CIOReview, April 2023
IN MY OPINION

CIRCIA'S LOOMING IMPACT ON NETWORK SYSTEMS
By Gene Forrest Price, Partner, Attorney, Member of the Firm, Frost Brown Todd

A lot of challenges have been thrown at CIOs since the beginning of this decade. It began with the most IT-stressing epidemic in world history: millions and millions of people trying to work from home at the same time. That was followed in 2021 by a 100%+ increase in ransomware attacks, and with ransomware payments rising to a historic record average of $570,000, cyber insurance became more expensive and harder to acquire. Federal cybersecurity and privacy regulations and guidance went into overdrive, with many federal agencies wading deeper into the IT compliance arena. California and other states issued privacy regulations because of Congress' inability to pass a comprehensive privacy bill.

All these and other challenges often made it difficult to be proactive with enterprise solutions for corporate systems. With more executives paying attention to cybersecurity headlines, many discussions suddenly focused on how events could affect a company, and less on investments in the enterprise solutions needed to keep the company competitive.

The good news is that there will be opportunities in 2023 for CIOs to take advantage of the most significant of these events to drive home some security-related enterprise solutions they believe their companies need. That event is the long-awaited federal cybersecurity bill called the Cyber Incident Reporting for Critical Infrastructure Act of 2022, better known as CIRCIA. Enforcement of CIRCIA is subject to new regulations that have not yet been issued, but it begins no later than 2025, perhaps next year. It is time to plan investments in cybersecurity architectures, policies, and incident response plans. Understanding where your data is stored, how it is transported, how it is protected, and who it is going to outside your IT enterprise will be more vital than ever to ensure reporting readiness under the new law.

Although the full scope of its four W's (who, what, when, where) has not been established, we do know enough to begin preparing.

Who Must Report?

Businesses designated as "covered entities" must report. These will likely consist of the 16 critical infrastructure sectors defined by Presidential Policy Directive 21. In the private sector, these should include (but are not limited to) chemical, commercial facilities, communications, critical manufacturing, the defense industrial base, emergency services, energy, financial services, food and agriculture, healthcare, information technology, transportation, and water and wastewater systems. The new regulations will refine this list, but to stay on the safe side, presume your business will be subject to CIRCIA.

What Does a Covered Entity Report?

Covered entities will be required to report "covered cyber incidents" and ransom payments made to resolve ransomware attacks. What comprises a covered cyber incident is not yet fully clear, but indications are that it will include negatively impactful events:

· Substantial loss to confidentiality, integrity, and availability of information systems, or serious impact to safety and resiliency of operational systems