous government entities, this broken system represents a potential Achilles' heel. Agility is key to withstand cyber threats in a resilient manner; convoluted reporting structures don't fit into what we commonly think of as agile."

Companies only compound cyber threats when they delay reporting information that could protect other companies or national security, Singh said.

The agency's new rule is designed to encourage greater visibility into cyber incidents with security implications beyond a single company, so information submitted in the breach reports is guaranteed certain protections.

Chief among those: local, state and federal governments can't use the information in the reports to regulate a company providing notice, unless CISA believes it is withholding incident information; in that case the agency can subpoena the company and subject it to daily monetary fines. If the rule is approved, company reports may also receive attorney-client privilege and be exempted from the Freedom of Information Act.

Many of the existing 52 enacted or proposed federal cybersecurity breach reporting requirements are sector-specific, making CISA's approach markedly different as it positions itself as an industry-friendly agency, said Justin Herring, a partner at Mayer Brown LLP and former cybersecurity regulator with the New York State Department of Financial Services.

"At least with respect to notification and the requirements to reporting, this will be the most cross-industry rule that I can think of, definitely at the federal level, and that will give them an opportunity to create rules like this for industries that don't have a close regulator," said Herring. But CISA's powers as a regulator aren't fully fleshed out, he said, because it can't yet prescribe security measures, instead relying on enforcement referrals to the Department of Justice.

"This may be the first baby step towards CISA taking on those kinds of regulatory powers," Herring said.

The cybersecurity agency is expected to request more technically detailed disclosures than most federal agencies, given its posture as a clearinghouse for timely incident information and resources, said Nick Sanna, president of the FAIR Institute, which created an economics-based cyber risk analysis framework.

"CISA's motive is more to help protect the company, and they play a real role in terms of information sharing of what threats are most prevalent right now," Sanna said.

At the same time, the agency should be wary of requesting so much information that it enables other companies or threat actors to identify the initial victim from CISA's warnings, he added.

The law mandating CISA's rule development doesn't focus on requirements for specific critical infrastructure sectors, but instead appears most targeted on combating ransomware attacks, said Ben Miller, vice president of services at Dragos Inc., a cybersecurity firm that focuses on the industrial control systems that manage machines and manufacturing.

"They definitely don't have their arms around the volume of activity that's going on within the sectors as it relates to ransomware. I think it's much larger than we feel at times, and there are impacts into the OT and critical infrastructure environments," Miller said, referring to operational technology networks, where machines connect to other machines.

In response to interview requests with CISA officials, the agency pointed Bloomberg Law to a March update from Executive Director Brandon Wales detailing feedback it received from the public and explaining that increased reporting will enable the agency to spot trends in real time and fill critical information gaps.

CISA's menu of security remedies is complicated by the conflicting interests of victims and their industry peers, who could be next on an attacker's list. While victims may hesitate to disclose explicit details of a security compromise, CISOs managing their own networks want all of the details they can get to bolster defenses, said Bob Olsen, the global head of cybersecurity and privacy at the consulting firm Ankura.

So far, regulators are siding with attack victims, but agencies like CISA or law enforcement could better standardize what incident information gets shared with the public, he said. CISA recently launched a warning system to flag common ransomware vulnerabilities and built an interagency task force to coordinate ransomware defenses.

After serving as a CISO in several critical infrastructure sectors, Olsen is clamoring for more information from the agency. He recalled scenarios in which he was alerted by an agency that his sector was being actively targeted by threat actors, but given no further details.

"They're sort of presupposing what information would be helpful for me to then go take action, to be proactive, but it isn't always the case," Olsen said. Consistently receiving indicators of compromise, such as malicious email accounts or internet addresses, would be helpful, for example, because it allows companies to preemptively block network activity from accounts hackers may be using, he said.

CISA is developing its first regulation while the Biden administration is also assessing how best to reduce duplicative reporting requirements and standardize cybersecurity terminology. A comprehensive look at that approach came in a Sept. 19 DHS report centered on cyber harmonization, listing eight recommendations for federal agencies.

In a statement released alongside the report, CISA Director Jen Easterly said the recommendations and input sent directly to the agency would help inform the proposed rule. The recommendations included a template incident reporting form, a standardized definition of a cyber incident, and model timelines for reporting breaches. Federal agencies should assess the viability of establishing a single online incident reporting portal rather than each maintaining their own, the report suggested. It said agencies should clarify which data fields are essential and which may be withheld, at least temporarily.

The report also acknowledged the challenge of harmonizing reporting requirements across 33 federal departments and agencies, given diverging and overlapping requirements. Duplicative reporting can impede a victim's ability to focus resources on mitigating a security breach, and inconsistencies in how agencies collect incident data can make it harder for the government to elucidate trends, the report found. But the longer the agency takes to finalize the requirements, the longer the list of cybersecurity breach victims becomes, said Joshua Corman, former chief strategist of CISA's Covid task force.

"For something born out of a sense of urgency, this slow and methodical process lacks that urgency, for something that shouldn't be very complicated, carries no penalties, and only exists to enable the government to do its job," Corman said.

To contact the reporter on this story: Skye Witley at switley@bloombergindustry.com

To contact the editor responsible for this story: Kartikay Mehrotra at kmehrotra@bloombergindustry.com