On March 15, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act (Act). Many outlets reporting on the Act focused on its 72-hour breach notification requirement. But such reports created uncertainty over the Act’s application and requirements, as well as the steps an organization should take in response to the Act.

To help resolve this uncertainty, we’ve distilled the Act into four main parts: (1) to whom it applies; (2) what it requires; (3) what is left unresolved; and (4) what immediate, practical steps organizations should take as a result.

To Whom Does the Act Apply?

The Act applies to entities in the critical infrastructure sector. There is no set definition for what constitutes an entity in the critical infrastructure sector, but the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (Agency) lists 16 critical infrastructure entities by sector:

1. Chemical sector includes entities that manufacture, store, use, and transport potentially dangerous chemicals upon which a wide range of other critical infrastructure sectors rely.
2. Commercial Facilities sector includes entities that draw large crowds of people, such as for shopping, business, entertainment, or lodging.
3. Communications sector includes satellite, wireless, and wireline providers.
4. Critical Manufacturing sector includes entities whose disruption would disrupt essential functions at the national level and across multiple critical infrastructure sectors.
5. Dams sector includes entities that deliver water retention and control services.
6. Defense Industrial Base sector includes entities that enables research, development, maintenance, design, production, and more of military weapons systems, subsystems, and components or parts to meet U.S. military requirements.
7. Emergency Services sector includes first responders, city police departments, fire stations, and town public works departments. This also includes private sector resources, such as industrial fire departments, private security organizations, and private emergency medical services providers.
8. Energy sector includes entities that supply fuel, provide electricity, and provide other sources of energy integral to growth and production across the nation.
9. Financial Services sector includes depository institutions, providers of investment products, insurance companies, other credit and financing organizations, and the providers of the critical financial utilities that support these functions.
10. Food and Agriculture sector includes the 2.1 million farms, restaurants, and more than 200,000 registered food manufacturing, processing, and storage facilities.
11. Government Facilities sector includes the buildings owned or leased by federal, state, local, and tribal governments.
12. Health Care and Public Health sector includes entities that protect individuals from hazards, such as terrorism, infectious disease outbreaks, and natural disasters.
13. Information Technology sector includes entities that produce and provide hardware, software, and information technology systems and services, as well as the internet.
14. Nuclear Reactors, Materials, and Waste sector includes the 99 active and 18 decommissioning power reactors that generate nearly 20% of the nation’s electricity.
15. Transportation Systems sector includes all forms of transportation, such as aviation, highway and motor carrier, mass transit and passenger rail, and postal and shipping.
16. Water and Wastewater Systems sector includes the entities that provide safe drinking water and properly treat wastewater to prevent disease and protect the environment.

What Does the Act Require?

The Act does not require all companies to report all cyber incidents within 72 hours. The Act only applies to covered entities (entities in the critical infrastructure sectors) and to covered cyber incidents. A cyber incident covered under the Act “means an occurrence that jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or an information system.” Only “substantial cyber incidents” are required to be reported. This definition does not include an occurrence that “imminently, but does not actually, jeopardizes (i) information on information systems; or (ii) information systems.” Therefore, under the Act, a covered entity is only required to report a covered cyber incident to the Agency no later than 72 hours after the covered entity reasonably believes the cyber incident occurred.

Additionally, if a covered entity makes a ransom payment, the covered entity must report the payment to the Agency no later than 24 hours after the payment has been made.

What Does the Act Leave Undecided?

Several items. In particular, the Act directs the Agency to: (1) receive, aggregate, analyze, and secure reports to assess the effectiveness of security controls, identify tactics, techniques, and procedures adversaries use to overcome those controls; (2) assess the potential impact of cyber incidents on public health and safety and to enhance situational awareness of cyber threats across critical infrastructure sectors; and (3) in consultation with Sector Risk Management Agencies, the Department of Justice and other federal agencies promulgate regulations related to the mandated reporting of cybersecurity incidents.

How the Agency will view the effectiveness of existing security controls, the impact of cyber incidents, or the regulations it will promulgate and their impact remain to be seen.

What Should Companies Do Immediately?

To prepare, companies should first determine if the Act applies to them. If so, these companies should review their current incident response plans. These companies should review their plans to ensure their ability to identify when a substantial cyber incident has occurred and that they can report the existence of such an incident within 72 hours of discovery.

Companies should also update their incident response plans to capture the 10 key elements the Agency recommends organizations gather during an incident: (1) incident date and time; (2) incident location; (3) type of observed activity; (4) detailed narrative of event; (5) number of people or systems affected; (6) company/organization name; (7) point of contact details; (8) severity of event; (9) critical infrastructure sector if known; and (10) individuals informed. [1]

At Troutman Pepper, we understand the complexities of information technology and how it intersects with the changing regulatory landscape. Our team is dedicated to breaking down complex legal issues and providing guidance that the business and information technology/security can understand. We will continue to monitor these and other developments.

[1] See https://www.cisa.gov/sites/default/files/publications/Sharing_Cyber_Event_Information_Fact_Sheet_FINAL_v4.pdf?mod=djemCybersecruityPro&tpl=cy.