Biden Signs Into Law Critical Infrastructure Ransomware Payment And Cyber Incident Reporting – Technology

On March 15, 2022, President Biden enacted, through an omnibus spending package, the Cyber Incident
Reporting for Critical Infrastructure Act of 2022 (the
“Act”). The Act establishes two cyber incident
reporting requirements for “covered” critical
infrastructure entities: (1) a 24-hour requirement to report
ransomware payments to the U.S. Cybersecurity and Infrastructure
Security Agency (CISA) and (2) a 72-hour requirement to report all
covered cyber incidents to CISA. The reporting requirements will
take effect once CISA issues the necessary implementing
regulations. Most companies will need to build or improve their
incident reporting and crisis response plans to comply with these
tight requirements—such incident response plans are highly
advisable in general, and now more so ahead of the pending
regulatory requirements. 

 

Will the Act Apply to My Business?

The Act applies to “covered entities” in the sixteen United States critical infrastructure
sectors identified by CISA. These include, for example, certain
companies operating in the energy, financial services, and health
care sectors. It also includes contractors working in the Defense
Industrial Base. CISA is likely to further refine the poorly
defined concept of “covered entity” in the Act once it
takes up the necessary rulemaking for the implementing
regulations. 

 

What Are the Ransomware Payment Reporting Requirements?

The Act requires covered entities that make payments as
“the result of a ransomware attack” to report to CISA
within 24 hours. Reports must contain specific information about
the ransomware attack and the threat actors reasonably believed to
be responsible. The report must, at a minimum, include a
description of the attack; a description of the vulnerabilities,
tactics, techniques, and procedures, or “TTPs,” used to
perpetuate the attack; any identifying or contact information
related to each actor reasonably believed to be responsible for the
attack; the date and amount of the ransom payment; and the ransom
payment demand and instructions. Currently, many incident response
companies are reporting these details to law enforcement; whether
such dual tracking reports will be necessary after the CISA
reporting becomes mandatory will need to be evaluated. 

 

What Are the Cyber Incident Reporting Requirements?

The Act also requires covered entities to report any
“covered cyber incident” to CISA within 72 hours and to
“promptly” submit supplemental reports providing
updated or additional information about the incident, including
whether ransom payments are made after the submission of an initial
report, until the incident has fully resolved. Forthcoming CISA
regulations will also require covered entities to preserve these
reports for a certain period of time. This is similar to the
current incident reporting requirements imposed on defense
contractors through the Defense Federal Acquisition Regulations
Supplement, or DFARS. “Covered cyber incidents,” as the
Act defines, include “substantial” cyber incidents that
involve a substantial loss of confidentiality, integrity, or
availability of information systems or networks, or a serious
impact on the safety and resiliency of operational systems and
processes; a disruption of business or industrial operations,
whether on an information system or network or an operational
technology system or process; or unauthorized access or disruption
of business or industrial operations due to loss of service
facilitated through, or caused by, a compromise of a third-party
provider or by a supply chain compromise. Notably, the Act does not
require reporting for an “occurrence that imminently, but not
actually, jeopardizes” an information system or the
information it houses. 

 

What Should My Company Do?

Companies that believe they may be covered by the Act should
examine their cybersecurity and incident reporting policies and
procedures. Responding to a cybersecurity incident can be
challenging and time-intensive. To meet these quick reporting
deadlines, it is highly encouraged that companies implement
incident response plans and practice executing them. A few
recommended steps include designating response personnel, creating
notification templates, and conducting training exercises to gauge
incident responsiveness.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Technology from United States