Darkreading.com reported that “When President Biden signed the omnibus spending bill Tuesday, he also put the bipartisan Cyber Incident Reporting Act into effect, which requires critical infrastructure companies in the 16 industry sectors identified by the federal government to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours if they are experiencing a cyberattack and within 24 hours of making a ransomware payment.” The March 16, 2022 article entitled “What the Newly Signed US Cyber-Incident Law Means for Security” included these comments from Tom Kellermann (head of cybersecurity strategy at VMware) that “It’s a game changer”:
It’s a fundamentally important strategic decision made by the federal government to finally eliminate the plausible deniability that had existed for far too long. …
Corporations have [for some time] underinvested in cybersecurity because they could always maintain plausible deniability.
Kellermann argues that the new law will force companies to hire a CISO, give that person a budget, and provide detection response oversight.
Companies need to show that they are taking this seriously,…
They will either have to hire a CISO, or if they already have one, promote the CISO and make sure they have veto authority over the CIO.
The general counsel will also have to become more familiar with privacy and cyber laws.
They will need to work hand-in-hand with the CISO in their information-sharing efforts in public-private partnerships with the ISACs and working with CISA.
Given the shortage of CISOs this may be a challenge!