In a move to strengthen cybersecurity defenses against threats, the Biden administration signed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) into law on March 15, 2022, as part of the Consolidated Appropriations Act, 2022.

In short, this act requires operators of critical infrastructure to tell the federal government about significant cyber incidents rather than keeping them quiet, in what can be seen as a united stand against cyberthreats, especially as tensions with Russia escalate.

What is the Cyber Incident Reporting for Critical Infrastructure Act of 2022?

This new cybersecurity law requires covered entities to report covered cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA). A covered incident must be reported within 72 hours of the entity reasonably believing it has occurred, and any ransomware payment must be reported within 24 hours of the payment being made. These obligations take effect once CISA completes the rulemaking the act directs it to carry out, which is where the details of who is covered and what must be reported will be settled.

The act applies to covered entities in the 16 critical infrastructure sectors defined in Presidential Policy Directive 21, sectors considered so vital that any threat to or destruction of them would have a serious effect on national economic security and public health. The sectors include government facilities, IT, healthcare, energy, and transportation, to name a few.

What would be classed as a cyber incident?

CISA has not yet published the definition of a "covered cyber incident"; that will come through rulemaking. The act does set a floor, though: the definition must at minimum cover incidents that cause a substantial loss of confidentiality, integrity, or availability of a system, or a serious impact on the safety and resiliency of operational systems; incidents that disrupt business or industrial operations, including through ransomware or exploitation of a zero-day vulnerability; and unauthorized access or disruption caused by a compromise of a cloud, managed service, or other third-party provider, or by a supply chain compromise. An organization should therefore assume that any event of this kind will need to be reported.

What does this mean for businesses?

What's important to note is that, in addition to the reporting duties, the act gives CISA enforcement powers. If CISA believes a covered entity has failed to report an incident or a ransomware payment, it can issue a request for information and, if the entity does not respond, a subpoena; a refusal to comply with the subpoena can be referred to the Department of Justice for civil enforcement. Companies therefore need the logging, monitoring, and incident response processes that let them recognize a reportable incident and meet the deadlines, and they need to strengthen their defenses to reduce the chance of having an incident to report in the first place.

So what can one expect from this act, and what does it mean for companies? Let's dive in!

1. Centralized repository of information

What this law brings to the table is increased visibility and actionable insight into major cyberattacks, which can be turned into effective defense strategies. Previously, many companies did not report the important details of attacks they suffered, mostly out of concern about liability and about sensitive information being disclosed. This, of course, worked in favor of the attackers: the less companies know about attacks on their peers, the more vulnerable they are. The act addresses the concern directly by shielding compliant reports from being used as the basis for lawsuits and exempting them from public disclosure under freedom-of-information requests.

With the mandated reporting of covered incidents and ransomware payments, CISA will be able to build a centralized repository of this information. CISA can share it with other federal agencies, such as the FBI and the Department of Justice, and use this wealth of knowledge to help businesses come up with a defense strategy against similar attacks.

2. Heightened security infrastructure

The broader purpose of this act is to strengthen organizations' defenses against cyberthreats and so minimize the risk of data breaches. It pushes the 16 critical infrastructure sectors mentioned previously, and private companies more generally, to take a hard look at their security posture.

The White House released a fact sheet in March 2022 detailing what businesses can do to counter the threat of cyberattacks, including the following best practices.

  • Enable multi-factor authentication, so that a compromised password alone is not enough to gain access; passwords are routinely compromised.
  • Deploy endpoint detection and response tools to spot malicious activity on hosts and contain it quickly.
  • Encrypt data so it cannot be used if it is stolen.
  • Have a skilled, empowered security team in place.

3. Continuous reporting

Under the Cyber Incident Reporting for Critical Infrastructure Act of 2022, the initial report is not the end of the obligation: companies must promptly submit supplemental reports whenever substantial new or different information about an incident becomes available, until they notify CISA that the incident has concluded and been fully mitigated and resolved. Because the time frames for the initial report and for the findings that follow it are short, it's imperative that companies review their security posture and ensure they have the right tools in place for effective, continuous reporting.

Following the rapid increase in cloud usage, the growing number of data breaches alarmed users and companies alike. Regulators responded with privacy laws such as the General Data Protection Regulation and the California Consumer Privacy Act to ensure user and enterprise data is protected.

Since user and enterprise data is a valuable asset, implementing a sound security strategy to protect it has become a key component of business operations. At the same time, the growing body of cybersecurity regulation means businesses must comply with these laws both to protect themselves from data loss or tampering, whether internal or external, and to avoid the substantial fines that can be imposed on organizations found to be non-compliant.

Most data privacy and security regulations require continuous logging and monitoring for timely threat detection and data protection, and an incident reporting regime like CIRCIA depends on the same capability: an organization cannot report within 72 hours an incident it cannot detect. Companies therefore invest in a unified SIEM solution to protect their sensitive data and to provide the evidence that they have done so when meeting their compliance requirements.



© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.