On March 15, President Joe Biden signed into law the Cyber Incident Reporting For Critical Infrastructure Act of 2022 that will create new rules requiring U.S. critical infrastructure entities (e.g., financial services, energy, defense industrial bases) and federal agencies to report cybersecurity incidents within 72 hours of the incident and within 24 hours if a ransomware payment was made.
This is a departure from the current notification timelines in the U.S. and it largely aligns with requirements set by the General Data Protection Regulation (GDPR). The law also selects the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) as the central information agency related to cyber incidents.
The bill establishes a minimum reporting standard for “covered entities,” which — according to the President Policy Directive 21 — include companies in the communication sector, financial services sector, information technology sector, and 13 other sectors considered critical infrastructure. One sector that is not clearly included or clearly excluded from the list of 16 critical infrastructure sectors is crypto and central bank digital currencies, but given the importance for the national security that President Biden gave to digital assets in his Executive Order issued on March 9, companies in this space may also decide to observe these new reporting requirements.
The covered entities will have to report “covered cyber incidents,” and while the definition of these incidents will be later defined by CISA regulation, companies won’t have to report every single incident — just those of certain impact: “A cyber incident that leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes.”
The reporting requirements for ramson payments are, however, a bit stricter. On the one hand, companies will only have 24 hours to report these payments, instead of the 72 hours for cyber incidents. Additionally, this reporting requirement applies to any payments, including in situations that do not trigger the incident reporting requirement.
The legislation includes enforcement mechanisms to ensure compliance with the new reporting requirements. The CISA may issue subpoenas to companies it believes has experienced a cyber incident or made a ramson payment. If a company fails to comply with the subpoena, it may face civil lawsuits to seek enforcement.
Given the sensitivity of the data that companies will need to provide, including commercial, financial and proprietary information, the legislation exempts this information from disclosure obligations under the Freedom Information Act and similar laws requiring disclosure of information.
Additionally, to offer more protection to companies to report these incidents on a voluntary basis, the legislation also foresees that any report submitted to the CISA or “any communication, document, material, or other record, created for the sole purpose of preparing, drafting, or submitting such report[] may be received in evidence, subject to discovery, or otherwise used in any trial, hearing, or other proceeding in or before any court, regulatory body, or other authority of the United States, a State, or a political subdivision thereof.”
While this legislation applies only to “covered entities,” its effects will likely be felt across sectors and industries. As the legislation includes breaches suffered by supply chain and cloud providers, this may expand the effects of such breaches downstream, and customers of these suppliers may need to be ready for additional auditing and, in some cases, reviews of their contractual relationships.
Read More: Study: 50% of Financial Firms Unsure About Data Security