This is a post that I wrote for Claroty and is available on their website at: Don’t Call it an Incident–Yet: Managing Liability in a New Era of Incident Reporting and Compliance | Nexus (nexusconnect.io)
When a cyber crisis strikes, a call about a potential cybersecurity issue comes in to a company’s incident response (IR) team. An initial triage is done, and if the company needs to respond, an incident is declared, teams are convened, and the relevant players jump on a conference call to begin coordinating the response. With more than a dozen incident notification laws in effect around the world, it is time for Chief Information Security Officers (CISOs) and IR teams to think about the consequences of declaring an incident: timing is everything.
Incident reporting and notification regulations have been growing in number, driven by a concern that governments lack visibility into the impact of incidents in critical infrastructure. The SolarWinds compromise is a prime example of why we now have the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA): the government wants to know what is happening, and often as quickly as possible. That is why reporting windows range from as little as two hours to as long as 72 hours, which creates real challenges for response teams that are still trying to understand an attack in its first hours and days.
The government call for incident reporting is not new; the EU and Australia began requiring incident notification in 2018. But 2023 was a year of dramatic change in this space. The EU expanded its incident notification regulation, and the Securities and Exchange Commission (SEC) flexed its muscle last summer when it required publicly traded companies to file public disclosures within four business days of determining that a cybersecurity incident is material. In the next few weeks, the Cybersecurity and Infrastructure Security Agency (CISA) will release its Notice of Proposed Rulemaking (NPRM) for CIRCIA, which will shape the final implementation of incident reporting for critical infrastructure in the US.
Declaring the Incident: Starting the Clock
For cybersecurity teams, these notification regimes and timelines present a challenge. The formal declaration of an incident, particularly in writing, now sets a series of legal obligations in motion and may start the notification clock. Once an incident is formally declared, companies must be on the lookout for facts or elements that trigger reporting, such as “attacks or incident affecting digital payment systems” (India: 6 hours), critical cyber incidents that must be reported “as soon as practicable, and in any event within 12 hours” (Australia), or a ransomware payment that must be reported within 24 hours (U.S.: CIRCIA).
As a result, incident response teams should think about how they initiate investigations and which legal regimes generally apply to the products and services the company offers. A company’s IR lead should engage counsel early for events that appear to be on a growing trajectory. That allows attorneys to assess whether notification obligations may apply, whether there are sufficient facts to declare an incident as defined in the relevant law, and whether the incident is material to the company as a matter of law. If the lawyer and the IR team agree that one of the many incident notification regimes may be triggered, the lawyer can then work with the data available to begin preparing the initial filing within the time the regulation allows, which can be as short as two hours in some circumstances. In most cases, multiple reports will be filed as the facts become clearer.
Make Legal a Part of Your Standard IR Team
Going forward, every IR team will need a cybersecurity lawyer who monitors the event and assesses whether the facts are sufficient to declare a legal incident and begin formal cyber incident notifications or reports. That lets the IR team focus on uncovering the technical narrative without the additional burden of determining whether a report is required in multiple jurisdictions against a range of definitions and requirements. The lawyer will also need to work with the communications team on the challenge of external messaging for customers and the public. That messaging needs to be consistent with what is provided to regulators, and with what the government relations team tells senior government officials who become engaged through public reports. Given the frenetic nature of any cyberattack, being clear about when a company moves from triage to incident will be important to managing overall risk and response.
In addition, companies will need attorneys with deep cybersecurity expertise to review response plans and ensure that there are clear processes and timelines for meeting these new legal and regulatory requirements. Those attorneys will also need to think through how to balance incident notification and reporting obligations with privacy and breach notification requirements, law enforcement engagement, and the other legal considerations that arise during incidents. For publicly traded companies, this legal expertise becomes essential when incident reporting includes filing a Form 8-K with the Securities and Exchange Commission, signed by an officer of the company or the CISO.
Stay Grounded in Reality
Companies cannot delay declaring an incident by remaining in a triage and investigatory holding pattern. What they can do is be intentional about the declaration, so that when the clock starts they are ready to use every minute. Being more deliberate about whether an event is an incident, or whether an incident is material to the company, does not change the fact that the threat still needs to be investigated and understood, and that the technical teams still need to assess the risk to the company and its customers. Privacy and data breach notification regimes have had similar reporting requirements for several years. That cyber is finally catching up should not be a surprise, but an opportunity for companies to fine-tune their IR processes and prepare to respond quickly when a true crisis occurs.