The Cyber Incident Reporting for Critical Infrastructure Act of 2022

Eversheds Sutherland (US) LLP

Summary

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), passed as part of the omnibus spending bill on March 15, 2022, will require critical infrastructure companies (which could include financial services companies, energy companies and other key businesses for which a disruption would impact economic security or public health and safety) to report any substantial cybersecurity incidents or ransom payments to the federal government within 72 and 24 hours, respectively. Significantly, the new reporting requirements may apply even if the cybersecurity incident does not involve the unauthorized access or acquisition of personal information.

There is time, however, before these reporting requirements come into effect, and more details will follow on what incidents trigger reporting. The Act establishes minimum thresholds and definitions but charges the Director of the Cybersecurity and Infrastructure Security Agency (CISA) to explicitly define what constitutes a covered entity and a covered incident when determining which entities must comply with the rule, and when. CISA will have 24 months after the passage of the bill to create a proposed rule, and another 18 months after the publication of the proposed rule to create a final rule, meaning that the law could take up to 36 months to go into effect. However, with geopolitical instability only increasing, CISA may choose to accelerate its efforts.

That said, companies within the critical infrastructure sector should consider taking steps to review their response plans to ensure that legal and compliance professionals are brought in early, particularly since events that do not implicate personal information may now require regulatory notifications.

Applicability

CIRCIA establishes reporting requirements for entities that 1) have experienced a “covered cyber incident” and 2) meet the definition of a “covered entity”. “Covered entity” is not yet fully defined, but will likely include those that belong to any of the 16 critical infrastructure sectors defined by DHS.

Covered entities

“Covered entity” means an entity in a Designated Critical Infrastructure Sector defined in Presidential Policy Directive 21, which satisfies the final rule issued by the Director of CISA (Director). The Director’s final rule must include a “clear description of the types of entities that constitute covered entities,” based on:

  • The likelihood that the entity will be targeted by a malicious actor;1
  • The impact that a disruption at that entity would cause to national and/or economic security, or to public health and safety; and
  • The extent to which damage to that entity, via a cyber incident, could cause its operation to be disrupted.2

Cyber incidents

The definition of a “covered cyber incident” extends beyond the unauthorized access or acquisition of personal information and the Director of CISA is left to determine the precise contours. At a minimum, a notifiable incident must include at least one of the following:

(i) Unauthorized access to an information system or network that leads to loss of confidentiality, integrity, or availability of such information system or network, or has a serious impact on the safety and resiliency of operational systems and processes.

(ii) Disruption of business or industrial operations due to a denial of service attack, a ransomware attack, or exploitation of a zero-day vulnerability, against—

(I) an information system or network; or

(II) an operational technology system or process.

(iii) Unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by a compromise of, a cloud service provider, managed service provider, other third-party data hosting provider, or supply chain attack.

The minimum threshold above would likely not cover mere attempts at subverting an entity’s security; probing, scanning, or unsuccessful phishing attempts would likely not require disclosure. Similarly, denial of service or ransomware attacks that are not significant enough to “disrupt business or industrial operations” would also not require notification.

The language referring to unauthorized access leading to the “loss of confidentiality, integrity or availability” of a system is broad, but mere unauthorized access to an information system or network, without such a loss, would not trigger a report.

Timing

The Act requires that entities report covered cyber incidents within 72 hours after the entity “reasonably believes” that a covered cyber incident has occurred. The 24-hour clock for a ransomware event is triggered by the payment of the ransom, not the timing of the attack itself. In cases where a ransomware attack itself qualifies as a covered cyber incident but the entity does not pay the ransom, the entity will need to disclose within the 72-hour period.

As the Act requires entities to report incidents before completing a full investigation, and then issue follow-up reports, businesses may want to consider further integrating legal and compliance into their security functions. It is likely that this law, and other recent federal government measures requiring certain organizations to report cyber incidents, will necessitate that organizations’ legal counsel and information security personnel work more closely together. (See our Legal Alerts on two recently proposed SEC rules that would require certain organizations to report cyber incidents to the federal government: SEC proposes mandatory cybersecurity disclosures and SEC proposes cybersecurity risk management rules for investment advisers, funds and business development companies.)

Continued reporting

Under the new law, entities must preserve data relevant to the incident and report substantial new or different information as it becomes available, until the entity notifies CISA that the incident has been fully resolved. The report must be detailed and include:

  • A description of the affected systems
  • A description of the unauthorized access
  • The time range during which the entity was affected
  • The impact the entity experienced because of the incident
  • The tactics and vulnerabilities used by the perpetrator and the defenses the entity had in place
  • Identifying information related to the perpetrator
  • Identification of the categories of information accessed
  • The name of the entity and its contact information
  • In the case of a ransomware event, the ransom instructions, the type of payment requested, and the amount and date of the payment

Liability protection

The Act includes liability protection for entities that report an incident to CISA, but it is limited. The Act states that: “No cause of action shall lie or be maintained in any court by any person or entity and any such action shall be promptly dismissed for the submission of a report… that is submitted in conformance with this subtitle…” The report, as well as any “communication, document, material, or other record, created for the sole purpose of preparing, drafting, or submitting” the report, also cannot be introduced into evidence.

The Act, however, limits liability protection to “litigation that is solely based on the submission of a covered cyber incident report or ransom payment report to the Agency.” (Emphasis added.)

Confidentiality

The reports are kept confidential and do not constitute a waiver of any legal rights or privilege as to any information they contain. They are exempt from FOIA requests and any other federal, state or local freedom of information laws that could compel their disclosure.3

Exceptions to reporting requirement

The Act provides an exception for entities that are already required by law, regulation, or contract to report substantially similar information to another federal agency within a similar timeframe, as long as there is an agreement in place between CISA and the other agency.4 State breach reporting obligations and reports to European privacy regulators will likely not trigger the exception, and organizations filing such reports likely will still need to report to CISA.

Conclusion

The Act evidences the federal government’s increasing focus on improving cybersecurity in the US, and the role it wants to have in that process. This is landmark legislation in that it is the first law to require a broadly applicable federal breach notification obligation, territory that has previously been the domain of states and sector specific regulators. It also provides significant additional funding for CISA, further cementing CISA as the lead agency for monitoring and responding to cybersecurity threats to US critical infrastructure. It will be important to monitor the Act as it is refined during the rulemaking process.

_____

1 “the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country”

2 The Act specifically mentions damage that could occur as a result of the actor’s access to vulnerability information or penetration testing tools. The government may be messaging cybersecurity firms to take special care to safeguard these tools and techniques that they provide as part of legitimate cybersecurity services but that could be used maliciously in the wrong hands. In 2020, one cybersecurity firm was breached by the Russian government and its penetration testing tools were captured, raising the concern that an adversary could 1) access powerful new hacking tools and 2) disguise itself to look like a penetration testing team to network defenders.

3 Reports describing covered cyber incidents or ransom payments submitted to the Agency by entities in accordance with section 2242, as well as voluntarily-submitted cyber incident reports submitted to the Agency pursuant to section 2243, shall—

(1) be considered the commercial, financial, and proprietary information of the covered entity when so designated by the covered entity;

(2) be exempt from disclosure under section 552(b)(3) of title 5, United States Code (commonly known as the ‘Freedom of Information Act’), as well as any provision of State, Tribal, or local freedom of information law, open government law, open meetings law, open records law, sunshine law, or similar law requiring disclosure of information or records;

(3) be considered not to constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection; and

(4) not be subject to a rule of any Federal agency or department or any judicial doctrine regarding ex parte communications with a decision making official.

4 Subject to the limitation described in clause (ii), where the Agency has an agreement in place that satisfies the requirements of section 104(a) of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, the requirements under paragraphs (1), (2), and (3) shall not apply to a covered entity required by law, regulation, or contract to report substantially similar information to another Federal agency within a substantially similar timeframe.

© Eversheds Sutherland (US) LLP | Attorney Advertising