President Biden has recently delivered on a long-stated priority of his presidency: requiring the disclosure of cyber security incidents by companies that operate critical infrastructure. After an executive order in May 2021 aimed at modernizing the federal government’s cybersecurity practices, similar sweeping changes will now affect private companies that operate critical infrastructure. At the time of the executive order, some noted that the recent string of high-profile ransomware attacks was leading to a bipartisan effort to require disclosure of such incidents by those affected in the private sector. Indeed, Congress has acted quickly in codifying disclosure requirements for those that operate critical infrastructure.
Incorporated into the Consolidated Appropriations Act of 2022, the Cyber Incident Reporting for Critical Infrastructure Act (the “Act”) will require covered entities that reasonably believe they have experienced a “covered cyber incident” to file a report with the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours. Further, in the event that a covered entity makes a ransomware payment as a result of a ransomware attack, it must report the payment to CISA within 24 hours. Supplemental reports to CISA are also required in the event that the covered entity becomes aware of substantial new or different information.
Who is Covered
As previously noted, the Act will require covered entities to alert CISA when they suspect that they have been the victim of a covered cyber incident. The Act defines a covered entity as “an entity in a critical infrastructure sector, as defined in Presidential Policy Directive 21.” Presidential Policy Directive 21 (the “Directive”) refers to a directive from 2013 pertaining to the security and resilience of critical infrastructure. The Directive defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” This broad definition can affect large swaths of the private sector, from energy production to banking.
Further, the Act requires the disclosure of covered cyber incidents, which are defined as “a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the Director in the final rule issued pursuant to section 2242(b)”. While the Act leaves it to the Director of CISA to determine what types of incidents will require notification, it provides some general guidance. At a minimum, the final rule will require the disclosure of a cyber incident that:
- leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes;
- disrupts the business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero day vulnerability, against (1) an information system or network; or (2) an operational technology system or process; or
- results in the unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.
Following the enactment of the Act, the Director of CISA will issue a notice of proposed rulemaking within 24 months. A final rule will then be adopted within 18 months following the notice of proposed rulemaking. Ultimately, these rules will outline in greater detail both what qualifies as a covered entity and a covered cyber incident.
Complying with the Act
The main purpose of the Act is to collect data on cyber security incidents. To that end, the only major change from the status quo as a result of this Act is that reports regarding incidents and ransomware payments must be made to CISA. In the event that the Director suspects that a covered entity has been the victim of a cyber security incident, she may request that a report be filed by that entity within 72 hours. Similarly, in the event that the Director becomes aware that a ransomware payment has been made by a covered entity without a report being filed, she may request that one be filed within 24 hours. Failure to respond to the Director’s request for either report could result in a referral to the Attorney General for civil penalties.
However, because the Act is merely a means to track and document cyber security incidents, the responses by covered entities can largely remain the same. Thus, while the Act requires disclosures, it still permits covered entities to engage third parties to conduct investigations. This includes engaging a third party to conduct ransomware negotiations.
This shift in legal requirements for critical infrastructure represents a concerted effort by numerous actors in government to provide systems that can be used to track cyber security incidents. While this does not affect all private sector entities, all businesses should be aware of this trend. What started as an executive order less than a year ago has evolved into mandatory reporting for companies that operate critical infrastructure. Since threat actors do not limit their attacks solely to critical infrastructure, it is entirely plausible that future legislation could be enacted to reach other areas of the private sector.
Because of this, all businesses, both those involved in critical infrastructure and those that are not, should take note of these trends. Ensuring that data is properly protected and that proper IT controls are established, such as two-factor authentication, can significantly reduce the likelihood of cyber security incidents occurring. Further, establishing strong response plans that are regularly reviewed and updated can help limit the fallout associated with such incidents. A full list of recommended courses of action was previously explored in this article.