April 4, 2022
Cyber criminals have significantly increased the number and severity of their attacks against critical infrastructure, alarming members of the public and private sector alike. Of the organizations that manage critical infrastructure, 83% reported a cyber attack in 2021 alone. And with Russia’s invasion of Ukraine having prompted harsh sanctions from NATO members, there are growing concerns about retaliatory cyberattacks.

To enhance the cybersecurity of critical infrastructure throughout the United States, the Cyber Incident Reporting for Critical Infrastructure Act was signed into law on March 15, 2022, after being approved by the House and unanimously approved by the Senate. This Act is part of the Consolidated Appropriations Act, 2022 (H.R. 2471), which is an omnibus spending bill.
What Does This Change Mean for Organizations?
The Cyber Incident Reporting for Critical Infrastructure Act greatly expands the reporting obligations of certain organizations, and also expands the role of the Cybersecurity and Infrastructure Security Agency (CISA). The new reporting obligations outlined in the Act will not take effect until the Director of CISA clarifies which organizations will be affected, which may take some time. However, CISA’s current list of sectors it considers critical infrastructure includes the following:
- Commercial Facilities
- Critical Manufacturing
- Defense Industrial Base
- Emergency Services
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
- Water and Wastewater Systems
If your organization falls within any of these sectors, it’s best to assume you will be considered a “covered entity,” and this new regulation will affect you.
What Are the New Reporting Obligations?
- Any covered entity must report any “substantial cyber incident” to CISA within 72 hours. At present, CISA has not yet defined what constitutes a substantial cyber incident.
- Ransomware payments must be reported to CISA within 24 hours.
In addition, covered entities must provide information and preserve any data related to a substantial cyber incident.
When Does the Act Take Effect?
This Act will not take effect until key terms and requirements are better defined. CISA is required to submit a “notice of proposed rulemaking” within 24 months of the Act’s passage on March 15, 2022. A final rule must be issued within 18 months of the proposal. If CISA uses the full timeline, these requirements may not be implemented until September 15, 2025.
Good News for Financial Institutions
According to the Computer-Security Incident Notification Final Rule, which takes effect May 1, 2022, banking organizations are already required to notify their primary federal regulator within 36 hours of a cyber incident. If your organization is regulated by the FDIC, OCC, FED, and/or NCUA, it’s likely that complying with the Notification Rule will also be considered compliance with the Cyber Incident Reporting for Critical Infrastructure Act, as long as the financial regulators develop an information-sharing agreement with CISA. Or, to put it in simpler terms, if your organization is a financial institution, you should already be planning to comply with the Notification Rule, so any added definitions or requirements under this new law should be fairly easy to accommodate.
Additional Federal Help
In addition to requiring timely reporting from many organizations, the Act also outlines many initiatives to enhance the federal government’s ability to respond to cyber attacks.
- The DHS will be required to lead a Cyber Incident Reporting Council to streamline reporting.
- CISA will be required to launch a Ransomware Vulnerability Warning Pilot Program to identify common vulnerabilities, and techniques to mitigate them.
- CISA will also establish a Joint Ransomware Task Force to coordinate a nationwide campaign against ransomware attacks and look for opportunities to cooperate with other nations.
If it’s likely that your organization will be a covered entity, continue to keep an eye on this new law and how it might affect you. While this law may not take effect for quite some time, your organization should revisit its cybersecurity policies and procedures and start preparing to meet these new obligations.
Finally, if you’re unsure whether or not your organization’s current cybersecurity programs and practices are sufficient, Marco has developed a cybersecurity checklist to assess whether or not your organization is following standard best practices as recommended by the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). If your organization is falling short, Marco’s cybersecurity experts can help.