On March 15, 2022, President Biden signed into law, as part of an omnibus spending package, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Act”). The Act establishes two cyber incident reporting requirements for “covered” critical infrastructure entities: (1) a 24-hour requirement to report ransomware payments to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and (2) a 72-hour requirement to report all covered cyber incidents to CISA. Neither requirement takes effect until CISA issues the implementing regulations; the Act gives CISA up to 24 months from enactment to publish a proposed rule and up to 18 months after that to publish the final rule. Most companies will need to build or improve their incident reporting and crisis response plans to comply with these tight deadlines. Such incident response plans are highly advisable in general, and more so now ahead of the pending regulatory requirements.
Will the Act Apply to My Business?
The Act applies to “covered entities” in the sixteen United States critical infrastructure sectors identified in Presidential Policy Directive 21. These include, for example, certain companies operating in the energy, financial services, and health care sectors. They also include contractors working in the Defense Industrial Base. The Act itself does not say which entities within those sectors are “covered”; it leaves that definition to CISA, which is expected to refine the concept of “covered entity” when it takes up the rulemaking for the implementing regulations.
What Are the Ransomware Payment Reporting Requirements?
The Act requires covered entities that make a payment as “the result of a ransomware attack” to report it to CISA within 24 hours of making the payment. Reports must contain specific information about the ransomware attack and the threat actors reasonably believed to be responsible. The report must, at a minimum, include a description of the attack; a description of the vulnerabilities, tactics, techniques, and procedures (“TTPs”) used to perpetrate the attack; any identifying or contact information related to each actor reasonably believed to be responsible for the attack; the date and amount of the ransom payment; and the ransom demand and payment instructions. A covered entity that pays a ransom in connection with a covered cyber incident may satisfy both reporting requirements with a single report. Currently, many incident response companies report these details to law enforcement; whether such dual-track reporting will still be necessary once CISA reporting becomes mandatory will need to be evaluated.
What Are the Cyber Incident Reporting Requirements?
The Act also requires covered entities to report any “covered cyber incident” to CISA within 72 hours of the time the entity reasonably believes the incident occurred, and to “promptly” submit supplemental reports providing updated or additional information about the incident, including whether a ransom payment is made after the submission of an initial report, until the entity notifies CISA that the incident has concluded and been fully mitigated. Forthcoming CISA regulations will also require covered entities to preserve data relevant to a reported incident or ransom payment for a period to be set in the final rule. This is similar to the current 72-hour incident reporting requirement imposed on defense contractors through the Defense Federal Acquisition Regulation Supplement (DFARS). The Act leaves the final definition of “covered cyber incident” to CISA but requires that it cover, at a minimum, “substantial” cyber incidents that involve (1) a substantial loss of confidentiality, integrity, or availability of an information system or network, or a serious impact on the safety and resiliency of operational systems and processes; (2) a disruption of business or industrial operations, whether against an information system or network or an operational technology system or process; or (3) unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, or by a supply chain compromise. Notably, the Act does not require reporting of an “occurrence that imminently, but not actually, jeopardizes” an information system or the information it houses, so a blocked or attempted intrusion that causes no actual loss is outside the reporting requirement.
What Should My Company Do?
Companies that believe they may be covered by the Act should examine their cybersecurity and incident reporting policies and procedures now, before the implementing regulations are issued. Responding to a cybersecurity incident is challenging and time-intensive, and a 24- or 72-hour clock leaves little room to decide who reports, what is reported, and to whom. To meet these deadlines, companies are strongly encouraged to adopt written incident response plans and to practice executing them. Recommended steps include designating response personnel and decision-makers for reporting and ransom payment decisions; creating notification templates that capture the information the Act requires (description of the incident, vulnerabilities and TTPs, threat actor details, and any ransom demand and payment details); defining how relevant evidence and data will be preserved; and conducting tabletop exercises to gauge how quickly the organization can detect, assess, and report an incident.