The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was enacted in 2022 to protect national security, economic security, and public health and safety. CIRCIA gives the Director of the Cybersecurity and Infrastructure Security Agency (CISA) authority to promulgate rules implementing its reporting requirements. In early April 2024, CISA released a proposed rule (Rule) with two significant requirements: (1) a 72-hour deadline to report covered cyber incidents and (2) a 24-hour deadline to report ransom payments made in connection with ransomware attacks. CISA estimates that the Rule will cost industry roughly $1.4 billion over the next eleven years and will affect more than 316,000 entities. Below is a high-level overview of the Rule, its key requirements, and notable issues contractors may want to consider commenting on by June 3.
Applicability
A covered entity that experiences a “covered cyber incident” will need to submit a report to CISA. The Rule defines a covered entity as an entity in one of the sixteen critical infrastructure sectors that either (1) exceeds the small business size standard for its industry (as specified by the applicable North American Industry Classification System (NAICS) code) or (2) meets one of the Rule’s sector-based criteria. The Rule lists a number of sector-based criteria. One, for example, covers owning or operating critical manufacturing sector infrastructure, such as primary metals, machinery, electrical equipment, appliances, components, and transportation equipment manufacturing. The sector-based criteria apply regardless of size: if one applies to your business, you will need to report to CISA if and when a covered cyber incident occurs or a ransom payment is made.
Covered cyber incidents are:
- occurrences that actually jeopardize, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or that actually jeopardize, without lawful authority, an information system; and
- which lead to any of the following:
1. a substantial loss of confidentiality, integrity, or availability of an information system or network;
2. a serious impact on the safety and resiliency of operational systems or processes;
3. a disruption of an entity’s ability to engage in business or industrial operations, or deliver goods or services; or
4. unauthorized access to information systems or networks caused by (a) the compromise of a cloud service provider, managed service provider, or third-party data hosting provider or (b) a supply chain compromise.
In addition to cyber incident reporting, a covered entity must report to CISA if it makes a ransom payment as a result of a ransomware attack. Ransomware attacks are:
- occurrences that actually or imminently jeopardize, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or that actually or imminently jeopardize, without lawful authority, an information system, and that involve, but need not be limited to:
1. the use or threat of use of (a) unauthorized or malicious code on an information system or (b) another digital mechanism (such as a denial-of-service attack);
2. to interrupt or disrupt the operations of an information system, or to compromise the confidentiality, availability, or integrity of electronic data stored on, processed by, or transiting an information system; and
3. to extort a ransom payment.
Supplemental reports must be submitted promptly if substantial new or different information becomes available, or if the entity makes a ransom payment after submitting its covered cyber incident report. An entity must continue to submit supplemental reports until the covered cyber incident has concluded and has been fully mitigated and resolved.
Reporting Requirements
Covered cyber incidents must be reported within 72 hours after the covered entity reasonably believes the incident occurred, and ransom payments must be reported within 24 hours after the payment has been disbursed. The cyber incident report requires, among other items, a detailed description of the event (including any unauthorized access, the dates of key events, and the impact on operations), the categories of information compromised, the vulnerabilities exploited, and the security defenses in place at the time. The ransom payment report contains much of the same information but adds several items specific to the payment, including, but not limited to, the date of payment, the amount and type of assets used to pay, the ransom demand, the payment instructions, and the outcome of making the payment. A covered entity may designate a third party to submit reports on its behalf; however, the third-party submitter must meet additional requirements, and delegating the task does not relieve the covered entity of its own reporting obligations.
Consequences of Non-Compliance
If the CISA Director has reason to believe a covered entity has failed to report in accordance with the Rule’s requirements, the Director may serve a formal request for information (RFI) on the entity. The RFI will set a deadline by which the entity must submit the requested information. If the entity fails to respond in a timely manner, or its response is determined to be inadequate, the Director may request additional information or compel it by issuing a subpoena. Covered entities that receive a subpoena have certain appeal procedures available to them.
If the Director believes there is a basis for such action, the Director may also forward information submitted in response to a subpoena to the Attorney General for criminal prosecution, or to the head of a regulatory agency for enforcement. Separately, if an entity fails to respond (or responds inadequately) to the subpoena, the Director may refer the matter to the Attorney General to bring a civil action in federal district court to enforce the subpoena. At that point, a court may order compliance and may hold the entity in contempt.
Conclusion
As many businesses are already aware, cybersecurity reporting requirements are scattered throughout the federal government. The Rule introduces new requirements that aim to centralize reporting, reach industries that currently lack established reporting mechanisms, and foster greater data sharing in order to speed incident response and improve corrective action. Limited exceptions to the Rule’s reporting requirements are available to covered entities under CIRCIA agreements between CISA and other federal agencies, i.e., where a covered entity is already required to report substantially similar information to another federal agency within a substantially similar timeframe. CISA has stated that it wants to reduce the overall reporting burden on businesses and has requested comments on how to harmonize the Rule with other reporting requirements and avoid unnecessary duplication.
Another key consideration for affected entities is the Rule’s enforcement mechanisms. Businesses would be wise to involve their attorneys in communications related to a cyber incident, starting from the moment the business has reason to believe an incident occurred. Where counsel is included for the purpose of providing legal advice, attorney-client privilege may be asserted over those communications, which can limit what a business must produce in response to an RFI or subpoena. Note that privilege protects the communications themselves, not the underlying facts of the incident, which remain reportable. PilieroMazza encourages businesses to comment on the Rule; comments are due by June 3, 2024. CIRCIA requires CISA to issue a final rule codifying these reporting requirements by October 2025.