CIOReview
April 2023

· Disruption of business or industrial operations
· Unauthorized access or disruptions by third parties
· Numbers of people impacted, and
· Impacts to industrial control systems.

Not only will impacts be reportable, but also ransomware payments, including:

· Descriptions of ransomware attacks, including date ranges
· Vulnerabilities, tactics, techniques, and procedures used in ransomware attacks
· Contact information related to the attackers believed responsible
· Information about the company making the payment or on whose behalf it was made
· Ransomware amount demanded, type of currency, or another commodity requested
· Ransomware payment instructions, including where payment was sent, and
· The date and amount of payment(s).

When Must Covered Entities Report?

The rule will require a covered entity to report covered cyber incidents (whether known or based on reasonable belief) within 72 hours and ransomware payments within just 24 hours.

Where Does a Covered Entity Report?

Reports go to CISA (Cybersecurity and Infrastructure Security Agency), but CIRCIA disallows litigation and some regulatory claims based on reports if written solely for statutory compliance. CIRCIA grants exemptions from freedom-of-information requests and provides limited attorney/client privileges. Legal guidance here, as with other CIRCIA issues, should come from company counsel, but CIOs should be prepared to discuss what goes in the required reports once the reporting extent is known.

What Could the Four W's Mean for Your Business?

CIRCIA includes incidents involving industrial control systems. Many CIOs have little to do with company operational technology networks, but usually have some oversight where the demilitarized zone network boundaries meet company operational network systems. Who will be responsible for reporting incidents in that area should be predetermined.

Understanding tactics, techniques, and procedures will almost certainly require logging. Logging is not done automatically on many networks, but it is invaluable when it comes to fighting through a ransomware attack. Reporting vulnerabilities could be embarrassing for a company, such as weak passwords when multi-factor authentication is a widely accepted improvement over passwords alone.

New Company Procedures

Companies regarded as being within any of the critical infrastructure sectors could be required to implement monitoring and investigate suspicious activity that could lead to discovering reportable incidents. Investing now in tools and procedures that ensure accurate understanding of an attack will not only help compliance, but help protect and defend your networks.

It will be a while before CIRCIA's final rulemaking is complete and we know Who will be responsible to report What to Whom, and When. But it will be upon us before we're ready unless we start thinking now. Understanding where your data is stored, how it is transported, how it is protected, and who it is going to outside your IT enterprise will be more vital than ever to ensure reporting readiness under the future enforcement of CIRCIA.