Despite being crucial in bolstering cyber awareness, the Cybersecurity and Infrastructure Security Agency's cyber incident reporting draft rule (which would require critical infrastructure entities to make cyber incident and ransomware disclosures within 72 and 24 hours, respectively) has been regarded by trade groups and lawmakers as increasing burdens not only on smaller organizations but also on CISA itself, CyberScoop reports.
More extensive requirements under the draft rule should be harmonized with existing reporting regulations, said groups at a hearing of the House Homeland Security's cybersecurity subcommittee. Such a sentiment has gained the support of Rep. Eric Swalwell, D-Calif., who emphasized the need to ensure that the incident reporting rules do not cover non-relevant small and medium-sized businesses.
On the other hand, Bank Policy Institute Senior Vice President of Technology and Risk Strategy Heather Hogsett said that significant report volumes would likely overwhelm CISA, while Edison Electric Institute Senior Vice President of Security and Preparedness Scott Aaronson noted that the recent attack against CISA indicates data security issues faced by the agency.