New reporting requirements for cyber breaches — what you need to stay compliant

reporting

It’s no secret that our rapidly-aging Congress are often well behind the times technologically speaking. That said, they actually have made some fairly substantial progress on the cybersecurity front legislatively. So much so, actually, that companies are having to completely rethink their entire defense posture in light of new legislation; specifically, with new reporting requirements from both the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Securities and Exchange Commission (SEC), businesses must navigate a more complex regulatory environment than ever before.

I recently had the opportunity to speak with Jenifer McIntosh from Stinson LLP — she offered invaluable insights into these evolving requirements. Here’s what businesses of all sizes in Texas need to know:

New Cybersecurity Reporting Requirements

The proposed CISA reporting requirements are part of a broader effort to bolster national cybersecurity defenses. According to McIntosh, “The US Securities and Exchange Commission (SEC) proposed rules requiring publicly traded companies to report cybersecurity incidents, their cybersecurity capabilities, and their board’s cybersecurity expertise and oversight to the SEC.”

This means that businesses must establish robust reporting capabilities. Under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), entities must report cyber events within tight timeframes — 24 hours for ransom payments and 72 hours for other cyber events. This requirement makes silent ransom payments virtually impossible, aiming to increase transparency and accountability. It also means that consumers or customers of companies won’t be kept in the dark for months after a data breach occurs… which we’ve seen time and again over the last few years.

McIntosh explains, “Under SEC rules, all publicly traded companies must disclose ‘material’ cyber incidents to the agency within four days of discovery, as well as any immaterial incidents which collectively become ‘material.’ They must also report incident and defense information to their investors and shareholders in their annual reports, requiring board members to understand the company’s cybersecurity position.”

Implications for Texas Businesses

The implications of these new rules are far-reaching. Given the sheer size of the business community in Texas, these regulations necessitate a significant overhaul of existing cybersecurity protocols. The scope of the CIRCIA rules is broader than any state or existing Gramm-Leach-Bliley Act (GLBA) reporting requirement thus far. They aren’t limited to breaches of personal data but rather encompass any event leading to substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network.

What Businesses Need to Do

For many Texas businesses, especially small and medium-sized businesses (SMBs), these requirements might seem daunting. However, they also represent an opportunity to strengthen cybersecurity frameworks and enhance resilience against cyber threats. Here are some steps businesses should consider:

  1. Establish Robust Reporting Mechanisms: Ensure that your organization has the capability to report cyber incidents promptly and accurately. This includes setting up systems to detect and log incidents, as well as training staff to recognize and respond to potential threats.
  2. Enhance Board Oversight: Boards must be well-versed in the company’s cybersecurity posture. This involves regular briefings on cybersecurity risks and strategies, and ensuring that cybersecurity expertise is present at the board level.
  3. Conduct Regular Cybersecurity Audits: Regular audits can help identify vulnerabilities and ensure compliance with the latest regulations. These audits should be comprehensive, covering all aspects of the company’s information systems and networks.
  4. Invest in Cybersecurity Technologies: From advanced firewalls to intrusion detection systems, investing in the latest cybersecurity technologies can provide an additional layer of defense against cyber threats.

The Role of Managed Service Providers (MSPs)

Given the complexity of these new requirements, many businesses might find it challenging to comply without external assistance. This is where Managed Service Providers (MSPs) like Leverage Technologies come in. MSPs can offer the expertise and resources needed to navigate these regulations, ensuring that your business stays compliant and secure.

At Leverage Technologies, we specialize in helping businesses manage their cybersecurity needs. From setting up robust reporting mechanisms to conducting regular audits and providing state-of-the-art cybersecurity technologies, we can help your business meet the new reporting requirements with confidence.

Don’t let the new cybersecurity regulations overwhelm you. Contact Leverage Technologies today to learn how we can help your business stay ahead of the curve and secure against cyber threats.