“A lot of the real details are going to have to be worked out in the process of formulating,” said Christopher D. Roberti, Senior Vice President of Cybersecurity Policy, Intelligence, and Supply Chain at the American Chamber of Commerce.
The law requires the cybersecurity agency to work with companies as it defines the rules, so business leaders will have a say in how the law should be applied.
Cyberattacks disrupted operations at major US businesses last year, including JDS Foods, a meat supplier, and Colonial Pipeline, an East Coast fuel supplier. Both attacks interfered with Americans’ ability to obtain essential supplies and created urgency for lawmakers to act.
Senators Gary Peters, a Michigan Democrat, and Rob Portman, an Ohio Republican, who authored the incident reporting law, said the legislation would help companies like JDS Foods and Colonial recover more quickly after such attacks. The cybersecurity agency should be able to provide them with guidance and assistance during the recovery process.
Delayed disclosure has been costly for companies. In 2018, Yahoo had to pay a $35 million fine for not disclosing a 2014 hack in time, and executives could find themselves facing criminal charges, as in the case of a former Uber executive who has been charged with obstruction and fraud in the handling of a 2016 data breach at the ride-hailing company.
“We have heard from companies in the last year or so that the incident reporting landscape is inconsistent and inconsistent,” said Courtney Lang, senior director of policy at the Information Technology Industry Council. “With the way the cybersecurity landscape has evolved, there are threats that need to be addressed. To some extent, we think that incident reporting can provide useful information that can help form specific responses.”
While similar rules are being considered in Europe and by other federal agencies in the United States, company leaders hope that the new federal law will serve as a model for lawmakers and officials at other government agencies, allowing companies to avoid the mess of overlapping incident reporting requirements.