Governance, Risk and Compliance, Government Regulations

Three ways to prepare for the upcoming CIRCIA cyberattack disclosure law

Secure By Design Pledge
Today’s columnist, Anthony Cusimano of Object First, points out that CISA published the CIRCIA rules for public comment this summer and the new law will go into effect next year. (Adobe Stock)

The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), set to go into effect next year, requires critical infrastructure organizations to report cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA).

The guidelines, as outlined by CISA, were open to public comment over the summer, and the resounding consensus was that many critical infrastructure companies don’t feel prepared to report cyberattacks within the 72-hour required window and ransomware payments within 24 hours.

The hours following a cyberattack are hectic, confusing, and overwhelming, with many often finding that hours can quickly turn into days. If organizations do not have a plan in place before an attack occurs, it’s difficult to coordinate internal efforts to report an attack and identify what needs sharing, all while simultaneously dealing with potential ransom demands, outages in operations, and general chaos.

As companies prepare for CIRCIA there are at least three steps they can take: engage a breach counsel, develop a plan of action should primary infrastructure be taken offline, and strengthen their backup infrastructure. These steps will help to ensure compliance with upcoming regulations while prioritizing business continuity.

  • Engage a breach counsel: Critical infrastructure companies will need a legal team that can offer guidance and advice in the case customer data becomes exposed during an attack. This team can help stay on top of regulations such as CIRCIA and the U.S. Securities and Exchange Commission (SEC)’s cybersecurity disclosure rules to ensure compliance and coordinate a legal response. Having a breach counsel offers a sense of calm and security during the storm – a group of people with experience in cyberattacks who bring a third-party perspective and can approach decision-making from an informed and impartial point of view.
  • Develop a plan of action: Create a response plan that all relevant stakeholders have access to and assign roles so that everyone knows what they should do following an attack, whether engaging other team members, handling external communications, or triggering a restore. One often overlooked step that can become a logistical nightmare if not considered in advance is how the team will communicate during a cyberattack lockdown. Threat actors may take systems offline, or internal teams may need to shut down systems to prevent further damage, preventing employees from being able to access corporate email accounts and directories. Find alternative methods of communication with colleagues, such as LinkedIn, so that everyone can stay in contact.
  • Strengthen the organization’s backup plan: It’s essential to have backups of any important documents that the company needs to access in the event of an attack, such as legal procedures, potentially impacted clients, and how to contact them. Backups are something that everyone cares about only when it’s too late. These backups are the star of the show following an attack, when they’re the last hope to recover essential company data, but are often glanced over during day-to-day prioritization. IT teams are likely already intimately familiar with the company’s backup infrastructure. Still, for effective and informed decision-making following an attack, leaders outside of the IT team also need to understand how they can restore data. Companies will want to avoid downtime as much as possible and keep core business functions running.

    • Start by identifying a Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RPO measures how often data gets uploaded from the primary network to the backup. The lower the RPO, the more up-to-date the backup, meaning there’s less data lost when it comes time to recover. RTO measures how long it takes to restore systems from the backup. Both objectives determine how much data the company can restore and how fast; crucial information that informs a post-attack strategy. However, it's nearly impossible to maximize resiliency without testing before an attack. While it’s desirable to shorten RPO and RTO, it’s not possible get there without running simulations and recovery tests. Conduct a staged restore or other test run to work out the kinks and optimize RPO and RTO to what works best for the business. Ensuring the content of the backups are protected and consequential, as cybercriminals now target backups to try to leave organizations without any option but to pay the ransom to get their data back. Immutable object storage ensures that data cannot be encrypted or deleted by anyone once it has been written, including employees and threat actors alike.

    Having a plan for what immediate actions to take following an attack and how to restore data to bring operations back up and running mitigates the disruption and confusion following an attack. This will make it much easier for companies to report breaches, cyberattacks, and ransom payments to the government, law enforcement, impacted customers, and other stakeholders faster -- and with more information.

    Anthony Cusimano, technical director, Object First

    Related

    US cyber progress potentially jeopardized by proposed State Department overhaul

    Significant strides made by the U.S. in combating international cybersecurity threats and forging digital collaborations with other nations were noted by cybersecurity experts and former officials to potentially be endangered by the Trump administration's plan to transfer the Bureau of Cyberspace and Digital Policy to another department and establish a new cyber threat-focused bureau as part of a State Department overhaul, reports Cybersecurity Dive.

    Related Events

    Get daily email updates

    SC Media's daily must-read of the most current and pressing daily news

    By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

    Related Terms

    Business Impact Analysis (BIA)British Standard 7799Chain of CustodyCompetitive IntelligenceData CustodianDue CareDue Diligence

    You can skip this ad in 5 seconds