Executive and Board Engagement Key in Building an ECRM Program that Eliminates Burdens and Ensures Success
In March 2022, the U.S. Congress passed new legislation that will directly impact how healthcare, public health, and other agencies manage cybersecurity and incident response.
Through the Strengthening American Cybersecurity Act (SACA), all critical infrastructure entities and certain federal civilian agencies will be required to report “substantial” cyber incidents directly to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
The final, approved version of the bill draws upon three other bills: the Cyber Incident Reporting for Critical Infrastructure Act, the Federal Information Security Modernization Act, and the Federal Secure Cloud Improvement and Jobs Act.
Through the Strengthening American Cybersecurity Act, healthcare and public health entities must report any significant cyber incident to CISA within 72 hours. Also, if a healthcare entity makes a ransomware payment, the organization must report that payment to CISA within 24 hours.
In addition to healthcare and public health, other sectors of critical infrastructure affected include:
- Chemical
- Commercial facilities
- Communications
- Critical manufacturing
- Dams
- Defense Industrial Base (DIB)
- Emergency services
- Energy
- Financial services
- Food and agriculture
- Government facilities
- Information technology
- Nuclear reactors, materials, and waste
- Transportation
- Water and wastewater systems
The Act may require certain information sharing to help increase coordination between federal agencies. That may include information such as:
- Incident cause
- Incident scope and scale
- Incident impact
- Response, recovery, and remediation activities
- Effectiveness of response, recovery, and remediation activities
- Lessons learned
The Act may also drive more rapid adoption of cloud-based technologies through the Federal Risk and Authorization Management Program (FedRAMP) over the next five years. FedRAMP is a government-wide program that promotes the adoption of secure cloud services across the federal government. Based on the NIST SP 800-53 security controls, FedRAMP offers a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services, and addresses the elements unique to cloud computing.
Formalizing Requirements
The Office of Management and Budget is expected to publish a notice of proposed rulemaking within two years of enactment, in consultation with the Department of Justice and the Sector Risk Management Agencies. Within 18 months of issuing that notice, the final rule should be ready for publication.
When the final rule is issued, it should outline which organizations are expected to be in compliance, taking into consideration several areas including how a cyber event could disrupt or compromise an entity, and how it may impact national security, economic security, or public health and safety.
The finalized guidance should also include information about the likelihood a covered entity might be targeted by a threat actor, as well as how an incident might disrupt critical infrastructure operations.
The regulations should also further define exactly what will be considered a “substantial” cyber event, including information about what organizations must include in their reports to CISA about cyber incidents and ransom payments.
According to the Act, some of the factors that may constitute a “substantial cyber event” could include:
- An incident that leads to a substantial loss of confidentiality, integrity, or availability of an information system or network, or a serious impact on the safety and resiliency of operational systems and processes.
- Disruption of business or industrial operations, including due to a denial-of-service attack, ransomware attack, or exploitation of a zero-day vulnerability, against:
  - an information system or network; or
  - an operational technology system or process.
- Unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, or by a supply chain compromise.
These requirements will also take into consideration the sophistication and novelty of attack methods, as well as the type, volume, and sensitivity of affected data; how many individuals are directly, indirectly, or potentially affected; and the impacts on industrial control systems.
The Strengthening American Cybersecurity Act will also guide information that may be required in the incident reports to CISA. For example:
- Incident description
- Identification and description of all information systems, networks, or devices that could be affected
- Description of unauthorized access as it relates to substantial loss of the confidentiality, integrity, or availability of the affected systems, networks, or operations
- Estimated incident date range
- Operational impact
- What the exploit was and which security controls were in place
- Tactics, techniques, and procedures attackers used
- Any available contact or identifying information about the attacker
- Categories of information subject to unauthorized access
- Relevant agency contact information
Similar information will be required in the ransomware reports. For example:
- Description of the ransomware attack
- Estimated date range of the attack
- Methods, techniques, and vulnerabilities used in the attack
- Identifying and contact information from the attackers
- Who made the payment and on whose behalf it was paid
- Relevant agency contact information
- Date of ransom payment
- Ransom demand (for example, type of virtual currency)
- Ransom instructions (for example, where to send it)
- Amount paid
In addition to the initial reporting requirements, the Act also specifies that organizations will be required to update or supplement reports if at any time substantial new or different information is available. Also, if an entity reports an incident and then later makes a ransomware payment, the organization must update or supplement the initial report.
In cases where an entity experiences a substantial cyber incident and makes a ransomware payment within the initial 72-hour incident reporting requirement, then the organization may be able to submit only one report that meets both incident and ransomware reporting requirements.
What’s interesting is that at least for now, there doesn’t appear to be clear direction about what might happen to organizations that fail to comply with the final rule once it’s issued. For example, what might happen if an organization doesn’t make a report during the required timeframe? What if a report is inaccurate or incomplete?
There is some language, however, indicating that in some cases CISA may directly request information about a potential incident or ransomware payment and may issue a subpoena if the entity does not respond. Non-compliance with a subpoena could then lead to a referral to the Justice Department and related actions, such as contempt proceedings.
Other Agencies, More Requirements
In addition to upcoming requirements from the Strengthening American Cybersecurity Act, other agencies are also stepping up their expectations regarding cybersecurity and risk management requirements.
In fact, around the same time that U.S. President Joe Biden signed the Act into law, the Securities and Exchange Commission (SEC) announced plans to amend its rules related to cybersecurity, including cyber incident reporting requirements for public companies.
Why the changes? According to SEC Chair Gary Gensler, cybersecurity is an emerging risk, and investors want more information about how public issuers manage those risks. Gensler said that, if adopted, the proposed amendments would strengthen investors’ ability to evaluate public companies’ cybersecurity practices and incident reporting.
The proposed changes would:
- Require reporting of material cyber incidents within four business days after a company determines it has had an incident, including:
  - When it was discovered and whether it is ongoing
  - A description, including its nature and scope
  - Whether data was stolen, altered, accessed, or used for unauthorized purposes
  - The incident’s effect on operations
  - Whether the incident has been remediated or is currently undergoing remediation
- Require updates on previously reported cyber incidents
- Require periodic disclosure of policies and procedures for cyber risk identification and management
- Require information about governance, including the board of directors’ role in cybersecurity risk oversight
- Require information about management’s role and relevant expertise in assessing and managing cyber risks and implementing related policies, procedures, and strategies
- Require board members to disclose whether they have any cybersecurity expertise
- Require cybersecurity disclosures in annual reports
It’s worth noting that the proposed amendments specify that the analysis of whether a cyber incident is “material” should evaluate all relevant facts and information from both a quantitative and a qualitative perspective.
Some examples of incidents that may be material include:
- An incident that compromises the confidentiality, integrity, or availability of an asset, or violates the company’s security policies or procedures. This could include accidental data exposure or a deliberate attack.
- Unauthorized access resulting in degradation, interruption, loss of control, damage to, or loss of operational technologies.
- Unauthorized access resulting in the theft or alteration of sensitive business information, personally identifiable information (PII), intellectual property, or other information that could result in a loss or liability for the company.
The SEC is receiving comments about the amendments through May 9, 2022.
Adopting a Risk Focus
While CISA works through the details of the Strengthening American Cybersecurity Act and the SEC waits for comments on its proposed amendments, now is the time to take some important steps to strengthen your cybersecurity practices and decrease the chance of a cyber event. Taking these steps now will help ensure your organization is on the right path when the new rules go into effect.
There is a push at federal and state levels for organizations to adopt a risk-based approach to their programs. Beyond mandates and regulations, understanding cyber risk is an organizational necessity. Without it, patients, staff, and providers are all at risk as healthcare organizations continue to serve as one of the biggest targets for cyberattacks.
While you can’t eliminate the threat, you can be strategic in identifying your greatest risks and vulnerabilities, understanding how such an event would impact your organization, and improving your risk posture across the organization.
What is an enterprise cyber risk management (ECRM) program?
An enterprise cyber risk management (ECRM) program includes all of the policies, processes, resources, and tools your organization uses to identify and address cyber risks that threaten your organization across your entire enterprise.
But where do you get started? How do you know which components you’ll need to build the most effective and adaptable ECRM program for your organization? How will you get the support you need to effect real change, rather than getting stuck at the drawing board and never moving your risk management strategies from concept to reality?
If you’re planning to build an effective ECRM program, one of the most essential steps you can take is to ensure you have the support and backing of your executive leadership team and board of directors. Building these relationships now and strengthening your board and management team’s knowledge of cybersecurity and risk management may also help you prepare for the proposed SEC requirements.
While the following activities don’t require the direct involvement of your executives and board members, it’s important they understand what these activities are, why your organization needs them, and their role in ensuring these activities happen within your organization. For example, your board should play a role in:
- Identifying and prioritizing your organization’s unique risks
- Setting your organization’s risk appetite, which will serve as a foundation for your risk management decisions
- Making policies that govern risk management and risk treatment decisions
An ECRM program isn’t a one-and-done process; rather, an effective ECRM program is an ongoing journey that will need continuous support and feedback from your executives and board members.
As your executives and board members build their knowledge and involvement at a high level, they can ensure the organization has the tools, resources, and other support necessary for success. Your executives and key stakeholders are essential here because they have an organization-wide perspective and the authority needed to get your ECRM program up and running and to strengthen it over time.
If you’re not sure where to start, consider engaging a partner who can help you identify your unique set of threats, vulnerabilities, and risks, and develop a plan that addresses the specific needs of your organization and ensures you meet regulatory requirements.
If you plan to get started on your own, the NIST Cybersecurity Framework (CSF) offers solid guidance that can help you plan for and document what you’re going to do as you create and implement your ECRM program, including insight into the key components that will make up your ECRM. Not only are these industry-recognized best practices, but they’re available online at no cost.
When it comes to maturing your ECRM over time, make it part of your organizational culture. That means not just awareness of what ECRM is and why it’s important, down to the individual employee level, but also making it clear that improving your enterprise risk management practices over time is a unified team effort. You may find some helpful ideas in NIST’s resource, Building Cybersecurity Capability, Maturity, and Resilience.
Next Steps
Now that you understand more about cybersecurity risk management requirements, here are some additional actions you can take to establish, implement, or strengthen your ECRM.
- Formally define and document which framework and strategy your organization will use to develop your ECRM.
- Formally document and define the processes you’ll undertake to implement your ECRM.
- Formally define and document processes and plans to identify gaps in your ECRM and mature your practices over time.
- Consider engaging with a third party such as Clearwater to support you on your ECRM journey from concept through implementation, and along the way as you mature your program.
Have questions? Need help developing, implementing, or maturing an ECRM to help your organization meet new cybersecurity reporting requirements? Contact a Clearwater advisor today. We’ll be happy to help. Also, consider joining Clearwater Founder and Executive Chairman Bob Chaput for an ongoing video series about how to put cyber risk management into action. You can find a full list of all of the episodes in the ECRM series here.