
Mandatory Cybersecurity Incident Reporting: The Beginning of a New Era for Businesses | Bradley Arant Boult Cummings LLP

A significant change in cybersecurity compliance is coming, and organizations must prepare for it. Starting in 2024, organizations will face new requirements to report cybersecurity incidents and ransom payments to the federal government. This change stems from the U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency’s (CISA) Notice of Proposed Rulemaking (NPRM). This notice aims to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Essentially, this means that “covered entities” must report certain cyber incidents and ransom payments to CISA within specified time periods.

Background

In March 2022, President Joe Biden signed CIRCIA into law. This was a major step towards improving American cybersecurity. The law requires CISA to issue and enforce regulations requiring covered entities to report cyber incidents and ransom payments. The goal is to help CISA quickly assist victims, analyze trends across different sectors, and share important information with network defenders to prevent further potential attacks.

The proposed rule will be open for public comment until July 3, 2024. After that period, CISA will have 18 months to finalize the rule. The expected implementation date is October 4, 2025. The rule should be effective in early 2026. This document provides an overview of the NPRM and highlights key points from the detailed notice in the Federal Register.

Cyber incident reporting initiatives

CIRCIA contains several key requirements for mandatory reporting of cyber incidents:

  • Requirements for reporting cyber incidents – CIRCIA requires CISA to develop rules requiring covered entities to report all covered cyber incidents within 72 hours of the time the entity reasonably believes the incident occurred.
  • Distribution of nationwide incident reports – Any Federal agency that receives a report of a cyber incident after the effective date of the final rule must forward that report to CISA within 24 hours. CISA must also make information received under CIRCIA available to designated Federal agencies within the same time period.
  • Cyber Incident Reporting Council – The Department of Homeland Security (DHS) must establish and manage an intergovernmental cyber incident reporting council to coordinate, avoid conflicts, and harmonize federal cyber incident reporting requirements.

Ransomware initiatives

CIRCIA also authorizes or commissions several initiatives to combat ransomware:

  • Reporting obligations for ransom payments – CISA must develop regulations that require affected companies to notify CISA within 24 hours of paying a ransom resulting from a ransomware attack. These reports must be shared with federal agencies in a similar manner to cyber incident reports.
  • Ransomware vulnerability warning pilot program – CISA must establish a pilot program to identify systems vulnerable to ransomware attacks and may notify the owners of those systems.
  • Joint Ransomware Task Force – CISA has announced the creation of the Joint Ransomware Task Force to build on existing efforts to coordinate a nationwide campaign against ransomware attacks. This task force will work closely with the Federal Bureau of Investigation and the Office of the National Cyber Director.

Scope

The regulation targets many “covered entities” within critical infrastructure sectors. CISA clarifies that “covered entities” include more than just owners and operators of critical infrastructure systems and facilities. Entities actively engaged in these sectors may be considered “in this sector” even if they do not themselves constitute critical infrastructure. Entities unsure of their status are encouraged to contact CISA.

Critical infrastructure sectors

The CISA interpretation covers companies within any of the 16 sectors defined in Presidential Policy Directive 21 (PPD 21). These sectors include chemicals, commercial facilities, communications, critical manufacturing, dams, defense industries, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors, materials and waste, transportation systems, and water and wastewater systems.

Covered entities

CISA aims to include small businesses that own and operate critical infrastructure by establishing additional sector-based criteria. The proposed rule applies to organizations that fall into one of two categories:

  1. Companies operating in critical infrastructure sectors that are not small businesses under the applicable size standard
  2. Companies in critical infrastructure sectors that meet sector-specific criteria, even if they are small businesses

Size-based criteria

The size-based criteria use Small Business Administration (SBA) standards that vary by industry and are based on annual revenue and number of employees. Companies in critical infrastructure sectors that exceed these thresholds are “covered entities.” The SBA standards are updated regularly, so companies need to stay informed of the current thresholds that apply to their industry.

Sector-specific criteria

The sector-based criteria target essential entities within a sector, regardless of size, based on the potential consequences of a disruption. The proposed rule outlines specific criteria for nearly all 16 critical infrastructure sectors. For example, in the information technology sector, the criteria include:

  • Companies that provide IT services to the federal government
  • Companies that develop, license or maintain critical software
  • Manufacturers, suppliers or integrators of hardware or software for operational technologies
  • Companies active in the field of election-related information and communication technology

In the health and public health sector, the criteria include:

  • Hospitals with 100 or more beds
  • Critical access hospitals
  • Manufacturers of certain medicinal products or medical devices

Covered cyber incidents

Covered entities must report “covered cyber incidents,” which include a substantial loss of confidentiality, integrity, or availability of an information system; a serious impact on the safety and resilience of operational systems and processes; a disruption of business or industrial operations; and unauthorized access resulting from a third-party vendor compromise or supply chain breach.

Significant incidents

This definition covers significant cyber incidents regardless of their cause, including third-party attacks, denial-of-service attacks, and vulnerabilities in open source code. However, threats of disruption and activities performed at the request of the owner or operator are not included. Significant incidents include encryption of core systems, exploits that cause extended downtime, and ransomware attacks on industrial control systems.

Reporting obligations

Covered entities must report covered cyber incidents to CISA within 72 hours of reasonably believing that an incident has occurred. Reports must be submitted via a web-based CIRCIA Incident Reporting Form on the CISA website and must include comprehensive details of the incident and any ransom payments.

Report types and schedules

  • Covered cyber incident reports, within 72 hours of the entity reasonably believing that a covered cyber incident has occurred
  • Ransom payment reports, within 24 hours of a ransom payment being made in response to a ransomware attack
  • Joint reports, within 72 hours, where a ransom payment is made in connection with a covered cyber incident before the incident report is due
  • Supplemental reports, within 24 hours of substantial new information becoming available or an additional ransom payment being made

Covered entities must retain the data used to prepare the reports for at least two years. They may authorize third parties to submit reports on their behalf, but they remain responsible for compliance.

Exceptions for similar reports

Covered entities may be exempt from CIRCIA reporting if they have already reported to another federal agency, provided there is an agreement between CISA and that agency. This agreement must ensure that reporting obligations are substantially the same and the agency must share information with CISA. Federal agencies that report to CISA under the Federal Information Security Modernization Act (FISMA) are exempt from CIRCIA reporting.

These agreements are still under development, and companies reporting to other federal agencies should stay informed of their progress to understand how they impact their reporting obligations under CIRCIA.

Enforcement and penalties

The CISA Director may issue a Request for Information (RFI) if a covered entity fails to submit a required report. Failure to comply may result in civil action or court orders, including penalties such as suspension and debarment and restrictions on future government contracts. False statements in reports may result in criminal penalties.

Information protection

CIRCIA protects reports and RFI responses, including immunity from enforcement actions based solely on the submission of a report and protection from disclosure and use in legal proceedings. Reports are exempt from disclosure under the Freedom of Information Act (FOIA), and companies may designate reports as “commercial, financial, and proprietary information.” Information may be shared with federal agencies for cybersecurity purposes or in response to certain threats.

Insights for businesses

Although the rule will not take effect until late 2025, companies should begin preparing now. Companies should review the proposed rule to determine whether they qualify as covered entities and understand the reporting requirements, and then adjust their security programs and incident response plans accordingly. Creating a regulatory reporting chart can help track the various incident reporting requirements that apply to the organization. Proactive measures, and possibly formal comments on the proposed rule, can ease compliance once the regulations are finalized.

These steps are intended to help companies prepare for CIRCIA. However, each company must evaluate its own needs and processes in its specific operational, business and regulatory context.