In a new congressionally mandated report, DHS acknowledges the overlap and duplication in cyber incident reporting requirements that critical infrastructure sectors face.
In a new report, the Department of Homeland Security assessed more than 50 existing and proposed federal cybersecurity incident reporting requirements with an eye to ironing out duplicative, confusing and overlapping rules.
The document from the Cyber Incident Reporting Council at DHS highlights "challenges to harmonization of these requirements" and looks to develop a model reporting structure with common data elements for regulated companies.
The report, titled Harmonization of Cyber Incident Reporting to the Federal Government, was mandated under the Cyber Incident Reporting for Critical Infrastructure Act of 2022.
Current cyber reporting requirements are derived from a "patchwork" of regulations and laws, according to the report, which identifies "significant variation" in requirements across the 16 critical infrastructure sectors. For example, in the financial services sector, the report identifies eight separate agencies with regulatory oversight that have cyber incident notification requirements.
The report notes that "agencies with cyber incident reporting requirements typically have their own reporting mechanisms and methods for ingesting reports. As a result, reporting entities that are regulated by more than one agency are required to submit multiple reports while potentially managing and responding to an incident and its immediate impact."
DHS developed eight concrete recommendations: adopting a model definition of reportable cyber incidents; developing reporting timelines and triggers; providing notifications for potentially affected covered entities; evaluating the feasibility of implementing a cyber incident reporting model; streamlining the model and existing reporting mechanisms; incorporating supplemental upgrades and reviews; adopting common terminology across agencies; and increasing agency coordination.
DHS also supported legislative changes, including removing statutory barriers to harmonization, funding incident data sharing, and improving clarity around Freedom of Information Act disclosures related to cyber incidents. In the past, companies have expressed concern that trade secrets could be disclosed in records released to FOIA requesters.
“The efforts of the CIRC are at the beginning, not the end,” the report concludes.