Home Review Congress’ Rapid Disclosure Ruling: Can You Keep Up?

Congress’ Rapid Disclosure Ruling: Can You Keep Up?


Congress’ Rapid Disclosure Ruling: Can You Keep Up?


In March 2022, congress passed the Cyber Incident Reporting for Critical Infrastructure Act (CIRA). This is a mouthful in more ways than one: for many organizations, it will soon be mandatory to disclose a cybersecurity incident within 72 hours of its discovery.

In many ways, this is a change for good: time is of the essence in a cybersecurity attack. In 2015, FireEye acknowledged that a mandatory reporting period is vital, after a private health insurance firm waited three years to inform its customers of a serious lapse in security.

Companies are well aware of the potential damage to clients and reputation when they disclose a breach – meaning that it can be very tempting to remain silent. This guide will explain database security and help you adapt to the new rapid rule.

Closed Lips Sink Ships

You know how powerful data is for every step of company growth, from marketing to user analytics. With great power comes great responsibility, however. Upon collecting data, it becomes a company’s responsibility to safeguard it.

Uber makes for a good example of the danger of dillydallying. In October 2016, hackers stole personal data from approximately 57 million user accounts. Uber was aware of this, paying the hackers $100,000 to keep the breach silent. Almost a year later, in November 2017, the names, driver’s licenses, mobile phone numbers, and emails of 57 million customers were all found for sale on the dark web.

It took Bloomberg’s report on the situation for Uber to release any further information on the matter. In a press release, CEO Dara Khosrowshahi clarified that two attackers accessed data on a third-party cloud-based system. However, this paltry press release was too little too late: data that is hosted for sale on various illicit marketplaces already represents a serious risk of ricochet.

Once an email is breached, for example, attackers can find a compromised users’ bank and deploy automated scripts to brute-force access. High-level organization emails fetch a higher price: cybercriminals are acutely aware that phishing emails from a CEO or manager are incredibly potent.

Uber was eventually fined $148 million: they also enshrined the legal necessity of a maximum response time.

The second focal point of the new bill is on the public sector, and the mandated reporting of relevant incidents. This follows 2020’s horrific SolarWinds breach, which caused the severe compromise of no less than 9 federal agencies. Even worse, the government only became aware of the issue after it was voluntarily communicated by a private cybersecurity firm.

On the global stage, the US is finally catching up with the rest of the world. Australia has had similar mandates in place since 2016, whilst the UK’s and Europe’s GDPR rules have enforced the 72-hour response since 2018.

“Substantial cyber incident”

The ruling includes that public reports will only be required in response to a “substantial cyber incident.”

This, naturally, begs the question of what counts as a substantial cyber incident. The easiest way to assess this is by looking at the impact on a company’s bottom line. Perhaps by recording the sales loss as a percentage of the company’s overall revenue; or by tracking how many days a company is out of action as the result of an attack.

The SEC – concerned primarily about transparency to shareholders – has also chipped in, demanding companies to consider less black-and-white factors such as their reputation.

The SEC’s involvement includes the 2021 Pearson breach, when the company misled investors about a breach that included millions of student records. It then paid the SEC $1 million to settle charges against it. This breach might not have been financially material; but it certainly casts a shadow on Pearson’s ability to safeguard its data.

The CIRA faces up to two more years of reworks and editing, which means that Congress should soon clarify the exact parameters of a “substantial” breach. It’s important to note that this 2-year period could very well be shortened, however, and the bill passed early, given the current climate of cybersecurity aggression between Russia and the West.

While congress clarify the nitty gritty details, let’s give you some context to this new time limit: the time it takes to identify and contain an attack is currently a bit longer than 72 hours. In 2021, on average, it took 6,888 hours.

How To Keep Up

Let’s face it: reporting on and containing attacks are two very different actions. However, you cannot simply wait for an attack and drop a press release. Without a comprehensive action plan, you risk damaging customer and stakeholder trust even further. So, it’s a delicate balance. To avoid being caught with your pants around your ankles, streamline the major processes prior to an attack.


Firstly, focus on the core element you need to protect: your database server. Start from a foundation of physical security, then build your way up to a zero-trust architecture. No accounts should have access to data that they do not need.


It can seem a daunting task, but the FAIR risk quantification method can be a great help in this process. FAIR stands for Factor Analysis of Information Risk; it’s a cohesive framework for analyzing the probability and financial impacts of various security incidents. This means you can prioritize and allocate the suitable time and budgets for each risk.


FAIR is a handy framework as it prioritizes collaborative communication: everyone understands a hit to the bottom line. In the same manner, embracing open security architecture can drastically reduce the complexity of IT and security environments. This is vital, as IBM found that IT complexity contributes significantly to the cost and time that a data breach consumes.


After establishing a locked-down database, monitoring systems such as File Integrity Monitoring give you real-time insight into the integrity of that data. Know as soon as possible when something suspicious arises.


Finally, ensure that you have a cohesive and widely-understood data breach response process. Everyone in the organization needs to understand what a data breach looks like, and how to report it. All of these steps combined further helps to foster a culture of action, rather than blame. Breaches happen, and it takes a team to defend your database.