The US Cyber Incident Reporting Act – its impact and its requirements for Critical Infrastructure Entities


US Congress passes ground-breaking new law with onerous requirements on cyber incident reporting.

Here’s what you need to know:

The Cyber Incident Reporting for Critical Infrastructure Act[1] was approved by a unanimous vote of the US Senate on March 10th, 2022 and signed into law by President Joe Biden on March 15th, 2022. It is considered the most momentous cyber legislation to pass the US Senate since 2015.

Under this law, critical infrastructure entities[2] (including: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food & agriculture; government facilities; healthcare & public health; information technology; nuclear reactors, materials & waste; transportation systems; water & wastewater systems; and federal agencies) are statutorily required to report ‘significant cyber incidents’ to the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”)[3] within 72 hours of any incident and, further, within 24 hours of any ransomware payment being made.

At a minimum, reports to CISA must include: a description of the covered cyber incident; a description of the tactics, techniques, and procedures (TTPs) used to exploit vulnerabilities, and the vulnerabilities exploited; any information that could assist in identifying the malicious actor; and the contact information of the impacted, reporting entity. Further, if any ransomware payment was made, the report to CISA must also include the date of the ransom payment, the ransom demand and payment instructions (including the type of currency requested), and the amount of the ransom payment made.

The precise definition of a “covered cyber incident”[4] will be set out in forthcoming CISA regulations, but at a minimum it covers any occurrence that, without legal authority, actually jeopardizes the integrity, confidentiality, or availability of data on an information system, or of an information system itself, and which includes: “a cyber incident that leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes”; “a disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero day vulnerability”[5]; and “unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.”

CISA has previously been applauded for publishing guidance and recommendations on responding to ransomware attacks, including tips for detecting potential intrusions and general best practices for cyber protection. The new law establishes CISA as the central US agency for information on cyber incidents, and further strengthens its role in combating them by mandating that CISA launch a Ransomware Vulnerability Warning Pilot Program, a Cyber Incident Review Center, and a Joint Ransomware Task Force.

This legislation requires organizations to be better equipped to manage their vulnerabilities, so that they can defend against, detect, respond to, and remediate cybersecurity threats: organizations must properly scrutinize their existing cyber defences, bolster those efforts, and harden their existing cyber incident response plans. The legislation is a significant step forward for the collective cybersecurity of the US.

As yet another sign of the times, and a word to the wise: all companies should begin considering larger investments in their cyber infrastructure in order to ensure compliance with the requirements set forth in the Act.

Author: Luna de Lange

References

[1] H.R.5440 – Cyber Incident Reporting for Critical Infrastructure Act of 2021, accessible here: H.R.5440 – 117th Congress (2021-2022): Cyber Incident Reporting for Critical Infrastructure Act of 2021 | Congress.gov | Library of Congress

[2] Presidential Policy Directive — Critical Infrastructure Security and Resilience: PPD-21, accessible here: Presidential Policy Directive — Critical Infrastructure Security and Resilience | whitehouse.gov (archives.gov)

[3] Cybersecurity and Infrastructure Security Agency (CISA), webpage accessible here: Homepage | CISA

[4] The Act requires the disclosure of covered cyber incidents, defined as “a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the Director in the final rule issued pursuant to section 2242(b)” of the Presidential Policy Directive — Critical Infrastructure Security and Resilience: PPD-21, accessible here: Presidential Policy Directive — Critical Infrastructure Security and Resilience | whitehouse.gov (archives.gov)
