
DHS CISA proposes rule to expand cyber incident reporting

The proposed rule defines the “critical infrastructure sector” as “financial services,” meaning banks, registered broker-dealers, and similar service providers would be subject to the rule. However, companies that are already required to report cybersecurity breaches to other federal agencies – such as the U.S. Securities and Exchange Commission or the Federal Trade Commission – would be exempt from the reporting requirement under the proposed rule. The proposed rule implements the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). CISA expects to publish a final rule by the end of 2025, with the reporting requirement expected to begin in 2026.

CISA estimates that the proposed rule could affect more than 300,000 companies, which CISA estimates will file more than 200,000 CIRCIA reports over the 11-year analysis period, at a cost to the industry of $1.4 billion.

Covered cyber incidents

Importantly, not all cyber incidents need to be reported. Under the proposed rule, covered companies would have to report only “significant” cyber incidents. For example, network traffic overload, malware downloads that antivirus software successfully blocks, and successful phishing attempts against individual users are not, by themselves, considered “significant.”

A “significant” cyber incident is any event that results in any of the following:

  • A significant loss of confidentiality, integrity, or availability of a covered entity’s information system or network.
  • A serious impact on the security and resilience of a covered entity’s operational systems and processes.
  • A disruption in the ability of a covered entity to carry on business or industry or to supply goods or services.
  • Unauthorized access to a covered entity’s information system or network, or nonpublic information contained therein, enabled or caused by the compromise of a cloud service provider, managed service provider, other third-party data hosting provider, or supply chain compromise.

Examples of significant cyber incidents include a distributed denial-of-service (DDoS) attack that renders a service unavailable for an extended period, a cyber incident that encrypts business or information systems (such as ransomware), or unauthorized access to an information system or network.

Compliance requirements

Covered companies would be required to:

  • Report significant cyber incidents within 72 hours after the entity has reasonable grounds to believe an incident has occurred, and completed ransom payments within 24 hours, using the web-based CIRCIA Incident Reporting Form available on the CISA website.
  • Describe the incident and the perpetrator, the vulnerabilities exploited, how the incident was carried out, and what security precautions and mitigation measures the affected entity has taken.
  • Retain data and records related to a covered incident or ransom payment for at least two years after the report was, or should have been, submitted to CISA.

Failure to comply with reporting requirements may result in referral to the Attorney General for civil action or, in the case of knowing and willful violations, criminal penalties under 18 USC §1001 for making false or fraudulent statements.

Takeaway

If the rule is adopted substantially as proposed, financial services firms will need to update their cybersecurity programs so that they can meet CISA’s reporting requirements in the event of a cyber incident. Although larger firms likely already have robust cybersecurity programs that can satisfy a reporting requirement, Congress’s motive behind the requirement is to better track the evolving nature of cyberattacks across a broader group of covered entities.

ArentFox Schiff attorneys assist information security personnel as they review their cybersecurity and compliance programs, assess their vulnerabilities and risks, and implement additional programs or controls to mitigate risks and ensure full compliance with applicable legal and reporting obligations.

Additional research and writing by Jacob Blais, a summer intern in 2024.