{"id":4414,"date":"2024-07-11T09:00:00","date_gmt":"2024-07-11T14:00:00","guid":{"rendered":"https:\/\/www.darkreading.com\/cybersecurity-operations\/centralized-cyber-incident-reporting-can-improve-effectiveness"},"modified":"2024-07-11T09:00:00","modified_gmt":"2024-07-11T14:00:00","slug":"centralized-cyber-incident-reporting-can-improve-effectiveness","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/07\/11\/centralized-cyber-incident-reporting-can-improve-effectiveness\/","title":{"rendered":"Centralized Cyber-Incident Reporting Can Improve Effectiveness"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

COMMENTARY<\/span><\/span><\/p>\n

UnitedHealth CEO Andrew Witty addressed separate hearings in the Senate and House on May 1 to <\/span>testify about the devastating Change Healthcare cyberattack<\/a><\/span> in February that affected millions of Americans and incurred <\/span>nearly $1 billion<\/a><\/span> in costs. <\/span><\/p>\n

While promising to fix glaring security flaws \u2014 such as the <\/span>lack of multifactor authentication<\/a><\/span> (MFA) on the Change Healthcare portal \u2014 Witty also said UnitedHealth supports “standardized and nationalized cybersecurity event reporting” as part of efforts to strengthen the country’s national cybersecurity infrastructure.<\/span><\/p>\n

Considering that cyber-incident reporting regulations abound worldwide, frequently even overlapping, this part of his testimony drew no real pushback. The big question, however, is: How realistic is this? <\/span><\/p>\n

Companies and other organizations face an ever-expanding set of regulatory and reporting standards, depending on their operations and the data they handle, from the <\/span>Cyber Incident Reporting for Critical Infrastructure Act<\/a><\/span> (CIRCIA) and the EU <\/span>General Data Protection Regulation<\/a><\/span> (GDPR) to <\/span>Security and Exchange Commission<\/a><\/span> rules to the <\/span>Health Insurance Portability and Accountability Act<\/a><\/span> (HIPPA) and many others. In all, there more than 200 regulations that could apply, many of them with increasingly shorter reporting deadlines \u2014 and some of them with teeth in the form of fines, penalties, <\/span>and even prosecutions<\/a><\/span>. <\/span><\/p>\n

When a company has a cybersecurity incident, it would be very beneficial to have one central place to report, rather than reporting to a host of applicable regulatory bodies. In its <\/span>September 2023 report<\/a><\/span>, “Harmonization of Cyber Incident Reporting to the Federal Government,” the Department of Homeland Security (DHS) recommended the creation of a single portal to “streamline the receipt and sharing” of information. That central reporting location could then provide the necessary information to other regulators.<\/span><\/p>\n

The best prospect for such a seamless reporting system lies in something that’s been in existence for eight years: the <\/span>National Cyber Incident Response Plan<\/a><\/span> (NCIRP).<\/span><\/p>\n

The NCIRP Could Centralize Cyber Reporting<\/h2>\n

The NCIRP, now mandated by the Biden administration’s <\/span>National Cybersecurity Strategy<\/a><\/span>, is currently being updated to better address evolving threats, as well as to promote cooperation among the private sector, regulators, federal agencies, interagency partners, and state, local, tribal, and territorial (SLTT) governments, as well as other entities. The Cybersecurity and Infrastructure Security Agency (CISA) plans to release the update before the end of the year.<\/span><\/p>\n

The NCIRP will follow four principles:<\/span><\/p>\n

\n