WASHINGTON – Today, global tech trade association ITI published Global Policy Principles for Security Incident Reporting to help policymakers worldwide as they seek to develop an effective and efficient security incident notification regime that will appropriately leverage limited resources while also providing relevant insight.

In the wake of increasingly severe cyber incidents policymakers around the world have turned to incident reporting policy regimes as a potentially appropriate tool to provide greater visibility into cybersecurity attacks. ITI’s Global Policy Principles for Security Incident Reporting build on ITI’s Policy Principles for Security Incident Reporting in the U.S. and include new recommendations on limiting incident reporting to confirmed or verified incidents and new guidance to help differentiate additional concepts that are often conflated with security incident reporting, such as coordinated vulnerability disclosure. 

“The cyber threat landscape is constantly evolving, resulting in the emergence of new threats,” said Courtney Lang, ITI’s Senior Director of Policy. “Across the globe, cyber incident reporting can play an important role in informing actions to respond to incidents and to contain or prevent further impacts. If carefully crafted, incident reporting can be a helpful policy lever. It is through this lens that we offer ITI's recommendations on several key areas that global policymakers should consider in order to develop a meaningful regime.”

Among its recommendations, ITI suggests policymakers:

  • Allow for at least a 72-hour reporting window after an entity has verified an incident;

  • Develop and adopt an incident categorization model;

  • Limit incident reporting to confirmed or verified incidents;

  • Establish or maintain appropriate liability protections and ensure information provided is exempt from public disclosure; and

  • Ensure confidentiality and appropriate protections around sensitive information shared with or by competent authorities within the government, including against regulatory use.

Read the recommendations here.