There are new governmental regulations to be aware of in case your enterprise suffers a cyber incident.
The Strengthening American Cybersecurity Act, which was signed into law by President Joe Biden on March 15, puts into place a $1.5 billion government funding bill to help with virtual reporting measures. These new cybersecurity guidelines stemming from the law will force businesses to report if they are affected by hacking and ransomware payments. This new law aims to continue the Biden administration’s effort to make both the public and private sectors better defended online.
The act, composed of three separate bills, requires critical infrastructure organizations to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of a substantial cyberattack. Organizations making ransomware payments would also be required to report the incident to CISA within 24 hours, and any business that does not report an attack may be subpoenaed by CISA. CISA will have up to two years to publish a notice in the Federal Register soliciting suggestions on how to put the new law into action.
“With the SEC, FDIC, and the U.S. government all proposing or passing cybersecurity incident reporting requirements, there’s a clear trend and focus on the value of rapid disclosure,” said Tim Erlin, vice president of strategy at Tripwire. “Tight timeframes for reporting incidents will drive increased visibility into incidents as they are occurring, but we should all be prepared for the inevitable disappointment in how little we know about an incident in the first 36, 48, or 72 hours. The emphasis on timely reporting should be coupled with requirements on completeness of investigations. If we want greater transparency into incidents, we need both faster and better reporting.”
The move towards cloud-based technologies was another focus of the new law after several ransomware attacks, as the act attempts to streamline how critical infrastructure operators and the government respond to cyberattacks going forward.
The industries most affected by the passing of this law are expected to be:
- Commercial facilities (hotels, arenas, convention centers, commercial real estate)
- Critical manufacturing (machinery, electrical equipment, transportation equipment)
- Defense industrial bases
- Emergency services
- Financial services
- Food & agriculture
- Information technology
- Nuclear reactors
- Water and wastewater systems
How does this affect businesses?
Just one example of an industry that may be affected by the passing of this bill is businesses within the energy market. These enterprises have already seen the potential effects of being hacked in the Colonial Pipeline attack last May. In that instance, a malicious group used ransomware to extort cryptocurrency in exchange for returning control of the pipeline to the Colonial Pipeline Company, which had to pay a ransom of $4.4 million before control was restored.
Another factor is the impact on businesses further down the supply chain, not only on the enterprise that suffers the attack. With the Colonial Pipeline hack, it was not just the pipeline and its operator that felt the effects: businesses further down the supply chain, such as gas stations and airports, were affected by the lack of oil flowing from the pipeline.
Another aspect that businesses must consider is what constitutes a “substantial” cyberattack as outlined in the act. With a more robust reporting process, there will be an increase in the number of cyberattacks reported by the media, says Paul Furtado, senior research director at Gartner.
“The bill applies to federal civilian agencies and industries deemed to be critical infrastructure. Critical infrastructure industries make up a large percentage of the US economy,” said Furtado. “The bill impacts these organizations regardless of size or revenue. Once the bill is passed into law we may see a surge of ransomware incidents reported in the media. People need to understand that the wave of new reports doesn’t mean we are under a greater volume of attacks, but rather will highlight the fact of how many of these attacks historically have gone unreported.”
To help with this, Furtado says that scaling up and adding detail to incident response, so that it meets the new governmental requirements, will be key, along with intensive monitoring of systems to prevent potential future attacks.
“CIOs and security leaders will need to update existing incident response plans to reflect the new reporting requirements,” Furtado said. “Additionally, executive management needs to be educated on the new legislation and the impact to the business should they be the victim of a ransomware attack. Outside of the additional regulatory notification requirements, companies should continue to implement [constant] security monitoring and preventative tools to mitigate the risk of ransomware taking hold in their organization.”
With many different industries potentially falling under the umbrella of this new bill, many organizations will want to strengthen not only their security controls to prevent attacks, but also their reporting processes to remain in compliance with the bill.