In response to increased and persistent cybersecurity threats to American infrastructure, Congress passed the Strengthening American Cybersecurity Act (SACA), which President Joe Biden signed into law on March 15. SACA is likely the first of many steps toward a federal privacy and breach notification framework.
Included in SACA is the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the Act), which will create new reporting obligations with very short deadlines for businesses and government entities that operate in certain critical infrastructure sectors, as defined by the Cybersecurity and Infrastructure Security Agency (CISA). The critical infrastructure sectors identified by CISA encompass industries ranging from energy to healthcare. The Act assigns the director of CISA 24 months to publish a notice of proposed rulemaking and permits an additional 18 months after publication of the proposed rule before a final rule must be issued.
What Should Companies and Organizations Be Doing Now?
Although there is some time before the final rule is issued, it is important that organizations, even those outside the 16 critical infrastructure sectors, use this time to examine their own cybersecurity programs and safeguards to ensure they satisfy the new requirements, especially the 72-hour notice deadline, as the Act’s reporting requirements may become the standard for other cyber incident reporting laws.
So if your company has not reviewed its incident response plan recently, or has not conducted a tabletop exercise or simulation to test that plan, now is the time.
In addition, with so many disparate interests, the forthcoming rule-making period is a unique opportunity for businesses to weigh in on the future of U.S. cybersecurity law.
Below are some highlights of the new law.
Which Companies and Organizations Does the Act Apply To?
The Act’s reporting requirements apply to “covered entities.” Although we will have to wait for the final rule to obtain the official definition of “covered entities,” the Act describes them broadly as companies or organizations involved in one of the following 16 critical infrastructure sectors:
- Commercial facilities.
- Critical manufacturing.
- Defense industrial base.
- Emergency services.
- Financial services.
- Food and agriculture.
- Government facilities.
- Healthcare and public health.
- Information technology.
- Nuclear reactors, material and waste.
- Transportation systems.
- Water and wastewater systems.
Incidents That Trigger Notification Obligations
While the final rule will hopefully provide more specificity, the occurrence of any of the following will trigger a reporting obligation:
- A substantial loss of confidentiality, integrity or availability of an information system or network, or a serious impact on the safety and resiliency of operational systems and processes.
- A disruption of business or industrial operations, including a denial of service attack, a ransomware attack or an exploitation of a zero-day vulnerability against an information system or network, or an operational technology system or process.
- Unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, a managed service provider or another third-party data hosting provider, or by a supply chain compromise.
Further, SACA asks that covered entities consider the sophistication of tactics, the number of individuals involved and the potential impact on control systems in determining whether the incident meets the above criteria.
Once a cyber incident has been discovered, covered entities are on the clock. Those of us who advise clients through events such as a ransomware attack know how strenuous the first few days are for organizations. The new mandated reporting requires organizations to notify CISA within 72 hours of the covered entity’s first awareness of the incident and provide additional notice to CISA within 24 hours of a ransom demand being paid. Fortunately, supplemental reports appear welcome, which demonstrates that CISA does not expect victims to have a comprehensive understanding of the incident in the first 72 hours.
Potential Consequences for Missed Notification Deadlines
Businesses and organizations that fail to comply with these reporting requirements may be subject to a subpoena from CISA and a potential referral to the Department of Justice. Section 2244(f) exempts only state, local, tribal and territorial government entities from enforcement actions.
While it is still unclear how aggressive enforcement actions may be, this carrot-and-stick approach will likely garner compliance. As an additional measure, the legislation establishes protections for reports submitted in response to applicable obligations or under the legislation’s provisions for voluntary disclosures. The reports will:
- “[Be] considered the commercial, financial, and proprietary information of the covered entity when so designated by the covered entity.”
- “[Be] exempt from disclosure under [the Freedom of Information Act] as well as any provision of State, Tribal, or local freedom of information law, open government law, open meetings law, open records law, sunshine law, or similar law requiring disclosure of information or records.”
- “[Be] considered not to constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection.”
- “[N]ot be subject to a rule of any Federal agency or department or any judicial doctrine regarding ex parte communications with a decision-making official.”
Potential Exemptions from the Act’s Reporting Requirements
SACA’s reporting requirements may not apply to entities that are already required by law, or other enforcement mechanism, to report the same information to another federal agency within a “substantially similar time frame.” However, SACA does not provide a definitive list of the sectors or types of notifications to agencies that are exempt.