Privacy In Focus®
Late 2021 and early 2022 have been full of federal government activity related to cybersecurity incident reporting. Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 to require mandatory reporting by critical infrastructure of substantial cyber incidents and ransomware payments within tight timeframes. The U.S. Securities and Exchange Commission (SEC) just proposed new cybersecurity rules for publicly traded companies to enhance and standardize public cybersecurity disclosures. These proposals come on the heels of Security Directives from the Transportation Security Administration (TSA), which imposed mandatory reporting on the rail and pipeline sectors. The new cyber incident reporting legislation, as well as certain previous mandates, requires reporting cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within the U.S. Department of Homeland Security (DHS).
Many private sector entities are wondering how these mandates relate to each other, whether they overlap, and how the information required may differ. Public companies in critical infrastructure may face multiple reporting obligations, with different triggers and different timelines. Wiley has repeatedly advised that the government is increasingly requiring the private sector to enhance cybersecurity through these disclosure obligations and cyber incident reporting mandates. Wiley has also been advising clients to implement sound cybersecurity risk management processes now as we help them navigate these new legal and regulatory challenges.
As companies try to anticipate their obligations, they should pay careful attention to the government’s deadlines and reporting requirements and seek to avail themselves of available liability or disclosure protections where possible. Many in the private sector have been providing information to DHS under the Cybersecurity Information Sharing Act of 2015, which afforded protections to certain information voluntarily shared under the Act. Wiley recommends that cybersecurity incident response plans and crisis management plans be updated to expressly account for new government reporting obligations, available protections, and deadlines.
Private sector entities may want to urge policymakers to simplify and deconflict reporting obligations, particularly while the SEC and DHS engage in rulemaking for cybersecurity incident reporting. As the private sector seeks to understand the rapidly shifting landscape of reporting and disclosure obligations involving cybersecurity incidents, ransomware attacks, and data breaches, the chart below contains a useful summary of key attributes of new and proposed reporting in the Cyber Incident Reporting for Critical Infrastructure Act of 2022, the SEC’s proposed cybersecurity rules for publicly traded companies, and the currently applicable TSA Security Directives. Subsequent rulemaking (with an opportunity for public comments) will further define these obligations.
* Entities in the 16 critical infrastructure sectors currently include: chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, health care/public health, information technology, nuclear reactors/materials/waste, transportation, and water/wastewater systems.
© 2022 Wiley Rein LLP