The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires companies operating in critical infrastructure sectors to report covered cyber incidents within 72 hours of their reasonable belief that a cyber incident has occurred, and to report within 24 hours after a ransom payment. Critical infrastructure sectors, as defined in a 2013 presidential policy directive, include financial services, telecommunications, information technology, healthcare, energy, and others.
The U.S. Securities and Exchange Commission has stepped in with its own efforts to improve disclosures around cybersecurity risk management and governance, including a proposal for companies to report cyber incidents that have been deemed material within four days of the incident.
The SEC maintains that swift reporting would “significantly improve the timeliness of cybersecurity incident disclosures, as well as provide investors with more standardized and comparable disclosures.” In our industry, however, determining whether the incident really rises to the standard of materiality is not a straightforward endeavor.
With the pressure of classifying the incident correctly, we as an industry need to find a formula to quickly determine what “material” means. Experiencing an incident of high importance does not necessarily mean its impact is material.
Take a pharmaceutical company, for instance. If someone working for the company deliberately, or even inadvertently, discloses information that will affect the stock, like the failure of a clinical trial, and the stock plunges as a result, that is clearly a material incident. There is no room for debate.
On the other hand, say a company has a ransomware attack. This is a high-impact event, and it may instinctively lead to a rush to report it. But what if the organization was able to recover quickly, operations were not interrupted, and, as far as was known, no information was compromised?
Some determinations are very easy; others are less so, especially when the time frame for reporting is so short. We want to avoid putting our organizations in the public realm by publishing reports prematurely. On the other hand, keeping our mouths shut and crossing our fingers hoping for the best is obviously not a strategy, either.
“The plain truth is that many CISOs don’t understand materiality,” Malcolm Harkins, a fellow at the Institute for Critical Infrastructure Technology think tank, said in an April report.
The purpose of materiality, Harkins said, is to ensure that accurate and relevant information is relayed to investors and shareholders so they can make informed business decisions and understand the business’s performance.
Harkins has identified three primary types of impact an incident can have: financial, brand and societal. He looked at these types of impact through the lens of the infosec triad of availability, confidentiality, and integrity, and created a matrix to explore impact.
Cybersecurity leaders need a matrix of this sort, a framework to help us determine quickly whether an incident is material or not. It will not guarantee everything, but it would give us a good starting point for performing due diligence.