20 Oct, 2022

A proposed rulemaking would require operators of critical infrastructure, like the natural gas pipeline shown above, to report cyber incidents within 72 hours.
Differences between state and federal reporting requirements threaten to confuse or slow down cyber preparedness and recovery efforts of U.S. organizations, according to panelists at a recent cybersecurity conference in Washington, D.C.
Two federal agencies are proposing new deadlines on reporting requirements. The Cybersecurity and Infrastructure Security Agency is working on a rulemaking requiring critical infrastructure companies to report incidents to stakeholders within 72 hours. Meanwhile, a proposed Securities and Exchange Commission rulemaking sets a slightly longer deadline, requiring publicly traded companies to report incidents within four days.
Both of those time frames are much shorter than the 30-plus-day window required under various state laws, said Brittany Bacon, a partner at Hunton Andrews Kurth LLP's cybersecurity and privacy practice, speaking at Mandiant Inc.'s mWISE conference Oct. 18. The proposed three- or four-day deadlines are also potentially unrealistic expectations for private sector companies, Bacon said.
Preparing for attacks on critical infrastructure means consulting with in-house counsel, company board members, and private cybersecurity vendors as well as cybersecurity insurance providers before an incident occurs, panelists said. The different reporting requirements make preparation and response protocols more complicated.
"What we don't want is in the middle of an incident to be overwhelmed by the administrative part of reporting [an attack] while we're trying to recover from it," said Anthony Souza, CenterPoint Energy Inc.'s director of cybersecurity and enterprise architecture.
To mitigate risks, organizations, especially critical infrastructure, must understand what critical components could be exposed to attacks and engage with regulators for guidance, panelists said.
David Wong, Mandiant's vice president of consulting, suggested tabletop exercises, where organizations shut down systems to simulate cyberattacks and practice recovery procedures, as another method to prepare.
Souza from CenterPoint would like to see more resources devoted to the space.
"Critical infrastructure impacts all of us, it's something we take for granted," Souza said. "And there's never enough people to work on it."