On March 1, 2022, the Strengthening American Cybersecurity Act of 2022 (SACA) was unanimously passed by the US Senate. The legislation is a combination of three bills: Title I, the Federal Information Security Modernization Act; Title II, the Cyber Incident Reporting Act; and Title III, the Federal Secure Cloud Improvement and Jobs Act.
The focus of this alert is on SACA’s proposed cyber incident reporting obligations, which would require “covered entities” to report any cybersecurity incidents that have a reasonable likelihood of causing substantial harm to the United States economy or national security. Given the broad scope of this definition and the potential consequences for noncompliance, companies should begin preparing now for these new reporting requirements.
What You Should Know:
- The Strengthening American Cybersecurity Act will help protect the United States from cyberattacks.
- It is a bipartisan bill that passed the House of Representatives with a vote of 228-194.
- This legislation would provide funding for cybersecurity research and development, as well as voluntary information sharing between private sector companies and the Department of Homeland Security.
- It also requires DHS to create standards for securing internet-connected devices.
The Strengthening American Cybersecurity Act of 2022 creates the Office of Critical Infrastructure Protection within DHS, which will serve as the primary point of contact for critical infrastructure entities to share information about threats and incidents with the federal government.
“Currently, the government is fragmented and there are no open channels for communication from DHS to the private sector”, said Robert Giannini, Chief Security Officer and CEO of GiaSpace. The Strengthening American Cybersecurity Act of 2022 will help to close this communication gap and improve the visibility of cyber attacks across the private sector.
Key Provisions of SACA That Will Help to Improve Cybersecurity in America
The Strengthening American Cybersecurity Act of 2022 includes several provisions that are designed to improve cybersecurity in America. Some of the key provisions include:
- Requiring covered entities to report any cybersecurity incidents that have a reasonable likelihood of causing substantial harm to the United States economy or national security.
- Establishing a Cybersecurity Incident Review Board to coordinate the federal government’s response to major incidents.
- Providing liability protection for companies that share information about cybersecurity threats with the government.
- Strengthening the Department of Homeland Security’s (DHS) cyber incident response capabilities.
- Authorizing funding for DHS to carry out its cybersecurity responsibilities.
The passage of this legislation is a clear sign that the policy environment around cybersecurity is changing rapidly. Companies should take note of the reporting requirements and begin preparing now to ensure compliance. Failure to comply could result in substantial fines or other penalties.
Addressing Cybersecurity Threats
The Cybersecurity and Infrastructure Security Agency (CISA) has been established to help protect the US from cyber threats, with an emphasis on critical infrastructure sectors like energy or transportation systems that are vital for our nation’s safety.
Under this new bill, the Cybersecurity and Infrastructure Security Agency (CISA) will be tasked with assessing the cybersecurity risks faced by critical infrastructure providers. The goal of CISA’s assessments would be to identify vulnerabilities in an organization’s security posture, so that the organization can understand what type or level of threat applies to each vulnerability before making changes.
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the Act) requires critical infrastructure entities and civilian federal agencies to report any “substantial cyber incidents” they have experienced, as well as to provide details on how those attacks were prevented or what mitigation measures were taken, so that everyone can operate safely in this new digital world.
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 would require critical infrastructure entities and civilian federal agencies to report any “substantial cyber incident” within 72 hours to the Cybersecurity and Infrastructure Security Agency (CISA). Technijian founder Ravi Jain said, “I think this is good that they have a central agency, the CISA, that will house all cybersecurity incidents within 72 hours. Forcing sharing of information between federal agencies and allowing federal agencies to adopt cloud-based technologies that will help secure the data by forcing identity management for users to access that data.”
“This unprecedented, bipartisan package should be a great guideline by which communication is followed in the case of a cyber attack. Unfortunately, this is only applicable to critical infrastructure owner organizations or government agencies. I do believe and hope that private enterprises will shortly follow with similar types of requirements. Reporting requirements in the case of a cyber attack or ransom or payment are critical for the United States to be able to acquire information and respond accordingly”, said Ilan Sredni, CEO and President of Palindrome Consulting, Inc.
“Although I see a few hurdles to nail this down properly, I believe it is a great start. Not all organizations will report the incident or vulnerabilities in the same way. This will require additional resources both from the affected party and from the Cybersecurity and Infrastructure Security Agency (CISA) to manage and address all of these reports. Lastly, the private enterprise works very closely with infrastructure owners and operators and therefore becomes a very important piece of the security process”, Sredni continued.
How Will The Strengthening American Cybersecurity Act of 2022 Impact IT Companies?
In the past, there have been many instances where IT companies have not been required to report data breaches in a timely manner, if at all. This has led to serious consequences for both the companies and the clients involved. The Strengthening American Cybersecurity Act is a piece of legislation that aims to help protect both businesses and consumers from future cyber attacks.
“This will require all companies to be responsive in reporting any cyber security breaches to the government as they occur within 24 to 72 hours and any additional issues as they occur. This will put a strain on many companies to first identify a breach and classify it properly to report it. Larger companies can afford to have a staff or external IT consultant or managed service provider monitor and help in detecting and reporting these incidents quickly and efficiently”, said Anthony Buonaspina, BSEE, BSCS, CPACC, CEO and Founder of LI Tech Advisors.
He continued, “However, many small companies don’t have the luxury and finances to afford an IT staff or even a managed service provider. They also don’t have the technical knowledge or services deployed to be able to detect and effectively remediate breaches. Many times a cyber security breach can put a smaller company completely out of business.”
The Strengthening American Cybersecurity Act of 2022 would require IT companies and other companies to take several steps to improve their cybersecurity posture and address data breaches. Among other things, the legislation would:
- Establish national standards for cybersecurity practices.
- Require companies to have a written policy on how they will respond to a data breach.
- Create a federal standard for data breach notification.
“What I say needs to happen, along with these new government guidelines and reporting requirements, is that the government also needs to help fund the necessary services to not only avoid having a breach in the first place but help fund the remediation as well as assist to strengthen their internal cyber security infrastructure. A good approach might be to offer small and medium-sized businesses an incentive in the form of tax reductions for them to use those funds to strengthen their internal cyber security infrastructure and employee training”, Buonaspina said.
When asked whether it is fair that companies that do everything in their power to protect themselves from cyber breaches can still be hit with fines and resource burdens, ultimately making them more vulnerable than ever, Buonaspina said:
“If a company shows that they’ve done all that is possible to fortify their defenses and they still get a cyber breach, they should be exempt from any fines that might be imposed and should be offered resources to allow them to recover from their breach. 50% of all businesses have been breached and the other 50% have been as well but just don’t know it yet. Even with the deepest moats and the highest walls, a company or organization can still be breached, especially with a targeted attack. It’s not just about how to prevent and avoid a breach but also how to recover after it and I believe the government should help with both.”
The Strengthening American Cybersecurity Act is a response to the growing threat of cyberattacks, which have become increasingly sophisticated and expensive. In recent years, companies have been the target of high-profile attacks, such as the 2017 Equifax data breach, which exposed the personal information of 145 million people. The Act is a step in the right direction to protect businesses and consumers from cyberattacks. However, it remains to be seen how effective it will be in practice. Cybersecurity is a complex issue, and the Act is just one piece of a larger puzzle.