PYMNTS Intelligence Banner June 2024

Industry Groups Push Back Against Federal Cyber Incident Reporting Requirements

If digital transformation is at the forefront of innovation, then cybersecurity is at the forefront of digital transformation.

As the world goes digital, security-critical sectors like healthcare, finance and more are finding themselves increasingly vulnerable to cyberattacks.

With the news that the Cybersecurity and Infrastructure Security Agency’s Cyber Incident Reporting for Critical Infrastructure Act is set to go into effect next year, several infrastructure providers across sectors including healthcare and utilities, among others, have used the extended public comment period to push back against the new regulations aimed at bolstering America’s cybersecurity posture.

The proposed regulations mandate that organizations within critical sectors, including healthcare, report significant cyber incidents to CISA within a 72-hour window. Additionally, ransomware payments must be reported within 24 hours. The move is designed to enhance the collective defense against cyber threats, allowing for a more coordinated response to incidents that could potentially disrupt essential services.

CISA is concerned that the agency isn’t learning about cyberattacks in a real-time fashion, which makes it challenging to warn other companies about known vulnerabilities as well as to help victims within the relevant window. In a video, CISA Executive Director Brandon Wales stressed that the proposed mandated reporting is “not so we can hold people accountable, but so we can use that information for the benefit of the overall cybersecurity ecosystem.”

However, the proposal has been met with mixed reactions from various stakeholders.

A Call for Enhanced Cybersecurity Reporting and Collaboration

One of the more prevalent concerns threaded throughout the public responses to the proposal was around the definition of which organizations are required to report incidents, as well as what incidents themselves are required to be reported.

Regarding the businesses that qualify, CISA indicated that it would follow the government’s sector-specific guidelines for critical infrastructure and adhere to a system that uses a federal measurement for what is considered a small business.

The National Retail Federation, an industry trade group, argued in its public letter that retail cyberattacks have little impact on national security and public safety, and so the businesses it represents should be fully excluded. The Enterprise Cloud Coalition also expressed concern about the proposal’s requirement for third-party service providers to report incidents.

Other industry groups highlighted in their comments that CISA’s definition of a “substantial cyber incident” could be ambiguously interpreted and potentially lead to inconsistencies in reporting and compliance.

The Workgroup for Electronic Data Interchange, an advisor on health IT, said it “strongly supports the intent of CIRCIA” but also shared concerns regarding the practicality of the proposed timelines for reporting incidents. WEDI argued that the 72-hour window may not provide healthcare entities with sufficient time to accurately assess and report an incident without compromising their ongoing response efforts.

Concerns around the reporting timelines were echoed by the College of Healthcare Information Management Executives and the Association for Executives in Healthcare Information Security.

CISA did not immediately reply to PYMNTS’ request for comment.

See also: Scaling Effective Cyber Hygiene Throughout Your Business

The Cyberthreat Attack Surface Is Growing

The proposed requirements come against a backdrop where cyberattacks are happening with greater frequency and impact.

HealthTech company HealthEquity suffered a data breach that was announced Wednesday (July 3), while a patient affected by another “data security incident” involving Pennsylvania-based health system Geisinger filed a class-action lawsuit against the company.

In other cybersecurity announcements, news broke Thursday (July 4) that OpenAI was hacked last year, raising security fears at the artificial intelligence company. Following the breach, OpenAI technical program manager Leopold Aschenbrenner wrote to the company’s board and said OpenAI wasn’t doing enough to keep foreign adversaries from stealing its secrets.

“Identity theft, phishing and data breaches have all become more prevalent,” Mike Storiale, vice president of innovation development at Synchrony, told PYMNTS in February.

PYMNTS Intelligence found that 82% of eCommerce merchants endured cyber attacks or data breaches in the last year, with 47% of these companies saying the breaches led to lost revenue and lost customers.

Meanwhile, cyber insurance premiums are declining around the globe.