President Biden Signs Cyber Incident Reporting for Critical Infrastructure Act
New Act will require critical infrastructure sector entities to report cyber incidents within 72 hours and report notice of ransom payments within 24 hours.
On March 15, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the "Act"), creating new requirements for organizations operating in critical infrastructure sectors to report to the federal government certain cyber incidents and related ransom payments. The Act is part of the Consolidated Appropriations Act, 2022 (H.R. 2471). This Act reflects a renewed regulatory focus on cybersecurity risks as cyber threats intensify.
The Act requires organizations operating in critical infrastructure sectors to:
- Report "substantial" cyber incidents to the Cybersecurity and Infrastructure Security Agency ("CISA") within 72 hours after the entity reasonably believes the incident occurred.
- Provide reports to CISA of substantial new or different information that becomes available until the incident has concluded and been fully mitigated and resolved.
- Report ransom payments to CISA within 24 hours after making the ransom payment.
- Preserve data related to cyber incidents or ransom payments in accordance with procedures to be established by CISA.
The Act applies to entities in critical infrastructure sectors as defined in Presidential Policy Directive 21, which identifies 16 sectors including communications, critical manufacturing, energy, financial services, healthcare, and information technology. The law requires CISA to initiate a rulemaking to define the scope of entities and types of cyber incidents that are subject to the law and to develop other details for implementation. CISA must issue a notice of proposed rulemaking within 24 months, and issue a final rule within 18 months of issuing the proposed rule. The Act will not become effective until the final rule is issued.
Under the Act, the CISA director has authority to issue subpoenas to compel compliance with reporting requirements and may refer matters to the attorney general to bring civil actions enforcing subpoenas. Courts may hold organizations who fail to comply in contempt of court. Such matters can also be referred for criminal prosecution.
Companies in critical infrastructure industries should closely monitor forthcoming rules and guidance from CISA to determine whether the law applies to them. If applicable, the law will provide very short timeframes for reporting compliance. To meet these requirements, as well as to meet other potentially applicable reporting requirements, companies should review and update their incident response policies and procedures to facilitate prompt escalation and enterprise-level responses to ransomware attacks and significant cyber incidents.