A group of 17 tech-sector and other trade groups urged House and Senate leaders in an August 27 letter to adopt a 72-hour window for cyber incident reporting in any legislation they take up on the issue.
The trade groups' bid for a 72-hour reporting window contrasts with the 24-hour cyber incident reporting window contained in Senate legislation introduced in July.
The Cyber Incident Notification Act of 2021 was introduced by Sens. Mark Warner, D-Va., Marco Rubio, R-Fla., and Susan Collins, R-Maine, following this year’s spate of cyber attacks, including a supply chain-driven attack against IT management firm SolarWinds, and a ransomware attack on Colonial Pipeline.
In their letter to lawmakers including Sens. Warner, Rubio, and Gary Peters, D-Mich., who chairs the Senate Homeland Security and Governmental Affairs Committee, the trade groups, including the Information Technology Industry Council and the Internet Association, pushed back against the shorter reporting window and suggested a reporting deadline of "no less than" 72 hours.
“Cybersecurity incidents are crisis moments for victim organizations,” the groups said. “To ensure that the Cybersecurity and Infrastructure Security Agency (CISA) and its interagency partners receive actionable information on truly significant incidents, it is essential to give incident responders time to evaluate the intrusion to determine its impact.”
“Shorter timelines also greatly increase the likelihood that the entity will report inaccurate or inadequately contextualized information that will not be helpful, potentially even undermining cybersecurity response and remediation efforts,” the tech and trade groups said. “A formal report on a verified, significant incident should not preclude less-fulsome notifications to CISA on a more flexible timeline.”
The groups also asked lawmakers to weigh, "at a minimum," four other principles as they consider the legislation:
- Limiting incident reporting regulations to “verified incidents and intrusions” rather than “potential incidents or near misses”;
- Limiting reporting obligations to “victim” organizations, rather than third-party vendors or providers;
- Harmonizing Federal cybersecurity incident reporting requirements; and
- Ensuring confidentiality and nondisclosure of incident information provided to the government.
“Our industries recognize the value of public-private collaboration facilitated by mutual sharing of actionable information on significant cybersecurity incidents and intrusions with federal agencies,” the groups said.
“Incident Reporting legislation pending in Congress, when harmonized with the requirements of Section 2 of President Biden’s Executive Order on Improving the Nation’s Cybersecurity, has the potential to improve the nation’s cybersecurity posture if appropriately developed and implemented,” they said.