This week's bulletin covers the new Cyber Security laws in America, how these incidents should be reported, and the organisations which could face the worst impact of a cyber security incident.
I have been looking through the BCT Certificate in Cyber Incident Management course materials, as I am going to have a discussion with Eamonn Keane who is delivering the next course. In the course, we use the Equifax hack from 2017 as a case study. One of the interesting parts of their response was that they waited 42 days before informing those who had their data breached and publicly admitted that a cyber incident had occurred. In the course, we contrast this with the UK's GDPR regulations which require organisations to inform the Information Commissioner's Office and those affected by the breach, within 72 hours. As I get cyber incident alerts every day, I have noticed that there have been new regulations in the USA on reporting cyber incidents, but until now I haven’t read into what they actually are. So I thought I would do some research and this is what I have learned so far.
State Data Breach Notification Laws
In 50 American states, plus the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, there are individual federal Data Breach Notification Laws which require immediate notification of those whose data has been compromised. If the data was encrypted, then notification is not required. In different states, there are different levels of breaches, between 500-1000 individuals' information, which need to be reported to the state Attorney General. In some states, the law permits delayed notification "if a law enforcement agency determines that it would impede a criminal investigation”. The first state to have this type of law was California in 2003 and all states have, on the whole, followed the basic tenets of their law. Presumably, as law enforcement was involved in the Equifax cyber incident, they could use this as a reason not to inform those whose data had been breached.
Cyber Incident Reporting for Critical Infrastructure Act
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was the first federal cyber breach notification act which was signed into law on the 1st of March 2022, by President Biden. The Act itself does not define the notification requirements, but requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring certain designated organisations to report cyber incidents and ransomware payments to the CISA. At present, the exact requirements are being developed and CISA is running a number of public listening sessions. From the signing of the Act in March 2022 it is likely that it will take between 18-24 months before the requirements have to be complied with.
Public listening session will focus on the following definition of terms:
- Covered entity
- Covered cyber incident
- Substantial cyber incident
- Ransom payment
- Supply chain compromise
The sessions are also looking for details on:
- What constitutes a “reasonable belief” that a covered cyber incident has occurred
- How reports on covered cyber incidents and ransom payments should be transmitted to CISA
- How the 24-hour post-ransom payment timeframe should be measured
- How third-party entities can be engaged to submit required reports on behalf of covered entities
From my reading these are the likely requirements of the Act:
- Substantial cyber incidents, that need to be reported, that are likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health, and safety of the people of the United States, as determined by the Secretary of the Department of Homeland Security.
- The bill will only affect organisations that provide critical national infrastructure in the USA. They are likely to be the 16 critical infrastructure sectors whose “assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof”.
The sectors are:
- Emergency services
- Financial services
- Government facilities
- Information technology
- Commercial facilitates
- Critical manufacturing
- Defence industrial base
- Food and agricultural
- Healthcare and public health
- Nuclear reactors, material and waste
- Water and wastewater systems
3. The impacted entities will be required to report a cyber incident within 72 hours to the CISA.
4. If an organisation providing critical infrastructure pays the ransom this must be reported within 24 hours of the payment.
5. The reporting to the CISA will not be a one-off reporting, as the bill sets out that supplemental reports must be provided when substantial new or different information becomes available, until the entity notifies CISA that the incident has concluded and been fully mitigated and resolved.
6. A final requirement of the bill states that entities covered “shall preserve data relevant to the covered cyber incident or ransom payment”. Exactly what ‘relevant data’ means is yet to be determined within the legislation, but is likely to include log files, network traffic, and preservation of any impacted host or server in the state it was in at the time of the incident.
This seems like a step forward, but when compared with our own GDPR rules, then this law only applies to critical infrastructure, so there will be a huge number of organisations not covered by the law. This is more about reporting to the CISA and for them gathering data to be able to stop or deal with later attacks rather than protecting those whose data has been breached. I haven’t seen anything which covers any penalties for failure to report an applicable cyber incident.
U.S. Securities and Exchange Commission (SEC) Proposed Rules
The SEC has published proposed rules to enhance and standardise disclosures regarding cybersecurity risk management, strategy, governance, and cyber security incident reporting by public companies. They have proposed amending Form 8-K which is used to inform invested-in US listed companies of events which may be of importance to shareholders or the SEC. The new requirement is for the company to inform the SEC within 4 business days after the company has experienced a material security incident. This is different to other notifications, such as GDPR, in that the company has four days from finding the incident material rather than from when it was discovered.
The SEC does not define a new standard for materiality in the proposed rules for cyber security incidents, but rather indicates that companies should assess “materiality” based on historical case law. The SEC also stated that companies “need to thoroughly and objectively evaluate the total mix of information, taking into consideration all relevant facts and circumstances surrounding the cybersecurity incident, including both quantitative and qualitative factors, to determine whether the incident is material”. The SEC also notes specifically in the proposed rules that an ongoing investigation (whether internal or external, including by law enforcement) does not justify a reporting delay of a cyber security incident that is material.
The following information would have to be supplied to the SEC:
- When the incident was discovered and whether it is ongoing
- A brief description of the nature and scope of the incident
- Whether any data was stolen, altered, accessed, or used for any other unauthorised purpose
- The effect of the incident on the company's operations
- Whether the company has remediated or is currently remediating the incident.
Federal Bank Regulators
On November 23, 2021, the federal banking agencies published a final rule (the Rule) that imposes new notification requirements on banking organisations and bank service providers, following significant cyber security incidents. Under the Rule, certain banking organisations are obligated to notify their primary federal regulator promptly, and not later than 36 hours, after the discovery of a “computer-security incident” that rises to the level of a “notification incident”.
The reporting requirement is for an organisation covered by The Rule that has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours. The time is short so that the agencies are in a position to more quickly and effectively understand the potential impact of an incident, as well as the actions that may be required to protect affected organisations and avert systemic problems. The Rule applies from 1 May 2022.
A “computer-security incident” is defined under the Rule as an event that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.
A “notification incident” is defined as a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organisation’s:
- Ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business
- Business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value
- Operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States
The more I read, the more I found new regulations which I felt should be included. As far as I believe these three later regulations are the only federal regulations covering the reporting of cyber incidents for the whole of the USA. The Cyber Incident Reporting for Critical Infrastructure Act and the U.S. Securities and Exchange Commission (SEC) proposed rules are still to be finalised, but the Federal Banking regulations are already in place. As there is a myriad of industry, as well as state reporting requirements, if your organisation is carrying out business in the states as part of your cyber incident playbook, you need to have the details of a firm of lawyers who can check that you have complied with the required regulations.
The following sources were used to provide information for this bulletin.