Failing to Report Cybersecurity Incidents: Fines Coming?
Should the federal government fine organizations, possibly including MSSPs and their customers, for failing to report cybersecurity incidents?
The top three U.S. cybersecurity officials apparently think so. But exactly what sort of penalty may emerge has yet to take shape. In a hearing of the Senate Homeland Security and Governmental Affairs Committee last week, Jen Easterly, who directs the Cybersecurity and Infrastructure Security Agency (CISA); Chris Inglis, the National Cyber Director; and, Federal Chief Information Security Officer Chrisopher DeRusha all endorsed the federal government enforcing incident reporting requirements with fines. (via The Hill)
While fines are among the penalties lawmakers and security officials are considering for skirting cyber incident reporting requirements so is subpoena power. “My personal view is, [subpoena authority] is not an agile enough mechanism to allow us to get the information that we need to share as rapidly as possible to prevent other potential victims from threat actors, so I think we should look at fines,” Easterly said, as The Hill reported. Providing timely threat information to other organizations at risk from cyber attacks is “absolutely critical to help us raise the baseline and protect the cyber ecosystem,” she reportedly said.
DeRusha and Inglis also backed some level of enforcement to urge cyber incident reporting to the federal government. Many U.S. states already have reporting requirements in place and “enforcement mechanisms,” said Inglis. “We of course don’t want to impose an unfair burden on the victims, but this information is essential for the welfare of the whole,” he said.
Familiar Theme: Penalties for Failed Cyberattack Disclosures
At their nomination hearings both Easterly and Inglis made it clear that they support imposing minimum reporting standards on critical infrastructure outfits and private companies to notify the federal government of cyber incidents. A mandate of that sort would include MSSPs and their customers. There is no such reporting requirement right now on any type of entity at the federal level.
Also at issue is the amount of time government agencies, critical infrastructure operators and contractors, including MSSPs, should have to report a breach to federal security authorities without potentially incurring fines. Pending U.S. legislation is focused on a 24-hour breach disclosure policy but a new draft bill extending the breach disclosure deadline to three days has gained traction among private industry and technologists. The updated bill would allow companies suffering a security breach the often needed time to assess the incident before reporting it to the CISA.
A law mandating organizations report cyber incidents to the federal government is not only gaining steam from top cyber officials but also from lawmakers. Any legislation involving cyber incident disclosures could influence how MSSPs, MSPs and MDR (managed detection and response) service providers work and communicate with their customers and the government.
Senate Homeland Security and Governmental Affairs Committee Gary Peters (D-MI) and ranking member Rob Portman (R-OH) are drafting legislation that would require critical infrastructure companies to share details with the CISA if/when the infrastructure companies make ransomware payments, Peters said. “This requirement will ensure CISA and other federal officials have better situational awareness of ongoing cybersecurity threats, who those targets are, how the adversary is operating, and how best to protect the nation,” he said.
Last May, Senator Mark Warner (D-VA) advocated for new legislation that would require private sector companies to report cyber attacks to the federal government. And, a month earlier, top U.S. intelligence officials pressed Congress to propose measures to require private industry to share security breach information and other threat information to the federal government.