Following a breach or any cyber incident for that matter, it's easy for things to fall through the cracks.
There's so much happening, especially in the first 72 hours, between mitigating the attack itself, trying to follow your incident response plan, stopping data loss, and post-breach recovery, that organizations can often lose track of what information needs to be saved in order to properly report the incident to authorities.
One of the aims of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) - passed in March - was to streamline this process. The act formalized an obligation for owners and operators of critical infrastructure to report a cybersecurity incident to the U.S. government within 72 hours and any ransomware payment within 24 hours.
A new data sheet released by the Cybersecurity and Infrastructure Security Administration (CISA) this month is designed to clarify which organizations should share incidents, exactly what kind of information should be shared and how to do it.
Who should report a breach?
CIRCIA requires critical infrastructure companies – everything from owners and operators in the chemical sector to the financial services sector – to report covered cyber incidents to CISA. Federal and SLTT (State, Local, Territorial, and Tribal Government) Partners should also share cyber incidents.
While CIRCIA may not apply to your organization, the expectations it sets around cyber information sharing can be read as incident response best practices for every organization, regardless of industry. They could also go a long way toward keeping other organizations from falling victim to a similar attack.
What should be reported?
CISA is urging organizations to share data around cybersecurity incidents, which can take the form of:
- Unauthorized access to your system
- Denial of Service (DoS) attacks that last more than 12 hours
- Malicious code on your systems, including variants if known
- Targeted and repeated scans against services on your systems
- Repeated attempts to gain unauthorized access to your system
- Email or mobile messages associated with phishing attempts or successes
- Ransomware against Critical Infrastructure, including variant and ransom details if known
Much as journalism students are taught the five Ws (who, what, when, where and why), when there has been a cyber incident CISA wants to know as much as possible about what your organization has experienced.
It's asking entities to share 10 elements, the first nine being a priority:
1. Incident date and time
2. Incident location
3. Type of observed activity
4. Detailed narrative of the event
5. Number of people or systems affected
6. Company/Organization name
7. Point of Contact details
8. Severity of event
9. Critical Infrastructure Sector if known
10. Anyone else you informed
How do I report?
Federal or Critical Infrastructure partners should complete one of the agency's incident reporting forms, viewable here. If your organization doesn't have the bandwidth to fill out a full report, it should send an email to [email protected] touching on as much of the above information as possible. From there, the agency will share anonymized information about the activity with other organizations to help them manage their risk and be in touch if it has any further questions.
It’s worth noting that this guidance isn’t universal. The Transportation Security Administration (TSA), for instance, has reporting requirements for transportation operators and pipelines that require a cyber breach to be reported within 12 hours. Banks need to report hacks to regulators like the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency within 36 hours.
Reporting obligations vary by industry; organizations should do their due diligence to ensure they know the correct protocol for theirs.