On March 15, U.S. President Joe Biden signed a $1.5 trillion omnibus spending bill into law, which included innovative provisions that introduce new cyber incident reporting obligations for critical infrastructure owners and operators, such as those in the communications, information technology, energy, and financial services sectors. At a moment when other countries are also pondering if and how to enhance cybersecurity via the implementation of similar incident reporting obligations, the U.S. provides an exemplary approach. The new U.S. requirements integrate many of the recommendations ITI included in our Principles for Cyber Incident Reporting in the U.S. and our Global Cyber Incident Reporting Policy Principles.
Central to the success of these incident reporting regimes is a harmonized approach to ensure efficiency and consistency during these crisis moments for incident responders. The U.S. legislation establishes a new council to coordinate and deconflict federal incident reporting requirements. So as the U.S. government works to streamline incident reporting requirements domestically, it is critically important those obligations are consistent across borders to the extent possible. This will help to improve cybersecurity globally by ensuring that approaches are interoperable, improving efficiencies for incident responders, both in the private sector and in government, who have limited time and resources to combat oftentimes sophisticated threat actors. With that in mind, we encourage global policymakers to consider similar approaches to those taken by the United States, particularly with regard to:
- Enacting an appropriate incident reporting timeframe. The new U.S. cyber incident reporting requirements provide for a 72-hour reporting window “after the covered entity reasonably believes that a covered cybersecurity incident has occurred.” A reasonable timeline that balances government equities and the realities of incident response activities is essential for a number of reasons. First, it allows the impacted entity to determine what has occurred. Oftentimes, companies are not able to immediately ascertain the cause and/or nature of a significant compromise – is it a cyberattack, a network outage, or some other issue? A 72-hour reporting timeline allows impacted entities to investigate the issue and begin devising an appropriate response. Second, it allows the impacted entity to uphold cybersecurity best practices while investigating the incident, which may take many months. The impacted entity is more likely to be well informed after 72 hours, minimizing the potential for reporting an incident in a way that leaves its customers in a more vulnerable position by exposing information about the incident before a patch is applied or operations are restored. Third, it ensures that resources are allocated appropriately and that the incident is properly contextualized. A shorter reporting timeframe makes it more difficult for the impacted entity to place the technical details and potential impacts of the incident into context, potentially resulting in overreporting and inundating competent authorities with reports that do not provide meaningful information. Finally, it aligns with global best practices. Interoperable approaches are key, and this timeframe aligns with the EU’s General Data Protection Regulation (GDPR), the German IT Security Law, and approaches taken at the U.S. state level.
- Allowing for supplemental reports to be submitted following initial notification. Investigations of a cyber incident can take many months, if not longer, and additional information is uncovered over time. The recently enacted U.S. requirements allow for the submission of supplemental reports or updates if new or different information becomes available, allowing the impacted entity to add detail to a report at a later date. ITI encourages other governments to allow for similar updated reports to be submitted following an initial notification.
- Ensuring robust liability protections and sufficient protections for information provided. The U.S. requirements provide robust liability protections for entities, including prohibiting lawsuits from being brought against covered entities solely on the basis of submitting a report, and prohibiting the use of an incident report as evidence against a covered entity. They also prohibit the use of a report in regulatory action directed at the entity and preserve privileges. Including liability protections ensures that entities do not face repercussions from alerting authorities when they suffer an incident.
- Limiting reporting responsibility to the impacted entity. While prior versions of incident reporting legislation left room for third-party service providers to be obligated to report "covered cyber incidents," the final form of the requirements limits reporting obligations to the "covered entities." Limiting reporting responsibility is critical to allow vendors or third parties to uphold contractual obligations and protect business confidential information, and, given that many service providers operate globally, will help to avoid international conflicts of law. Limiting responsibility also ensures that competent authorities do not receive duplicative information from both the impacted entity and the third-party service provider.
- Providing a vehicle for sustained engagement with critical infrastructure owners and operators. The new requirements direct the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to launch a rulemaking process to further develop definitions of key terms in the legislation, including “covered entity,” “covered incident,” and what information should be included in an incident report. This sort of engagement ensures that the ultimate rules that are put into place reflect the experience and perspective of critical infrastructure owners and operators. It also allows for a robust dialogue to take place between the regulator and those entities that will potentially fall under the regulation.
We encourage global governments to align their approaches with those taken in these key areas. This will ultimately ensure that cyber incident notification results in meaningful, consistent improvements to cybersecurity.