Federal agencies seek to streamline 'hodgepodge' of cyber reporting rules
The law will require companies to report cyber incidents within 72 hours and flag paying a ransom within 24 hours.
(Bloomberg) — The Department of Homeland Security wants Congress and other federal agencies to help it streamline 52 different cyber reporting requirements to protect critical infrastructure and ease regulatory burdens on hacking victims. On Sept. 19, 2023, it released a 107-page report that it hopes will serve as a road map to smooth that process.
More than 30 federal agencies and departments, including the Nuclear Regulatory Commission, Comptroller of the Currency and U.S. Secret Service, have met since June 2022 to hammer out how to reduce regulatory overlap as the federal government grapples with the messy state of cyber reporting rules. They are among the members of the Cybersecurity Incident Reporting Council, which was set up under a new cyber reporting law passed last year and which developed the report's recommendations.
“Everybody is desperate for some harmonization and standardization here,” Robert Silvers, DHS’s under secretary for strategy, policy and plans who chairs the council, told Bloomberg News in an interview. “This is a first-of-its-kind effort.”
Federal agencies know well that cyber reporting requirements have become “too much of a patchwork,” Silvers added. There are already 45 existing reporting requirements administered by 22 federal agencies, spanning national and economic security concerns to consumer and privacy protections, according to the report. Seven more requirements are expected, including the reporting law that created the council, and a further five are under consideration, according to the report.
That “hodgepodge” is burdensome on industry and confusing, he said.
The report maps out the existing byzantine set of rules. Among the report’s eight recommendations is a new model form to standardize reporting breaches, which Silvers said any agency could potentially adopt and share. It also suggests making clearer reporting definitions and timelines and creating a single web portal to report an incident.
But there will be limits to eradicating multiple reporting lines.
The law passed last year will eventually require companies to report cyber incidents within 72 hours and flag paying a ransom within 24 hours, providing what Silvers described as a “sea change in federal visibility into serious cyber incidents.” Still, timelines will vary.
Some agencies already require notice of reportable cyber incidents “immediately,” “at once,” “promptly” or, in the case of the Department of Energy, within “one hour,” according to the report. The Transportation Security Administration gives 24 hours.
Silvers described the recommendations as “a starting point,” saying things would improve over time.
Secretary of Homeland Security Alejandro Mayorkas said in a statement that he would work with Congress to implement the recommendations, arguing they would provide “needed clarity.”
But the pursuit of clarity has limits too. One of three legislative fixes the council is seeking from Congress is to exempt both mandatory and voluntary cyber incident reporting data from public disclosure under the Freedom of Information Act. Government officials have argued that companies will only feel comfortable reporting what are sometimes embarrassing or damaging breaches if they remain private.
Copyright 2024 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.