On March 15, 2022, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Act”) into law, requiring critical infrastructure entities to report covered cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours and report ransom payments to CISA within 24 hours of payment. The Act, which was incorporated into the 2022 Consolidated Appropriations Act and does not take immediate effect, requires CISA to undertake rulemaking to define key elements, including what types of entities constitute critical infrastructure, how a cybersecurity incident is defined, and what should be included in reports to CISA.
While the Act has many of the same themes as previously proposed cybersecurity reporting laws, it does not create substantive cybersecurity obligations outside of incident reporting, and does not provide CISA with the rulemaking authority to adopt and enforce such cybersecurity obligations. Instead, the Act further centralizes CISA as the primary hub within the federal government for information sharing and allows CISA to refer cases to the Department of Justice and other federal agencies for enforcement and prosecution of other federal laws or regulations.
In this Debevoise Data Blog post, we outline key provisions of the Act’s new reporting requirements, and what companies should consider now in order to ensure future compliance in the event of a notifiable cybersecurity incident or ransomware attack where a ransom might be paid. While much of the Act’s scope and implementation will be influenced by forthcoming rulemaking from CISA, it does lay out a general reporting and enforcement framework:
- Covered Critical Infrastructure Entities Will Be “Clearly” Defined. The Act limits the scope of covered entities to those within the 16 designated critical infrastructure sectors laid out in the 2013 Presidential Policy Directive 21, including broad categories such as “communications” and “financial services.” CISA’s final rule must contain a “clear description” of the types of entities that constitute covered entities, based on the likely disruptive impact of an incident to national or economic security or public health and safety, the likelihood the entity may be targeted by a malicious cyber actor, and the extent to which an incident would disrupt critical infrastructure operations.
- Covered Cyber Incidents Are “Substantial” Yet Likely Broad. Covered entities will be required to submit incident reports to CISA for any “substantial cyber incident,” as will be defined in CISA’s forthcoming final rule. CISA must consider a floor set by the Act that the incident, at a minimum, (i) leads to substantial loss of confidentiality, integrity, or availability of an information system or network, or a serious impact on the safety and resiliency of operational systems and processes; (ii) causes a business or industrial disruption; or (iii) involves either unauthorized access or a business or industrial disruption due to loss of service facilitated through or caused by a compromise of certain third-party cloud or data hosting providers or through a supply chain compromise. In deciding what will trigger notification, CISA must also consider the sophistication or novelty of the attack, the volume and sensitivity of the data at issue, the potential or actual number of individuals directly or indirectly affected, and the potential impacts on industrial control systems.
- Entities Have Time-Sensitive and Ongoing Reporting Obligations. As noted, the Act requires notice of a covered cybersecurity incident within 72 hours of when the entity “reasonably believes” the incident has occurred, in a format that describes, among other details, the nature of the attack and affected systems, the impact to operations or data, and any available information about the threat actor(s), tactics, or vulnerabilities. The entity must then provide “prompt” updates to CISA upon learning “substantial new or different information” until the entity tells CISA the incident has concluded “and has been fully mitigated and resolved.” If an entity is paying a ransom in connection with a ransomware incident, it must submit a report to CISA within 24 hours after payment is made and describe, in addition to similar details required in an incident report, the ransom payment, demand, and payment instructions. If an entity believes it has reporting obligations under both provisions, it is permitted to file a single consolidated report, but it should be mindful of the timing requirements for each.
- Entities Must Preserve Relevant Evidence. In addition to filing reports, covered entities will have to preserve all evidence relevant to any initial or supplemental incident report and any ransom payment report. CISA’s final rule is expected to detail the types of data required to be preserved, the period(s) of time for which the data must be preserved, and the allowable uses, processes, and procedures related to the data.
- CISA Has Its Own Reporting Obligations. In addition to regular reporting on the cybersecurity threat landscape and observations, the Act also requires CISA to promptly review and disseminate information in the entity reports it receives. In the case of an “ongoing cyber threat or security vulnerability,” CISA must “immediately” review the report for threat indicators that can be anonymized and disseminated to relevant stakeholders, likely including other potential victim entities. CISA must review all incident and ransom reports within 24 hours of receipt and make the information available to certain federal agencies. These obligations may influence CISA’s definition of a covered incident, as it must balance its ability to effectively review and disseminate pertinent information against the risk that it is flooded with reports of proportionately minor incidents.
- Expanding Federal Cybersecurity Enforcement. In the event of suspected non-compliance by a covered entity, CISA can send a request for information to the entity. If the entity does not respond within 72 hours, CISA may issue a subpoena for information it deems necessary. CISA may then refer the case to the Attorney General or the head of the appropriate federal regulatory agency for use in a regulatory enforcement action or criminal prosecution if CISA believes there is a violation of federal laws or regulations.
While the Act provides for a lengthy period of time for rulemaking—up to 24 months to publish a notice of proposed rulemaking, and a further 18 months to issue a final rule—given CISA’s encouragement that entities already begin to report “any indications of malicious cyber activity,” we could expect to see CISA begin the rulemaking process well ahead of 24 months. With this timing in mind, companies should begin to consider the following to ensure preparedness when the reporting requirement takes effect:
- Ensure a Process Is in Place to Escalate Cyber Incidents Internally and Make Timely Disclosures to CISA. With the enactment of formal reporting requirements, CISA’s recommendations regarding internal incident escalations will likely no longer be voluntary for covered critical infrastructure entities, which should be prepared to quickly assess whether they are experiencing or have experienced a covered incident. Critical infrastructure entities should consider updating playbooks to account for these escalations and decision points, and identify who will make the notification to CISA. Consider scenarios in which CISA may reach out directly about an incident it learns of, publicly or otherwise, that the company has not yet reported.
- Reporting and Communications Strategy Should Account for the Reporting Timeline. As we discussed last fall, the imposition of 24–72 hour notification obligations to CISA warrants preparing for accelerated communication timelines in the event of an incident. This is especially true for entities that are not already subject to a narrow mandatory reporting window, such as those of Regulation SCI, NYDFS Part 500, the GDPR, Security Directive 1, or the soon-to-take-effect 36-hour rule for banking organizations. An obligation to notify CISA within 72 hours of a cybersecurity incident and 24 hours of a ransom payment may necessitate earlier notifications to other agencies and regulators. In addition, the need to make both an incident report and a ransom report—not necessarily in tandem—warrants further coordination to ensure consistency and timeliness with other notifications.
- Further, entities should be aware that where CISA has an information-sharing agreement and mechanism in place with another federal agency, the entity will not be required to notify both CISA and the federal entity. Companies should assess what impact such notifications to CISA might have on their broader identification, escalation, reporting, and communication plans.
- Update Incident Response Plans to Account for Ongoing Reporting and Evidence Preservation. In addition to preparing your organization to make an initial report to CISA, covered entities should also consider updating incident response plans and playbooks to account for providing updates to CISA upon learning of “substantial new or different information” until the incident “has been fully mitigated and resolved” and to preserve all evidence relevant to initial or supplemental incident reports and ransom payment reports.
- Prepare for Scrutiny in the Event of Ransom Payments. With the current heightened government focus on ransomware groups and possible evasion of Russian sanctions through virtual currency, all entities—regardless of critical infrastructure designation—should be prepared for scrutiny in the event of a decision to pay a ransom. For covered entities, coupling the current sanctions environment with the mandatory reporting requirement and information-sharing provisions will serve to increase the risk of such scrutiny, increasing the importance of robust due diligence when considering a payment. In line with our previous recommendations, ensuring that your organization is aligned with CISA’s best practices in its Ransomware Guide from September 2020 and more recent guidance for executives may prove helpful to companies looking to bolster cybersecurity defenses, set stakeholder expectations, and mitigate regulatory scrutiny.
- Prepare for Increased Enforcement by Federal Regulators. In light of CISA’s authority to refer cases to the Department of Justice and other federal agencies, we may see an increase in cybersecurity-related investigations brought by the SEC, FTC, and DOJ Civil Fraud, which have each expressed a particular interest in cybersecurity enforcement in recent months. Notably, the Act does not permit CISA to make enforcement or prosecution referrals to state attorneys general or other state regulators, and prohibits those regulators from solely using the reports received through CISA for enforcement in an action. The Act does not, however, alter notification requirements to those state regulators or prevent them from separately reaching out.
We will closely follow developments in this area, including the Act’s regulatory implementation, and provide any updates at the Debevoise Data Blog.