Strengthening American Cybersecurity Act: What to Know and How to Comply


In the wake of the Russian invasion of Ukraine, the federal government is using every tool possible to deter and disrupt retaliatory cyberattacks against critical national infrastructure.

One such tool is the Strengthening American Cybersecurity Act, which the U.S. Senate passed unanimously on March 1, 2022. 

The sweeping legislation establishes minimum reporting requirements: critical infrastructure entities and federal civilian agencies would have to report any “substantial cyber incident” (regardless of whether data was breached) to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and any ransomware payment within 24 hours.

CISA’s definition of critical infrastructure providers is broad and includes the energy sector, financial services, commercial facilities, information technology, healthcare, transportation, chemical manufacturing, the defense industrial base, emergency services, and more.

The Act gives CISA the ability to subpoena any of these entities for a failure to report cyber incidents.

In this blog, we assess how organizations can prepare to comply with the Act’s reporting requirements and recommend best practices they can adopt to improve data collection and understand risk in real time.

Are organizations prepared to meet new cyber incident disclosure requirements?

To answer this question, Bitsight analyzed more than 12,000 publicly disclosed cyber incidents from 2019-2022. What we discovered is sobering and suggests that compliance with the Strengthening American Cybersecurity Act will be difficult to achieve.

Cyber incident discovery is a long, slow process. Incidents are typically disclosed after weeks and months, not hours or days. The average organization takes 105 days to discover and disclose an incident from the date it occurred – well beyond the 72-hour rule.

Notably, larger organizations discover incidents 30% faster than smaller organizations, but they are still slow. It takes them an average of 39 days to discover and 41 days to disclose an attack.

Perhaps most alarming is that high-severity incidents take twice as long to report. The average organization takes more than 70 days to disclose a moderate-, medium-, or high-severity incident compared to 34 days for low-severity events.

How organizations can gain a real-time understanding of their risk posture

New incident reporting laws are a critical step in mandating enhanced security performance, but organizations can do more to improve their security postures and reduce risk.

For instance, remediating vulnerabilities in a timely manner, reducing attack surface exposure, and implementing sound cybersecurity hygiene all measurably reduce the likelihood of a cyber incident, including ransomware.

A separate Bitsight study reinforces these observations. When we examined the security ratings of hundreds of organizations impacted by ransomware, we discovered that organizations with poor security hygiene (as reflected in a low/medium rating) were six times more likely to be a victim than those with higher ratings.

The study also showed that basic hygiene measures such as maintaining a regular patching cadence and configuration management can reduce ransomware risk. Entities that are slow to apply patches are seven times more likely to experience a ransomware attack. Furthermore, organizations with a low security rating for TLS/SSL certificates and configurations are nearly four times more at risk of a ransomware event than those with higher grades.

But as the digital landscape expands, discovering these cybersecurity gaps – before they are exploited – isn’t easy. Bitsight can help.

Using Bitsight’s continuous monitoring tools and data-driven insights, security teams can quickly discover hidden vulnerabilities – on-premises, in the cloud, and across geographies, business units, and remote locations – and take rapid steps to remediate issues.

The same tools can also be used to clearly communicate the organization’s cybersecurity performance to agency and business leaders so they can make more informed decisions about where investments and resources are needed.

Next steps

The Strengthening American Cybersecurity Act is a big first step in enforcing cybersecurity performance management to protect the digital economy and national infrastructure. But it’s not the only law being considered. The Securities and Exchange Commission (SEC) has announced a set of proposed rules that require financial services firms to disclose “material” cyber incidents within 48 hours of discovery.

In addition to stepping up monitoring, vulnerability management, and cybersecurity hygiene, organizations impacted by these new requirements should take steps now to improve awareness of disclosure obligations. They must also ensure their incident response plan includes a damage assessment process to determine incident materiality.

For more information about the new requirements and recommended actions, read: From Months to Minutes: Can New Regulations Accelerate the Cyber Incident Disclosure Process?