TLDR:
- The new CISA incident reporting draft rule would require critical infrastructure entities to disclose cyber incidents within 72 hours and ransomware attacks within 24 hours.
- Trade groups and lawmakers argue that the draft rule increases burdens on smaller organizations and on CISA itself.
In a recent report by CyberScoop, the Cybersecurity and Infrastructure Security Agency’s (CISA) draft rule for incident reporting has been met with criticism from trade groups and lawmakers. The rule would require critical infrastructure entities to disclose cyber incidents within 72 hours and ransomware attacks within 24 hours. While the rule aims to bolster cyber awareness, concerns have been raised about the potential burdens it could place on smaller organizations and on CISA.
During a hearing of the House Homeland Security’s cybersecurity subcommittee, groups suggested that the more extensive requirements of the draft rule should be aligned with existing reporting regulations. Rep. Eric Swalwell emphasized the need to ensure that the rules do not unfairly burden small and medium-sized businesses that may not be relevant to the incident reporting requirements.
Bank Policy Institute’s Heather Hogsett raised concerns about the potentially overwhelming volume of reports that could result from the new rule, and Edison Electric Institute’s Scott Aaronson pointed out the data security challenges faced by CISA, especially in light of recent attacks against the agency.