1. Many organizations are pulled into Critical Infrastructure
2. There's nothing to worry about just yet
3. Stay informed and be ready to report...in about 3 years
We thought this short FAQ might be helpful in case you are asked about the Cyber Incident Reporting law that was signed this week.
What Happened?
On March 15, President Joe Biden signed into law the “Cyber Incident Reporting For Critical Infrastructure Act of 2022”. This was included in the $1.5 trillion Consolidated Appropriations Act 2022 spending package.
Should I be Worked Up Over This?
No, not yet. It is a law now, but the CISA director (currently Jen Easterly) has 2 years to create the specific rules. Then there’s 18 months after that to finalize them.
But you need to watch (we will help). Laws get publicity, but rules tend to trickle out unseen.
What does the new law require?
It requires critical infrastructure entities (see two down) and federal agencies to report cybersecurity incidents within 72 hours of the incident and within 24 hours if a ransomware payment is made.
Why did they do this?
It’s mostly about visibility for the government. Without reporting mandates, many compromises go unseen. If CISA knows about these incidents, it can understand trends and respond to them. Or, at least that’s the logic.
Is our Organization Critical Infrastructure?
You very well may be. “Presidential Policy Directive 21” defined 16 sectors: https://www.cisa.gov/critical-infrastructure-sectors
Some unusual businesses (to me anyway) include entertainment facilities, sporting events, hotels, shopping malls, and arguably the entire healthcare and technology industries.
Who do I report to?
CISA. Remember, the formal "rules" aren't out yet, but you can always report to CISA today...right here: https://www.cisa.gov/reporting-cyber-incidents
What will I need to report?
Again, it’s not finalized, but the text indicates you will need to include a description of relevant vulnerabilities, efforts taken to mitigate the attack, categories of data believed to have been accessed or acquired by an unauthorized person, and any actor reasonably believed to be responsible for the incident. You would also be required to supplement the report as “substantial new or different information becomes available.”
What is an incident?
The term “covered cyber incident” will be defined later by CISA. Right now, the law says, “A cyber incident that leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes.”
Why two rules for incident reporting and ransomware payment?
There’s obviously a lot of consternation around paying ransomware…but it can be justified in certain circumstances for certain companies. They can’t say it's illegal for everyone, so instead they say you need to report payments. The ransomware reporting requirement applies to any payments, including situations that do not require incident reporting.
What if I don’t report?
CISA will subpoena you if they think you had an event or paid ransom and didn't report it. If you ignore that, bad things will happen to you. Again, CISA will define the rules over the next 24 months.
Anything else to know?
Whatever you report is exempt from Freedom of Information Act requirements. Whatever you submit is kept private. Again, they want you to report, so they are trying to take away risks to your business.