April.15.2022
The Cybersecurity and Infrastructure Security Agency (“CISA”) released a “Sharing Cyber Event Information” Fact Sheet on April 7 that may preview its implementation of the new federal government cyber incident reporting requirement signed into law on March 15, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Section Y within the Consolidated Appropriations Act). Many key details of the reporting requirement are subject to future rulemaking by CISA, including the critical infrastructure organizations to which the reporting requirements will apply; what cyber incidents must be reported (i.e., “substantial” cybersecurity incidents); what information critical infrastructure organizations will have to report; and the mechanics of submitting the reports. The critical infrastructure industry has time to prepare, as the reporting requirement will not take effect until the rulemaking process has been completed, although CISA encourages voluntary reporting now. Although the proposed rules are required to be issued within 24 months, with the final rule due 18 months thereafter, organizations should anticipate that CISA will move more quickly, and that the final rule could be issued as soon as early 2023.
The statute provides a framework that gives a picture of what can be expected when the reporting requirement becomes mandatory. While CISA has not yet started the rulemaking process, the CISA Fact Sheet provides recommendations for voluntary reporting starting now.
| | Cyber Incident & Ransom Payment Reporting Framework (the Act) | CISA Fact Sheet (voluntary reporting) |
|---|---|---|
| Who Has to Report? | Entities that operate in a critical infrastructure sector[1]. Covered entities may use a third party to submit the required report. | Critical Infrastructure Owners and Operators (this term is not defined in the Fact Sheet, but CISA’s existing guidance defines Critical Infrastructure Sectors as the 16 sectors identified in Presidential Policy Directive 21, which mirrors the Act); Federal, State, Local, Territorial, and Tribal Government Partners. |
| What Events Have to Be Reported? | Substantial cyber incident: the occurrence of “substantial” cyber incidents[2], including: Ransom payment: the payment of ransom as the result of a ransomware attack. | |
| What Details Have to Be Reported? | Substantial cyber incident: details may include[3]: Ransom payment: details required for a ransom payment[4]: | |
| When Does It Have to Be Reported? | Substantial cyber incident: within 72 hours from when the entity “reasonably believes” that a “substantial” cyber incident has occurred. Ransom payment: within 24 hours of making a ransom payment. Prompt updates or supplemental reports are required if “substantial new or different information becomes available,” up until the Agency is notified that the covered incident has been fully mitigated and resolved. | CISA encourages reporting “quickly” so information can be used to “render assistance and provide a warning to prevent other organizations and entities from falling victim to a similar attack.” |
| Where Does It Have to Be Reported? | To CISA via a user-friendly web-based form.[5] | Send an email to [email protected]; or use CISA’s Incident Reporting Form if you are a Federal or Critical Infrastructure partner that has completed one previously; or send phishing email to [email protected]. |
The statute also imposes a duty to preserve data relevant to the covered incident or ransom payment in accordance with the final rule.
The Act includes an enforcement mechanism, which is new to CISA: the agency previously had neither relevant enforcement powers nor subpoena powers, and it now gets both. Specifically, if the CISA Director has reason to believe that a covered entity failed to submit a required report, the Director may obtain information about the covered cyber incident or ransom payment by engaging the covered entity directly. If after 72 hours no response or an inadequate response is received, CISA may seek the information via a subpoena. If an entity fails to comply with a subpoena, CISA can refer the matter to the Attorney General to bring a civil action. The enforcement action and subpoena powers do not apply to covered entities that are State, local, Tribal or territorial government entities.
If the Director determines that information provided in response to a subpoena may constitute grounds for a regulatory or criminal action, then the Director may provide such information to the Attorney General or head of the applicable regulatory agency. By contrast, the information contained in a voluntary report or in response to direct inquiry from CISA cannot be used as the basis for such actions.
Information received in the reports will be processed and shared by CISA with a number of different groups.
Federal Government: Within 24 hours of receiving a report, CISA will need to make the information available to “appropriate Sector Risk Management Agencies and other appropriate federal agencies.” This interagency sharing is subject to specific requirements to be set by the President, including which agencies are to be included in the information sharing. The FBI and Department of Justice, which had been vocal in their frustration about not being included as direct report recipients, are likely to be provided with reports through this provision. Information from the reports can also be shared with federal departments and agencies to identify and track ransom payments. CISA will provide a monthly briefing to congressional leadership regarding the national cyber threat landscape.
Information Sharing Groups: Anonymized information about context, threat indicators, and defensive measures will be shared with information sharing cyber groups, such as state and local governments, cyber incident response firms, and security researchers.
Critical Infrastructure Owners and Operators: Reported information can be shared, on a voluntary basis, between relevant critical infrastructure owners, particularly where such information relates to ongoing threats, a security vulnerability, or mitigation techniques that may allow entities to prevent cyber incidents.
General Public: CISA can use information from significant incidents, including ransomware attacks, to “identify and disseminate ways to prevent or mitigate similar incidents in the future.” A public, unclassified report will be published quarterly with “aggregated, anonymized observations, findings and recommendations.”
The Act provides for protection of the reported information in a variety of contexts. There is a prohibition on the use of information obtained solely through reports submitted under the Act to regulate the reporting entity. The submission of a report cannot serve as the basis for a cause of action. Reports and documents relating to their preparation, drafting, or submission are not subject to discovery and cannot be received into evidence in a trial or proceeding. Reporting will not constitute a waiver of any applicable privilege or protection provided by law. Information in a report can be designated as commercial, financial, and proprietary information of the covered entity. Reports will not be subject to Freedom of Information Act requests or any other public disclosure provision.
While CISA has not formally begun the rulemaking process that will make the reporting provisions mandatory, organizations should immediately.
Orrick’s Cyber, Privacy, & Data Innovations team is ready to assist critical infrastructure entities in reviewing their cyber security programs in light of this announced reporting framework and designing practical, forward-thinking strategies to aid with reporting compliance.