Centralized Cyber-Incident Reporting Can Improve Effectiveness

COMMENTARY

UnitedHealth CEO Andrew Witty addressed separate hearings in the Senate and House on May 1 to testify about the devastating Change Healthcare cyberattack in February that affected millions of Americans and incurred nearly $1 billion in costs. 

While promising to fix glaring security flaws — such as the lack of multifactor authentication (MFA) on the Change Healthcare portal — Witty also said UnitedHealth supports "standardized and nationalized cybersecurity event reporting" as part of efforts to strengthen the country's national cybersecurity infrastructure.

Considering that cyber-incident reporting regulations abound worldwide, frequently even overlapping, this part of his testimony drew no real pushback. The big question, however, is: How realistic is this? 

Companies and other organizations face an ever-expanding set of regulatory and reporting standards, depending on their operations and the data they handle, from the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) and the EU General Data Protection Regulation (GDPR) to Security and Exchange Commission rules to the Health Insurance Portability and Accountability Act (HIPPA) and many others. In all, there more than 200 regulations that could apply, many of them with increasingly shorter reporting deadlines — and some of them with teeth in the form of fines, penalties, and even prosecutions. 

When a company has a cybersecurity incident, it would be very beneficial to have one central place to report, rather than reporting to a host of applicable regulatory bodies. In its September 2023 report, "Harmonization of Cyber Incident Reporting to the Federal Government," the Department of Homeland Security (DHS) recommended the creation of a single portal to "streamline the receipt and sharing" of information. That central reporting location could then provide the necessary information to other regulators.

The best prospect for such a seamless reporting system lies in something that's been in existence for eight years: the National Cyber Incident Response Plan (NCIRP).

The NCIRP Could Centralize Cyber Reporting

The NCIRP, now mandated by the Biden administration's National Cybersecurity Strategy, is currently being updated to better address evolving threats, as well as to promote cooperation among the private sector, regulators, federal agencies, interagency partners, and state, local, tribal, and territorial (SLTT) governments, as well as other entities. The Cybersecurity and Infrastructure Security Agency (CISA) plans to release the update before the end of the year.

The NCIRP will follow four principles:

The goal of NCIRP is to provide a framework for cyber incident coordination. Making it a central location for reporting and a repository for other regulatory bodies would simplify reporting for companies and other organizations, making full compliance more likely.

Companies Need to Change Their Approach

Companies, meanwhile, need to do their part, starting with implementing a robust program for cybersecurity response and reporting that focuses on operationalizing responses that emphasize transparency. This might seem obvious, but it runs counter to the way many companies have operated.

For one thing, it's rare that anyone uses the paper-based incident response plans they've created when dealing with an incident. Generally, these plans tend to be high-level documents that provide only an overarching view of a process. Plans that go into more depth often are so overly detailed and long that trying to follow them usually is not practical in an emergency. It is the equivalent of pulling out an encyclopedia when your house is on fire. Instead, people go with their gut, with what they've done before, and as a result, with many other stakeholders involved, it becomes chaotic.

For another thing, being transparent about incidents is a new concept in the industry. For legal reasons, the traditional approach was to minimize documentation of incidents to avoid creating additional liability — don't write anything down, communicate only by phone, and make sure as few people as possible know about an incident. New reporting regulations are changing that. Now, companies face greater potential liability if they don't report openly or create an audit trail. It is essential that companies can demonstrate that they handle cyber incidents quickly, effectively, and responsibly.

Companies need to wake up and embrace the new era of transparency. They need a comprehensive program that ensures teams are doing the right things at the right time and that they are showing their work. When looking at incident response preparedness, they must recognize that a plan is not a program and should focus on how to operationalize their response as part of a practiced procedure that is digitized. In doing so, they will more easily be able to provide regulators, and ultimately their customers, with the information they need so that they can take any necessary actions to protect themselves.

Transparency and Collaboration Can Protect Companies

Fostering transparency and creating audit trails will allow companies to meet their new shared responsibilities and the goal of better information sharing and collaboration, which are also part of the new national strategy. Regulators will then be able to use the notification requirements to help coordinate a collective response.

A unified system with a central reporting location also could help provide companies with a safe harbor against liability charges if they've acted transparently and in good faith. Government regulators could be clearer about this. For example, CISA says that information delivered in a timely manner won't be used against a company, but some companies are worried that the SEC could use notifications to launch an investigation. A central reporting location could establish clear rules regarding the consequences of breaches, while still holding companies accountable for their cybersecurity.

Creating one centralized reporting system for all government incident reporting is the most straightforward way to support transparency, collaboration, and improved security throughout the industry. And as the threat landscape grows, it will become an increasingly critical component for any successful collective national cybersecurity strategy.