Reporting Cyber Incidents Within 72 Hours: Challenges AheadStanley Mierzwa of Kean University on Upcoming Reporting Requirements
Many critical infrastructure sector organizations, especially smaller entities, will likely struggle to comply with an upcoming requirement to report cyber incidents to federal regulators within 72 hours - due to an assortment of reasons, said Stanley Mierzwa of Kean University.
Many entities in the healthcare sector already appear to have difficulty complying with requirements to report major HIPAA breaches to the Department of Health and Human Services within 60 days.
So, a provision under the Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA, that calls for entities to report certain cyber incidents to the Cybersecurity and Infrastructure Security Agency in under three days will be a challenge for many organizations that will fall under the new requirements, Mierzwa said.
CIRCIA requires that CISA publish a draft notice of proposed rule-making before the end of March 2024, at which time covered entities will get more insight into the reporting requirement details.
President Joe Biden's National Cybersecurity Strategy Implementation Plan released on July 13 sets a deadline for the fourth quarter of fiscal 2025 for completion in implementing CIRCIA.
"The private sector, which could include smaller outfits, may struggle with this. They may not be able to know exactly what has transpired with an attack" within the reporting deadline, Mierzwa said.
In this interview (see audio link below photo), Mierzwa discussed:
- Top breach-reporting difficulties many organization face;
- Other potential challenges involving CIRCIA;
- Dilemmas involving the decision to pay - or not pay - ransoms to cyberattackers.
Mierzwa is the director of the Center for Cybersecurity at Kean University in Union, New Jersey, where he also lectures on foundations in cybersecurity and cyber risk management. Previously, Mierzwa headed application security at New York's Metropolitan Transportation Authority Police. Prior to that, he served as director of IT at the Population Council. His writing appears in over a dozen publications, and he is a peer reviewer for the Online Journal of Public Health Informatics.