US: Congress passes new cyber incident reporting requirement

The Cyber Incident Reporting for Critical Infrastructure Act (the “Act”, often referred to as CIRCIA), passed by the U.S. Senate on March 10, 2022 as part of the Consolidated Appropriations Act, 2022 (the Senate had earlier approved the standalone text by unanimous consent), is the most significant cyber legislation to make it through the Senate since the Cybersecurity Information Sharing Act of 2015. Update: on March 15, 2022, President Biden signed the Act into law.

The Act requires critical infrastructure entities (e.g., financial services, energy, the defense industrial base) to report covered cyber incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours of the point at which the entity reasonably believes the incident has occurred, and to report any ransomware payment within 24 hours of the payment being made. The two clocks run independently: a ransom paid during an incident that has already been reported still triggers its own 24-hour report.

For most industries the 72-hour notice period is a significant departure from current and historic notification timelines in the U.S., and it largely aligns with the 72-hour supervisory authority notification required by Article 33 of the GDPR. The Act also cements CISA as the central federal recipient of cyber incident reports.

Key Takeaways:
  • Who does this apply to? The Act defines “covered entities” as entities in a critical infrastructure sector, as identified in Presidential Policy Directive 21 (PPD-21), leaving companies in other sectors unaffected by the Act.
  • What is covered? The Act fills the gap left by existing reporting requirements, which are largely state breach-notification laws triggered by the exposure of personal data. The Act instead applies to “covered cyber incidents” (operational impact, not just data exposure) and to all ransomware payments.
  • What must be reported? Reports to CISA will require details about the attack, the timeline of the incident, and, where applicable, the ransom paid.
  • Does this expose covered entities to liability? The Act seeks to protect covered entities by exempting reports from FOIA, ensuring that a report does not constitute a waiver of privilege, and barring causes of action based solely on the filing of a report.

While the Act establishes minimum reporting standards for “covered entities”, the operative definitions and procedures are left to CISA rulemaking: CISA must publish a notice of proposed rulemaking within 24 months of enactment and a final rule within 18 months after that, and the reporting obligations take effect only when the final rule does. Until then, careful monitoring of CISA’s rulemaking remains crucial for critical infrastructure entities across multiple industries so that they are ready to comply once the reporting mandates become enforceable.

What is a covered entity?

The Act applies to entities in the critical infrastructure sectors identified in Presidential Policy Directive 21. CISA’s rule must further define “covered entity” based on:

  • “the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety”;
  • “the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country”; and
  • “the extent to which damage, disruption, or unauthorized access to such an entity . . . will likely enable the disruption of the reliable operation of critical infrastructure.”

What is a covered cyber incident?

The definition of a “covered cyber incident” will be set by CISA regulations. The Act borrows the general definition of an incident from federal information security law, i.e. any occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually jeopardizes, without lawful authority, an information system, and requires that CISA’s definition include, at a minimum:

  • “a cyber incident that leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes”;
  • “a disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero day vulnerability”; and
  • “unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.”

Note that the threshold is “substantial” loss or a “serious” impact: routine events such as blocked phishing or commodity malware contained at the endpoint are not intended to be reportable, and CISA is directed to weigh the sophistication of the tactics used and the sensitivity of the data and systems involved when drawing that line.

What must be included in a report?

Reports of cyber incidents to CISA shall include, where available:

  • Covered Cyber Incident: a description of the covered cyber incident.
  • Vulnerabilities: a description of the tactics, techniques and procedures used to exploit vulnerabilities and the vulnerabilities exploited.
  • Actor Identity: any information that could assist in identifying the malicious actor.
  • Reporting Entity: the impacted, reporting entity’s contact information.

If a ransomware payment was made, reports to CISA shall also include, where available:

  • Date: the date of the ransom payment.
  • Demand and Instructions: the ransom payment demand and payment instructions, including the type of currency requested.
  • Amount: the amount of the ransom payment.

In addition to the initial reports described above, the Act requires a “covered entity” to submit supplemental reports if substantial new or different information becomes available or if a ransom payment is made after the initial report, until the entity notifies CISA that the incident has concluded and been fully mitigated and resolved. The Act also requires the reporting entity to preserve data relevant to the “covered cyber incident” or ransom payment, which in practice means placing logs, forensic images, and communications with the attacker under a litigation-style hold from the moment the 72-hour clock starts.

CISA’s expanded role in cyber incident prevention and response

Even prior to the Act, in response to the sharp rise in cyber incidents, CISA had been publishing guidance on responding to ransomware attacks, tips for detecting intrusions, and general cyber hygiene best practices. The Act expands CISA’s role, establishing it as the central agency for cyber incident reporting and creating new programs and requirements regarding ransomware and cyber incident data:

  • Ransomware Vulnerability Warning Pilot Program: The Act tasks CISA with establishing a Ransomware Vulnerability Warning Pilot Program to identify the security vulnerabilities most commonly exploited in ransomware attacks and, using existing authorities such as internet-wide scanning, to identify information systems that contain them. The program authorizes CISA to contact the owners of those systems and notify them of the vulnerabilities found.
  • Cyber Incident Review Center: The Act establishes the Cyber Incident Review Center within CISA. The Center receives, aggregates, analyzes, and secures incident reports, and coordinates the sharing of information about ongoing cybersecurity threats, attacks, and trends among government agencies and the private sector. It is also tasked with publishing unclassified reports quarterly and with analyzing ransomware attacks in coordination with law enforcement operations focused on virtual currencies.
  • Joint Ransomware Task Force: The Act also tasks CISA with creating a Joint Ransomware Task Force, co-chaired with the FBI and the National Cyber Director, that tackles ransomware attacks in consultation with foreign partners, federal agencies, and the private sector. Task Force responsibilities include: (i) maintaining a continuously updated list of the highest-threat ransomware entities; (ii) coordinating collaboration between federal and private sector entities to improve federal efforts to disrupt ransomware threats; (iii) intercepting and disrupting ransomware actors, their infrastructure, and their financial resources; and (iv) producing post-incident reports that identify successes and failures of federal activities against ransomware threats.

CISA requests for information and protection of reports

The Act also gives CISA an enforcement path against entities it believes have failed to report. If CISA has reason to believe that a covered entity experienced a covered cyber incident or made a ransom payment but did not submit the required report, it may send the entity a request for information. If the entity fails to respond within 72 hours of receiving the request, CISA may issue a subpoena to compel disclosure, and non-compliance with the subpoena can be referred to the Department of Justice for civil enforcement in federal court. Note that the Act contains no direct monetary penalty for a missed report; the practical exposure is the subpoena process and the loss of the liability and privilege protections that attach only to voluntarily submitted reports.

Reports provided to CISA under the Act remain the commercial, financial, and proprietary information of the covered entity. The reports are exempt from disclosure under FOIA and similar state and local laws, submission does not waive any applicable privilege or protection (including attorney-client privilege and work product), and the reports may not be used to regulate the lawful activities of the reporting entity. Additionally, no cause of action may be maintained based solely on the submission of a report to CISA; this protection covers the act of reporting, not the underlying incident, so a covered entity can still face claims arising from the breach itself.

Conclusion

The Act encourages organizations to be well-equipped to respond to cybersecurity and ransomware threats. It also gives organizations a concrete reason to scrutinize their existing cyber defenses and to revise their incident response plans so that the determination of whether an incident is “covered”, the start of the 72-hour clock, and the collection of the required report fields are explicit steps in the runbook rather than decisions improvised during a crisis.

The Act’s inclusion of incidents suffered by supply chain, cloud, and managed service providers is significant and substantially expands the set of events a covered entity must report. It will have a downstream contractual effect: because a covered entity’s 72-hour clock can be started by a compromise at its provider, customers will need prompt-notification and cooperation clauses from their suppliers, and will likely demand a level of vendor auditing and evidence of security controls not previously common. Companies should begin planning for larger investment in logging, detection, and forensic readiness so that they can both recognize a covered incident in time and preserve the data the Act requires. This legislation is a significant step in the collective cybersecurity of the U.S.