On March 15, 2022, President Joe Biden signed the Strengthening American Cybersecurity Act (SACA) into law. The bill, which passed the U.S. Senate unanimously, establishes new security reporting requirements for critical infrastructure entities.
The big question with any new law is, "How does it affect me and my business?" So let's break down the major components of the bill.
The Why
Prior versions of the SACA and related cybersecurity measures failed to gain enough supporting votes to pass into law. A significant factor in the bill's passage was Russia's invasion of Ukraine in February 2022. The attack presented an increased threat to U.S. national security, building support for more stringent cybersecurity measures. Being able to spot a cyberattack is a critical objective for both the public and private sectors.
New timeline for cyber incidents
The most significant change is to the notification requirements for cyber incidents and ransomware payments. Entities classified as critical infrastructure must now notify the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of discovering a significant cyber incident and within 24 hours of making a ransomware payment.
What’s considered critical infrastructure?
CISA defines "critical infrastructure" as those companies and government branches working in financial services, commercial facilities, information technology, healthcare, transportation, dams, chemical manufacturing, the defense industrial base, the energy sector, and more. Businesses should consider whether they qualify as critical infrastructure and whether they need to hire a cybersecurity expert to bring their security measures up to standard.
What it all means
The bill dramatically strengthens the expectations and enforcement around cybersecurity. Those who fail to comply with the new reporting requirements face a subpoena from CISA for failing to report. Under the subpoena, CISA can request cybersecurity information on up to 20 devices to check for regulatory compliance. Granting CISA the power to subpoena has attracted criticism from watchdog groups, who worry this new power has potential for abuse.
Potential Impacts
Most cyber-attacks take a while to uncover. IBM's 2020 Data Security Report found that it can take companies 280 days to discover a cyber-attack. Measured against a 72-hour reporting window, 280 days is an enormous gap, which means many companies may face issues complying with the law. Now is a great time to assess your cybersecurity measures internally and see which areas of your business could use a security boost.
The law's emphasis on the speed of reporting sets an essential standard for monitoring cybersecurity. The expectation is that companies monitor for and report cyber-attacks and data breaches continuously. Hackers can do a lot of damage if your business takes 280 days to uncover a data breach.
What you can do
The easiest first step is to make sure that your business has a cybersecurity plan in place and can detect cyberattacks. Does your IT department mandate two-factor authentication for accessing systems? What is the plan of action and alerting system for detecting a cyberattack? If you don't have answers to these questions, your business is overdue for a cybersecurity makeover. For easy ways to improve your cybersecurity, read our blog with the top 5 business tips. If you are looking for more help, In Time Tec is happy to assist with cybersecurity.