The United States Department of Homeland Security (hereafter "DHS") has released helpful guidelines and points of contact for reporting cyber incidents to the Federal Government. Expanding on a discussion initially started in the United States Department of Justice ("DOJ") "Best Practices for Victim Response and Reporting Cyber Incidents," about notifying DHS in the event of a cyber incident, this new fact sheet provides the critically necessary what, where, when, and how for a private sector entity.
According to DHS, because cyber incidents resulting in significant damage are of a particular concern, victims are encouraged to report all such incidents that may: (1) result in a significant loss of data, system availability, or control of systems; (2) impact a large number of victims; (3) indicate unauthorized access to, or malicious software present on, critical information technology systems; (4) affect critical infrastructure or core government functions; or (5) impact national security, economic security, or public health and safety.
As DOJ similarly recommended, if a private sector entity suspects a cyber incident has occurred, it should report such an incident to DHS, even when complete information may not be available. Helpful information to report includes who you are, who experienced the incident, what sort of incident occurred, how and when the incident was initially detected, what response actions have already been taken, and who has been notified. Private sector entities should carefully craft their cyber incident response plans to ensure this information is preserved.
Of critical importance is how to report a cyber incident. DHS encourages private sector entities "to report a cyber incident to the local field offices of federal law enforcement agencies, their sector specific agency," and/or the agencies listed on the second page of the fact sheet. The federal agency receiving the initial report will coordinate with other relevant agencies in responding. If the affected entity must report such an incident, that entity should also comply with that obligation in addition to voluntarily reporting it.
Upon receiving a report of a cyber incident, the Federal Government will focus on two distinct, but equally important, activities: (1) threat response (attributing, pursuing, and disrupting malicious cyber actors and malicious cyber activity by conducting criminal investigations and taking other actions to counter the malicious cyber activity); and (2) asset response (strengthening, recovering and restoring services, identifying other entities at risk, and assessing potential risk to the broad community).
Regardless of the type of incident or its corresponding response, the key to counter-acting any cyber incident is, and has always been, preparedness and response time. The more prepared a business or enterprise is, the more streamlined the reaction and response will be to a cyber incident, and the more likely that entity will be to notify the Federal Government swiftly. Of course, the fact sheet released by DHS does not encompass everything a business or enterprise must do in the event of a cyber incident, but it is useful.
Now is the time to review your cyber incident response plan to determine if your business or enterprise is truly prepared and best able to handle a cyber incident of any degree. As DOJ has routinely reiterated, the best time to plan a cyber incident response is before an incident occurs, not during or after. In these uncertain times when cyber incidents occur (and often), if you are unsure whether your cyber incident response plan is sufficient or do not have a plan at all, it is imperative you have a trained and knowledgeable attorney help.
