WASHINGTON – Today, global tech trade association ITI published Principles for Security Incident Reporting in the U.S., first-of-their-kind recommendations designed to help inform U.S. policymakers as they seek to develop a security incident notification regime.
In the wake of increasingly severe cyber incidents, such as SolarWinds, policymakers have turned to incident reporting policy regimes as a potentially appropriate tool to provide greater visibility into cybersecurity attacks and vulnerabilities. ITI’s recommendations are intended to help policymakers construct an effective and efficient incident reporting regime that will appropriately leverage limited resources while also providing relevant insight.
“The SolarWinds compromise has demonstrated how the cyber threat landscape is constantly evolving, resulting in the emergence of new threats,” said Courtney Lang, ITI’s Senior Director of Policy. “ITI recognizes that cybersecurity incident reporting can play an important role in informing actions to respond to incidents and to contain or prevent further impacts. If carefully crafted, incident reporting has the potential to be a helpful policy lever. It is through this lens that we offer our recommendations on several key areas that policymakers should consider in order to develop a meaningful security incident reporting regime.”
Among its recommendations, ITI suggests policymakers:
- Develop and adopt an incident categorization matrix to help prioritize and inform incident reporting and response requirements;
- Allow for at least a 72-hour reporting window after an entity has verified an incident;
- Limit responsibility for reporting only to the compromised entity;
- Designate a single point of contact within the government for companies to report security incidents to; and
- Establish targeted liability protections and appropriate exemptions from FOIA.
Read the recommendations here.