Cyberattack Reporting Policies Need to Be ‘Carefully Crafted’: ITI
New global “policy regimes” embracing cybersecurity incident reporting are a “potentially appropriate tool to provide greater visibility” into cyberattacks -- if “carefully crafted,” said the Information Technology Industry Council Monday. It urged policymakers to heed new recommendations “on limiting incident…
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
reporting to confirmed or verified incidents.” ITI asked security authorities to craft policies that “allow for at least a 72-hour reporting window after an entity has verified an incident” and to limit incident reporting “to confirmed or verified incidents.” Effective reporting regimes also need to “establish or maintain appropriate liability protections and ensure information provided is exempt from public disclosure,” said ITI. It seeks measures that “ensure confidentiality and appropriate protections around sensitive information shared with or by competent authorities within the government, including against regulatory use.” Senate Homeland Security Committee Chairman Gary Peters, D-Mich., hopes soon to introduce bipartisan legislation that would require critical infrastructure owners and operators to report “significant” cyberattacks (see 2109230065).