After years of lengthy debates, Congress passed and the President signed into law a bipartisan bill requiring entities in sectors deemed to constitute “critical infrastructure” to report certain cyber incidents and ransomware payments. Currently, companies may and often do voluntarily report cyber incidents to the FBI or other federal agencies, but there is no obligation to do so. This law makes reporting mandatory.
Key Reporting Requirements
The new reporting requirements set out in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 were enacted as part of a larger omnibus appropriations bill. The law will require critical infrastructure entities to report to the Cybersecurity and Infrastructure Security Agency (CISA):
- Covered cyber incidents, within 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred; and
- Ransomware payments, within 24 hours after the payment has been made.
Covered entities also will be required to submit updates to initial reports once “substantial new or different information becomes available,” until an incident is fully mitigated and resolved.
The law does not make any changes to the legality of making a ransom payment. Such payments, while not unlawful per se, can be subject to broad-based sanctions compliance regimes.
CISA Rules Will Implement the Law
The new law will not go into effect until CISA promulgates rules implementing it. CISA must issue proposed rules within 24 months of the enactment of the law, and adopt final rules no later than 18 months after issuing the proposed rules.
CISA’s rules will need to clarify a number of requirements within the law, including:
- The types of covered entities required to report incidents and ransomware payments. The law defines “covered entities” to include companies in any of the critical infrastructure sectors identified in Presidential Policy Directive 21 (PPD-21), such as healthcare, financial services, information technology, transportation, and others. Congress has directed CISA to consider the consequences that “disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety” and the “likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country,” when drafting the rules.
- The types of covered cyber incidents that would trigger reporting, including how companies will be able to determine whether an incident is sufficiently “substantial” to trigger reporting obligations.
Preempting some concerns from industry, the law contains significant confidentiality protections for incident reporting. Specifically, reports describing covered cyber incidents or ransom payments will be deemed proprietary information belonging to the covered entity, and therefore exempt from disclosure under the Freedom of Information Act (FOIA). In addition, providing reports to CISA will not constitute a waiver of any applicable privilege or protection provided by law. The law grants CISA the authority to share the reports with other government entities only for a cybersecurity purpose, for purposes of identifying cyber threats, to prevent a specific threat of serious bodily harm or a specific threat of serious economic harm, to prevent or investigate harm to minors, or to investigate cybercrimes.
In addition, the law prohibits federal, state, and local authorities from using in enforcement actions any information garnered solely through a CISA incident report.
If a covered entity fails to submit a report in compliance with the law, CISA will have the power to follow up with the covered entity directly, including by subpoena if an adequate response is not received. If a covered entity fails to comply with a subpoena, CISA may refer the matter to the Department of Justice for further action.
Given how deeply interconnected the digital ecosystem is, and that disruption to even a small or medium-sized firm could cause ripple effects throughout an industry or across industries, we expect CISA to aggressively craft the list of covered entities that it views as falling within the critical infrastructure industries defined in PPD-21.
When coupled with the SEC’s own proposed accelerated disclosure rules governing cyber incidents, the slice of companies that do not fall within an existing or proposed federal incident reporting scheme is becoming smaller each day. Against this backdrop, it is not too soon for companies to begin enhancing their incident response plans and policies to account for rapid incident response and escalation, so that legal teams and senior executives are read in to incidents at an early stage and in time to evaluate and fulfill reporting obligations. While the timeframes under the law are undoubtedly tight and will present challenges, having a clear and thoughtful escalation process already in place means they do not have to be unworkable.