The Cyber Instant Reporting Act and Cybersecurity Insurance: New Realities for Critical Infrastructure Sectors
The Cyber Instant Reporting Act, which was signed into law less than two weeks after it was first proposed, has changed how companies in the United States deal with cybersecurity. At the same time, the requirements for cybersecurity insurance coverage are getting stricter, which is making companies rethink their security plans.
The Cyber Instant Reporting Act
Businesses in 16 critical infrastructure sectors, such as emergency services, manufacturing, commercial buildings, healthcare, and information technology, are required by law to report cyber attacks within 72 hours. If malware is used, the attack should be reported within 24 hours. The Cybersecurity and Infrastructure Security Agency (CISA), which is part of Homeland Security, makes sure that this duty to report is met.
The speed with which this law was put into effect shows a change in how cyber risks are treated. Homeland Security now has a place where attacks can be reported quickly and easily. Businesses must take care to comply with this law, because failing to do so could have serious consequences.
From easy coverage to stricter underwriting: how cybersecurity insurance has changed
About three or four years ago, it wasn’t too hard or expensive to get cybersecurity insurance. Companies had to show that they had firewalls, backups, anti-virus software, and acceptable use rules.
But after the COVID-19 pandemic started, there was a big rise in cyber attacks, so insurance companies started to tighten their underwriting rules. Now, before a business can get insurance, it has to fill out a long form. Insurance companies want to know exactly what tools a business uses to keep its protection up to date. If you give false answers, you could lose a lot of money when you make a claim, but if you tell the truth, you could be denied coverage or have to pay twice as much.
With these stricter standards for coverage, the business world is taking cybersecurity in a whole new direction. Risk assessment methods are starting to put the details of cybersecurity insurance policies front and center. It’s important for businesses to know what this could mean for their operations.
Sharing the ownership and figuring out the risks
When it comes to handling cybersecurity risk, the data owner, the information technology (IT) team and the information security team often share responsibility. In the end, the risk is owned by the person who is responsible for the data and decides how much money will be spent to protect it. The IT team sets up and manages the solutions for protecting data, while the information security team evaluates the business’s security risks and weaknesses.
It’s important to understand each person’s part in the conversation about cybersecurity. But it’s just as important to understand what risk means. In the context of cybersecurity, risk can be thought of as a mix of danger (how likely it is that something will happen) and outrage (how bad the event will be).
In the cybersecurity environment of today, businesses need to figure out both how likely cyber attacks are and how bad they could be. With this view of risk, the focus changes from just putting security tools in place to doing a full risk assessment.
Partner with Novatech
Businesses are being forced to rethink their security plans because of the Cyber Instant Reporting Act and the way cybersecurity insurance is changing. It’s clear that risk assessment needs to be done in a responsible and thorough way now. In this new world, businesses’ cybersecurity resilience will depend on the tools they use, how they evaluate risks, and how they react to these changes.
Contact Novatech today to get a free network assessment!