Is Your Company Prepared for the New Cyber Incident Reporting Requirements?

Michael J. Montalbano

Stay up to date by subscribing to our blog. Add your e-mail address to the Subscribe box on the right to get our timely posts delivered directly to your inbox.

On March 11, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The Law includes new reporting requirements for companies who experience cyber incidents or make ransomware payments.

Under the Law, covered entities that experience covered cyber incidents must report the incident to the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours after the covered entity reasonably believes that a covered cyber incident has occurred. Covered entities must also notify CISA within 24 hours of making a ransomware payment.

The new cyber reporting law tasks CISA with creating more precise definitions for who constitutes a “covered entity” and what constitutes a “cyber incident.” Even the general language of the statute, however, provides some guidance for companies.

Is your company a covered entity?

    • Covered Entities. In defining who qualifies as a “covered entity,” Congress instructed CISA to consider three factors:

      (1) Whether the compromise or disruption to the entity could impact national security, economic security, or public health and safety;

      (2) The likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country; and

      (3) Whether the compromise or disruption to the entity will affect critical infrastructure.

      Based on these factors, we can expect organizations in the financial, healthcare, and defense industries to be subject to these reporting requirements.

What qualifies as a covered cyber incident?

    • Covered Cyber Incident. A “covered cyber incident” must “at a minimum” include one or more of the following:

      (1) “substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes”;

      (2) “disruption of business or industrial operations, . . . against an information system or network or an operational technology system or process”; or

      (3) “unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.”

What must be included in a cyber incident report?

    • Cyber Incident Report. The report a covered entity submits must include the following:

      (1) A description of the cyber incident (e.g., affected networks/devices, description of unauthorized access, estimated date range of the incident, impact of the attack);

      (2) A description of the vulnerabilities exploited and security defenses that were in place;

      (3) Identifying information of the actors responsible for the cyber incident (to the extent available);

      (4) A description of the types of information that were accessed;

      (5) Names and identifying information of the entities that were impacted by the attack; and

      (6) Contact information for the covered entity.

Reporting incentives and privacy issues

The Law also provides several incentives for companies to report cyber incidents. For example, companies that submit a report will receive liability protection from “litigation that is solely based on the submission of a covered incident report or ransom payment report.” The report and document and communications created for the “sole purpose” of preparing the report are not discoverable or admissible in other trials or hearings.

The Law also addresses privacy and trade secret concerns raised by the private sector. The Law preserves the trade secret status of any information provided in the report and exempts the report from the Freedom of Information Act or any state or local government equivalent as well as limits the distribution of the report within the federal government.

We expect more updates over the next year as CISA promulgates new rules implementing the Law. In the meantime, companies should continue monitoring these developments and begin to prepare a response plan if they think the Law is likely to apply to their industry.

Leave a Reply

%d bloggers like this: