Four key areas worth clarifying in CIRCIA reporting requirements
Jim Guinn, II
Americas Cybersecurity Leader | Partner | Consulting Advisor | Board of Directors HLSR | Amateur Equitation | Serious Angler | @jimmy_guinn on @X
Many of the CISOs I have spoken to have deep concerns about the reporting requirements mandated by the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law over two years ago. And with over 12,500 cybersecurity and IT risk professionals, my organization is on the front lines of parsing these rules and fielding client questions about them.
Cybersecurity is undoubtedly one of the most important topics facing our nation. It is the No. 1 or No. 2 topic on the agenda of every public company’s board of directors because it affects their business operations, our national security, our economic security, and public health and safety. Unfortunately, this CIRCIA reporting requirement, if implemented as written, can create even more complications for those in charge of cybersecurity incidents and for those who have a fiduciary responsibility for compliance.
Because of that, we have issued our own comments to the Cybersecurity and Infrastructure Security Agency (CISA) based on our observations, and I have outlined them below for your consideration. It is important to note that we also face another sort of risk when reporting requirements are too generalized or loosely defined to implement effectively, or when thresholds are so unclear that they trigger a glut of reporting that isn’t useful: the cost of time spent reporting rather than remediating during an active cyber event that requires response. Additionally, some sectors may face conflicting requirements across reporting regimes. Finding the right balance is tricky.
There are four areas worth focusing on as the rules are refined:
1. Harmonization and duplication
On its own, containing an active cyber situation can strain organizations. On top of that, they may face multiple incident reporting requirements, including, in the case of CIRCIA, a deadline to report the incident within 72 hours. We recommend designating CISA as the single US government entity to intake these reports and then disseminate them to other federal and non-federal groups as warranted, shifting the burden away from those confronting the most crucial initial days and weeks of response to a cyber event. The process for harmonization, deconfliction and coordination can be automated, with incidents in certain sectors immediately forwarded to the appropriate agencies and regulators.
2. Definitions and applicability
Organizations may struggle with knowing whether sector-based criteria will apply to them. Certain categories are broad, including “IT Entities,” “Critical Manufacturing,” “Wire or Radio Communication Services” and “Operationally Critical Support to Department of Defense.” We suggest that informational sessions be conducted at the state and local levels to help with transparency of the requirement. We also believe that sector-based organizations or industry trade groups should help answer questions by having their memberships engage with CISA for clarification. We also suggest that CISA personnel engage with potential covered entities in the working sessions.
Additionally, we suggest better clarity around what constitutes a “substantial incident.” Opinions about the potential impact or severity of an incident can diverge within an organization, as well as among external parties. And they can diverge within sectors as well: Company A might have a materiality or “substantial incident” threshold of $1 billion in losses while Company B’s is $100 million, although they operate in the same industry. We believe that a standardized, framework-based approach would be invaluable for classifying incidents and establishing what falls above and below “substantial incident.” (The National Cyber Incident Scoring System and Cyber Incident Severity Schema can be leveraged.)
3. Required reporting and content of reports
The immediate impact of a cyber event can be very hard to determine. It often takes up to a week to realize the extent of the impact. But, as outlined in § 226.8, organizations have 72 hours to issue their reports, at a significant level of detail. Because the incident response is generally still underway in the first 72 hours, the requested information may not be available, and organizations risk overstating or understating the impact of the event. We recommend reducing the level of detail or considering extending the deadline to 96 hours, which aligns with the SEC’s cyber disclosure rule and other regulations.
To reduce the time required to complete a report, a secure web-based intake questionnaire could be introduced; it could also help validate that an incident merits the “substantial” designation based on a score. Organizations could address a common set of categories and corresponding questionnaires, consisting of binary and multiple-choice questions, based on incident type. If affirmed as substantial, the initial incident report should minimize free-text entry to the extent possible, with subsequent information provided later as findings are established.
4. Preservation requirements
CISA also proposes retaining certain types of data in the wake of a cyber event, raising another question: are the requirements focused only on the fact-based findings of the forensic investigation, or also on matters of management’s opinion, hypotheses or other considerations? We recommend removing any such mandates related to threat actor tactics, techniques or procedures that might have led to the compromise but were not directly supported by the findings of the investigation. Additionally, many investigations can fall under privilege, given that the impacted entity may contract outside counsel to assist with the investigation. It is not clear whether CISA’s requirement could complicate this process.
In such a complex topic as cybersecurity, debate is essential — and so is clarity. Many of us can also cite problems with the status quo that these new rules will help to address. As ever, I encourage you to make your views known to CISA, if you haven’t already, so that we can move forward with confidence.
The views reflected in this article are those of the author and do not necessarily reflect the views of Ernst & Young LLP or other members of the global EY organization.
Head of Worldwide Partner Sales - CRN Channel Chief 2025 - Channel, Distribution, GSI, Big 4, VAR, Reseller, Service Provider & MSSP
7 months ago
Great job, EY! These are great recommendations. The simplicity of the first recommendation would greatly help customers and it would probably be the easiest to implement.
EY Cybersecurity CTO [Americas and Global] - Principal/Partner - Driving business value at the intersection of cyber and emerging technology; Advocate and supporter of Mission of Hope
7 months ago
Great stuff Jim and team! These four elements build on each other, and the need for clarity and harmonization at the early stages will drive better reporting outcomes aligned to CISA's intent.