Sounding the Alarm: New Federal Law Will Mandate the Reporting of Cybersecurity Incidents Involving Critical Infrastructure – What Companies Need to do now to be Prepared

In response to increased and persistent cybersecurity threats to American infrastructure, Congress passed the Strengthening American Cybersecurity Act (SACA), which President Joe Biden signed into law on March 15. SACA is likely the first of many steps toward a federal privacy and breach notification framework.
Included in SACA is the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the Act), which will create new reporting obligations with very short deadlines for businesses and government entities that operate in certain critical infrastructure sectors, as defined by the Cybersecurity and Infrastructure Security Agency (CISA). The critical infrastructure sectors identified by CISA encompass industries ranging from energy to healthcare. The Act assigns the director of CISA 24 months to publish a notice of proposed rulemaking and permits an additional 18 months after publication of the proposed rule before a final rule must be issued.
What Should Companies and Organizations Be Doing Now?
Although there is some time before the final rule is issued, it is important that organizations, even those outside the 16 critical infrastructure sectors, use this time to examine their own cybersecurity programs and safeguards to ensure they satisfy the new requirements, especially the 72-hour notice deadline, as the Act’s reporting requirements may become the standard for other cyber incident reporting laws.
So if your company has not reviewed its incident response plan recently, or has not conducted a tabletop exercise or simulation to test that plan, now is the time.
In addition, with so many disparate interests, the forthcoming rule-making period is a unique opportunity for businesses to weigh in on the future of U.S. cybersecurity law.
Below are some highlights of the new law.
Which Companies and Organizations Does the Act Apply To?
The Act’s reporting requirements apply to “covered entities.” Although we will have to wait for the final rule to obtain the official definition of “covered entities,” the Act describes them broadly as companies or organizations involved in one of the following 16 critical infrastructure sectors:
Incidents That Trigger Notification Obligations
While the final rule will hopefully provide more specificity, the occurrence of any of the following will trigger a reporting obligation:
Further, SACA asks that covered entities consider the sophistication of tactics, the number of individuals involved and the potential impact on control systems in determining whether the incident meets the above criteria.
Notification Timeline
Once a cyber incident has been discovered, covered entities are on the clock. Those of us who advise clients through events such as a ransomware attack know how strenuous the first few days are for organizations. The new mandated reporting requires organizations to notify CISA within 72 hours of the covered entity’s first awareness of the incident and to provide additional notice to CISA within 24 hours of a ransom demand being paid. Fortunately, supplemental reports appear to be welcome, which suggests that CISA does not expect victims to have a comprehensive understanding of the incident in the first 72 hours.
Potential Consequences for Missed Notification Deadlines
Businesses and organizations that fail to comply with these reporting requirements may be subject to a subpoena from CISA and a potential referral to the Department of Justice. Section 2244(f) exempts only state, local, tribal and territorial government entities from enforcement actions.
While it is still unclear how aggressive enforcement actions may be, this carrot-and-stick approach will likely garner compliance. As an additional measure, the legislation establishes protections for reports submitted in response to applicable obligations or under the legislation’s provisions for voluntary disclosures. The reports will:
Potential Exemptions from the Act’s Reporting Requirements
SACA’s reporting requirements may not apply to entities that are already required by law, or by another enforcement mechanism, to report the same information to another federal agency within a “substantially similar time frame.” However, SACA does not provide a definitive list of the sectors, or of the types of notifications to agencies, that qualify for this exemption.