Cyber breach reporting to be required by law for better cyber defense

Prompt, consistent and mandatory reporting of cyber breaches is a significant step forward. But additional legislation may be required to make sure the ultimate goals can be achieved.

The Cyber Incident Reporting for Critical Infrastructure Act of 2022, nestled within the Consolidated Appropriations Act of 2022, was signed into law by President Biden on March 15. It is a step forward from today's ad hoc, industry-specific guidance for voluntary disclosures by companies that have experienced cyber attacks.

Cyber attackers often hold an advantage: because victims and responders do not share all the necessary information, defenders cannot act quickly or respond to attacks in concert. The reporting act aims to remove a piece of that advantage by requiring companies that are attacked to report significant cyber incidents, and by offering protections that give them an incentive to report.

In a nutshell

Covered cyber incident

  What to report: Substantial cyber incidents that are likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States, or to the public confidence, civil liberties, or public health and safety of the people of the United States, as determined by the Secretary of the Department of Homeland Security.
  Who needs to report: Entities in the 16 critical infrastructure sectors defined in Presidential Policy Directive 21, including financial services, information technology, energy, healthcare and public health, food and agriculture, critical manufacturing, chemicals, communications, defense industrial base and emergency services ("covered entities").
  To whom: Cybersecurity and Infrastructure Security Agency (CISA).
  By when: Not later than 72 hours after the affected entity reasonably believes that the covered cyber incident has occurred.
  Follow-up: Substantial new or different information, or a ransom payment made after the initial report, must be reported as a supplement until the cyber incident at issue has concluded and has been fully mitigated and resolved.

Ransom payment

  What to report: Any ransom payment made as the result of a ransomware attack, whether or not the incident meets the definition of a covered cyber incident above.
  Who needs to report: The covered entity that made the payment.
  To whom: CISA.
  By when: Not later than 24 hours after the payment is made.

An important way to view this law: virtually every American business could be affected. You should pay attention to the rulemaking process and update your incident response plans to account for the new requirements.

Consider the new reporting requirement alongside the ways you already get effective government assistance on cyber incidents. Make no mistake: the requirement to report within 72 hours of a significant cyber incident should not stop you from working with your partners in government to get the help you need more quickly. Experience has shown that much can be done within 24 hours of discovering an incident. Companies should form and maintain robust relationships with law enforcement contacts in the FBI and US Secret Service (USSS), who can help in real time to stop an attack from doing more damage and to bring the attackers to justice.

Across a number of regulatory fronts, it is becoming increasingly important for companies to enhance their breach reporting capabilities. Public companies, for example, will likely face enhanced cyber incident reporting requirements under the Securities and Exchange Commission (SEC) proposal announced on March 9. The proposal would require a public company to disclose a material cyber incident in new Item 1.05 of Form 8-K within four business days after it has determined that the incident is material. Under the proposal, the materiality determination, not the occurrence of the incident itself, triggers the disclosure, which would cover the nature and scope of the incident; any data stolen, altered, accessed or used for an unauthorized purpose; the effect of the incident on the company's operations; and remediation efforts.