The Senate Homeland Security and Governmental Affairs Committee released a 51-page report on ransomware attacks and payments, along with a recommendation for the Cybersecurity and Infrastructure Security Agency (CISA) to employ regulatory powers granted to the agency in order to require reporting of ransomware attacks and payments. CISA has issued estimates indicating that only 25% of ransomware attacks and payments in the U.S. are reported to regulatory agencies.
Currently, only attacks on critical infrastructure in the United States are required to be reported to CISA: incidents must be reported within 72 hours, and ransomware payments within 24 hours. CISA was granted this considerable authority by the recently passed Cyber Incident Reporting for Critical Infrastructure Act of 2022, signed into law as part of the Consolidated Appropriations Act of 2022, which mandates reporting of substantial cyber incidents affecting critical infrastructure and of ransomware payments. The law gives CISA two years to publish notice of proposed rules on reporting and another 18 months after that to issue the final regulations.
Organizations should be aware that third-party services and corporate partners that are not under strict regulatory requirements may engage in exceedingly late notification practices, with delays measured in months, quarters, or years. Such entities may choose to forgo breach notification altogether. Improved notification practices would enable greater safety for all organizations and can contribute to shared threat intelligence that halts malware campaigns quickly. In the current threat and regulatory environment, trusted vendors of supply chain components or supporting services can themselves be compromised, leading to further Business Email Compromise (BEC) that can result in direct loss or disruption, or to the sale of access to financially or nationally motivated APT groups. This can lead to data extortion, ransomware, espionage, or industrial disruption.