2022 Omnibus Spending Package Includes New Cybersecurity Incident Reporting Requirements for Critical Infrastructure Companies: How the Law May Affect Your Company

On March 15, 2022, President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act (the Act) into law as part of the $1.5 trillion fiscal 2022 omnibus spending package. The Act will create a mandatory cyber incident reporting regime under the Cybersecurity and Infrastructure Security Agency (CISA). It will require covered critical infrastructure entities to report information about substantial cyber incidents they’ve experienced to CISA within 72 hours, and to report information about ransomware payments they’ve made within 24 hours.

In a statement, CISA Director Jen Easterly called the legislation a “game-changer” and “a critical step forward in the collective cybersecurity of our nation.”^[1] “CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure,” Easterly said. “This information will fill critical information gaps and allow us to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.”^[2]

Background

Many companies have generally been reluctant to notify federal agencies of cyber incidents and ransomware payments, citing concerns over potential litigation from investors and potential investigations by federal or state regulators.^[3] However, cybersecurity experts have long been advocating for reporting requirements, especially in the wake of the 2020 supply chain attacks on SolarWinds and a relentless surge of ransomware attacks on various critical infrastructure entities, including Colonial Pipeline, which suffered an attack in May 2021 that shut down its operations and cut off a large portion of the East Coast’s fuel supply.^[4]

The same cyber incident reporting requirements were originally included in the annual defense policy bill enacted late last year, but were stripped from the final version.^[5] Legislative efforts to strengthen U.S. cybersecurity preparedness and response have gained urgency in recent weeks, prompted by concerns over potential Russian-directed cyberattacks against U.S. critical infrastructure in retaliation for U.S. support of Ukraine during Russia’s military invasion of the country.^[6] In February, CISA issued a “Shields Up” advisory to U.S. organizations, urging them to adopt heightened vigilance to cybersecurity, etc.^[7] Earlier in March, the Senate passed the Strengthening American Cybersecurity Act, which included the same incident reporting provisions, by unanimous consent.^[8]

House lawmakers since included the reporting requirements in the fiscal 2022 omnibus appropriations bill, which the Senate passed earlier this month and President Biden signed on March 15, 2022.^[9]

Which Entities Are Covered

The Act charges CISA with issuing a final rule clearly describing which entities are covered, but requiring that they be entities in a critical infrastructure sector, as defined in Presidential Policy Directive 21.^[10] That federal government policy identifies 16 broad groups as critical infrastructure sectors, including communications, energy, financial services, food and agriculture, health care and public health, and transportation, among others.

Additionally, the Act requires CISA’s description of covered entities to be based on (A) how an entity’s disruption or compromise would impact “national security, economic security, or public health and safety”; (B) the likelihood of an entity being targeted by a malicious cyber actor; and (C) the extent to which a cyberattack on an entity would disrupt the reliable operation of critical infrastructure.

What the Act Requires

Under the incident reporting requirements contained in the Act, critical infrastructure entities must report details of covered cyber incidents to CISA within 72 hours of a “reasonable belief” that such incidents have occurred.

The Act directs CISA to issue a final rule further defining and clearly describing the term “covered cyber incident,” but the term will include any substantial cyber incident actually experienced by a covered entity, rather than mere threats or failed attacks. At a minimum, an incident must involve one of the following to be covered:

(i) A cyber incident that leads to substantial loss of confidentiality, integrity or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes

(ii) A disruption of business or industrial operations, including due to a denial of service attack, ransomware attack or exploitation of a zero day vulnerability, against (1) an information system or network or (2) an operational technology system or process

(iii) Unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, a managed service provider or another third-party data-hosting provider, or by a supply chain compromise.

The Act also calls for CISA to provide a clear description of the specific contents of a cyber incident report as part of its final rule, but states that any report must include a description of the covered cyber incident (including a description of the affected systems, unauthorized access, estimated date range of the incident and impact to operations); a description of the vulnerabilities exploited and the security defenses that were in place, as well as the tactics, techniques and procedures used by the perpetrators; any available information about the responsible actors; identification of the categories of information that were accessed or acquired; and identification and contact information for the affected entity.

Covered entities will also need to report to CISA within 24 hours of making a ransomware payment, pursuant to the final rule in which CISA will provide a clear description of the specific required contents. Those reports must at least include a description of the ransomware attack, including the estimated date range of the attack; a description of the vulnerabilities, tactics, techniques and procedures used to perpetrate the attack; identifying information related to the responsible actors; identification and contact information for the affected entity; the date and amount of the ransom payment; and details of the ransom payment demand and instructions.

The procedures for submitting reports will also be further spelled out in CISA’s final rule, along with other requirements that companies provide CISA with supplemental reports containing updated information about incidents up until they have concluded or been resolved, and that companies preserve information regarding cyber incidents and ransomware payments.

The Act allows covered entities to use third parties, including service providers or law firms, to submit their required reports.

The Act will also require CISA to analyze and share anonymized information from the reports to provide other federal agencies, Congress and the public with an updated view of the landscape of cyber incidents and ransomware payments, including potential vulnerabilities and the most recent tactics used by malicious actors. When it receives a report about a cyber incident that is connected to an ongoing cyber threat or security vulnerability, CISA must use the report to “identify, develop, and rapidly disseminate to appropriate stakeholders actionable, anonymized cyber threat indicators and defensive measures.” CISA will also be required to publish quarterly unclassified, public reports that describe aggregated, anonymized observations, findings and recommendations based on the reports it receives. Whenever making information provided in reports available to critical infrastructure owners and operators and the general public, CISA will be required to anonymize the victim who reported the information.

Finally, under the Act, CISA’s director must establish (1) within a year of enactment, a ransomware vulnerability warning pilot program that would identify information systems that contain security vulnerabilities associated with common ransomware attacks and notify owners of those vulnerable systems of their security vulnerability, and (2) within 180 days of enactment, a Joint Ransomware Task Force — in consultation with the national cyber director, the attorney general and the director of the FBI — to coordinate an ongoing nationwide campaign against ransomware attacks, and identify and pursue opportunities for international cooperation.

Implications

The Act will provide some protections for submitting reports to encourage compliance. For example, the Act includes a prohibition on the use of information about covered cyber incidents or ransom payments obtained through the reports in federal or state regulatory actions. In addition, the Act prohibits causes of action in any court against any person or entity on the sole basis of submitting a report in compliance with the law.

Noncompliance with the reporting requirements can result in a civil lawsuit. Covered entities that fail to report cyber incidents or ransomware payments will initially be subject to subpoena by the director of CISA to compel disclosure of information. If a covered entity then fails to comply with a subpoena, the director may refer the matter to the U.S. attorney general to bring a civil action to enforce the subpoena. Entities that fail to comply with such subpoenas may be found in contempt of court.

Given the breadth of potentially covered critical infrastructure entities, the new reporting requirements will eventually impose new obligations on many companies operating in the United States that suffer cyber incidents and make ransomware payments. However, the requirements will not take effect immediately. First, the reporting program must be finalized through the federal rulemaking process and CISA must issue a final rule. The Act directs CISA to publish a notice of proposed rulemaking within 24 months and issue a final rule within 18 months after that. All in all, that means that these new reporting requirements may not be in effect for several years. Still, companies in critical infrastructure sectors should assess their plans for responding to cybersecurity incidents and consider updating them in light of the upcoming reporting requirements.

Companies should also be aware of the patchwork of federal and state reporting requirements to which they may already be subject. For example, the HIPAA breach notification rule requires “HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.”^[11] And in November 2021, federal bank regulatory agencies approved a final rule requiring banking organizations to notify regulators of “any significant computer-security incident” as soon as possible and no later than 36 hours after a determination that such an incident occurred (see our prior alert). Most recently, earlier this month, the SEC proposed new rules that would require public companies to disclose material cybersecurity incidents within four business days after determining the incident is material (see our alert).

The Act directs CISA to consider similar existing federal incident reporting requirements and make efforts to harmonize them with its own reporting requirements through the creation of an intergovernmental Cyber Reporting Council. In addition, it allows CISA to enter into agreements with other federal agencies through which those other agencies would be required to share the cyber incident reports they receive with CISA, in which case covered entities would be exempted from reporting substantially similar information separately to CISA. Companies could nevertheless face overlapping and varying reporting requirements in the future.

^[1] _{Statement from CISA Director Easterly on the Passage of Cyber Incident Reporting Legislation, CISA (March 11, 2022), https://www.cisa.gov/news/2022/03/11/statement-cisa-director-easterly-passage-cyber-incident-reporting-legislation.}

^[2] _Id.

^[3] _{David Jones, Congress Adds Historic Cyber Incident Reporting Rule to Massive $1.5 Trillion Spending Package, Utility Dive (March 15, 2022), https://www.utilitydive.com/news/congress-cyber-incident-reporting-legislation/620403.}

^[4] _Id.

^[5] _{Martin Matishak, Democrats Accuse GOP of Scuttling Incident Reporting in Massive Defense Bill, Record (Dec. 7, 2021), https://therecord.media/democrats-accused-gop-of-scuttling-incident-reporting-in-massive-defense-bill.}

^[6] _{Press release, Senate Passes Peters & Portman Landmark Provision Requiring Critical Infrastructure to Report Cyber-Attacks as Part of Funding Bill, S. Comm. on Homeland Sec. & Governmental Affs. (March 11, 2022), https://www.hsgac.senate.gov/media/majority-media/senate-passes-peters-and-portman-landmark-provision-requiring-critical-infrastructure-to-report-cyber-attacks-as-part-of-funding-bill-.}

^[7] _{Shields Up, CISA, https://www.cisa.gov/shields-up (last visited March 15, 2022).}

^[8] _{Strengthening American Cybersecurity Act, S. 3600, 117th Cong. (2022).}

^[9] _{Cyber Incident Reporting for Critical Infrastructure Act, H.R. 2471, Div. Y, 117th Cong. (2022).}

^[10] _{See Presidential Policy Directive — Critical Infrastructure Security and Resilience (Feb. 12, 2013), https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.}

^[11] _{U.S. Dep’t of Health & Hum. Servs., Breach Notification Rule, https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html (last visited March 15, 2022).}