Locks and Security News: your weekly locks and security industry newsletter
30th October 2024 Issue no. 727
Your industry news - first
We strongly recommend viewing Locks and Security News full size in your web browser. Click our masthead above to visit our website version.
Comment: Is the CISA's new cyber incident reporting rule too excessive?
The Cybersecurity and Infrastructure Security Agency's cyber incident reporting draft rule is facing significant pushback from trade groups and lawmakers.
The rule would mandate critical infrastructure entities to make cyber incident and ransomware disclosures within a 72- and 24-hour period, respectively, but has been reported by many as going too far.
Dr Ilia Kolochenko, CEO at ImmuniWeb and Adjunct Professor of Cybersecurity at Capital Technology University, commented:
“The proposed CISA incident reporting rule, when applied to critical national infostructure (CNI) entities, does not appear to be excessive or disproportionally burdensome. 72 hours is a reasonable timeframe – for a CNI – to file a first report about an incident.
Moreover, in some cases like purposely destructive cyber-attacks backed by foreign nation states, the effect of such attack on a CNI is so tangible that it can make national news headlines within minutes. To compare, in India, many companies – not just CNIs – are now required to notify Indian CERT (CERT-In) within 6 hours after detecting an incident. Likewise, many data protection laws around the globe have similar 72-hour deadlines for incident reporting.
Having said this, the pivotal question here is whether CISA has sufficient resources to adequately and timely review and respond to the avalanche of incident reports. Piling up the reports to gather dust on CISA’s bookshelves will bring from little to no value, moreover, it will waste already limited CISA’s human and operations resources that could be better invested. So, the key question is what happens once a report is filed and what CISA can do to minimize harm, prevent future attacks, or help apprehend the attackers.”
More on the story here: https://www.scmagazine.com/brief/new-cisa-incident-reporting-draft-rule-deemed-excessive
15th May 2024