Industry Calls for Longer Cyber Incident Reporting Timeline
Cybersecurity companies and industry groups asked lawmakers to give organizations at least 72 hours to report cyber breaches to the federal government as opposed to the 24-hour deadline outlined in a Senate bill circulating in Congress.
Calls for an extended cyber incident reporting timeline were raised during a hearing on a new cyber notification bill introduced by Reps. Yvette Clarke and John Katko, The Hill reported.
Ron Bushar, vice president and global government chief technology officer at FireEye Mandiant, told lawmakers that a reasonable amount of time is needed to properly assess cyberattacks and limit reporting of false positives and redundant or contradictory information.
John Miller, senior vice president of policy and general counsel at the Information Technology Industry Council, said during his testimony that legislation should allow for reasonable reporting timelines commensurate with incident severity levels.
“Requiring an entity to report an incident on a shorter timeline may be insufficient for companies to determine the nature of the issue – is it a cyberattack or is it merely a network outage,” Miller testified.
Heather Hogsett, senior vice president of technology and risk strategy at the Bank Policy Institute’s Technology Policy Division, argued that three days is enough to give firms sufficient time for investigation and implementation of response measures.
According to Hogsett, efforts during the initial stages of an incident response should not be spent completing compliance paperwork.
The push for reporting cyber incidents comes as the U.S. government hopes to stem the tide of major cybersecurity incidents like the SolarWinds Orion hack and the ransomware attack on Colonial Pipeline.