We previously discussed the increasing focus of the Office of Foreign Assets Control (OFAC) of the US Department of the Treasury on ransomware in our September 23, 2021, October 7, 2021, and November 1, 2021 posts. On March 15, 2022, US President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA or the Act) into law. Under its provisions, a broad range of private and public-sector entities operating in “critical infrastructure” sectors will for the first time have mandatory reporting obligations in connection with “cyber incidents” and ransomware attacks. Specifically, “covered entities” are required to report certain “substantial” cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of the event, and to report ransomware payments within 24 hours of payment.
Key details of the new cyber reporting regime remain unclear at present, such as the scope of “covered entities,” what constitutes a “substantial” cyber incident (triggering reporting obligations), and other details that define the scope of the new mandate. These details will only be determined in the regulations promulgated by CISA, a US federal agency created in November 2018. CISA has 24 months, or until March 15, 2024, to issue proposed regulations for CIRCIA, after consultation with Sector Risk Management Agencies, the Department of Justice, and other US federal agencies. See CIRCIA, § 2242(b)(1). After publication of the notice, CISA has 18 months to publish a final rule. Id. § 2242(b)(2).
While companies will not be required to comply with the reporting obligations under the Act until the implementing regulations have been released and have taken effect, companies operating in “critical infrastructure” sectors (defined below) should be aware that significant revisions to their cybersecurity protocols may be required, including accounting for both event-based reporting and ongoing reporting obligations.
We summarize the key provisions of the Act below.
The Act defines “covered entities” as entities “in a critical infrastructure sector, as defined in Presidential Policy Directive 21, that satisfies the definition established by [CISA]” in the final rule it will issue to implement the Act. See CIRCIA, § 2240(5). In other words, “covered entities” will fall within the sectors identified in Presidential Policy Directive 21 (PPD 21) issued by President Barack Obama in February 2013, but the precise scope of the term will only be determined by CISA in the implementing regulations when it has issued a definition of “covered entities.”
PPD 21 enumerates the following “critical infrastructure” sectors:
- Commercial Facilities
- Critical Manufacturing
- Defense Industrial Base
- Emergency Services
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
- Water and Wastewater Systems
CIRCIA imposes two distinct reporting obligations on “covered entities,” in connection with “covered cyber incidents” and “ransomware” attacks.
- Reporting “covered cyber incidents”
Covered entities will be required to report “covered cyber incidents” to CISA no later than 72 hours after the time the entity “reasonably believes” the incident occurred. See CIRCIA, § 2242(a)(1)(A), (B). The term “covered cyber incident” is defined as “a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by [CISA] in the final rule . . . .” Id. § 2240(4). The Act does not define the term “substantial.” CISA is tasked with issuing regulations that, among other things, provide a “clear description of the types of substantial cyber incidents that constitute covered cyber incidents.” Id. § 2242(b)(2).
However, the Act does indicate the “minimum” criteria that will define a “substantial covered cyber incident,” which include, but are not limited to, the following: “(i) a cyber incident that leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes; (ii) a disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero day vulnerability, against (I) an information system or network; or (II) an operational technology system or process; or (iii) unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.” Id.
The precise contents of the report that must be filed in connection with a cyber security incident will be determined by the regulations implemented by CISA. However, the Act indicates some of the details that should be included “to the extent applicable and available.” Id. § 2442(c)(4).
- Reporting “covered ransomware payments”
A covered entity that makes a “ransom payment” as the result of a “ransomware attack” against the covered entity must report the payment to CISA not later than 24 hours after the ransom payment has been made. The term “ransom payment” refers to “the transmission of any money or other property or asset, including virtual currency, or any portion thereof, which has at any time been delivered as ransom in connection with a ransomware attack.” CIRCIA § 2240(13). The term “ransomware attack” refers to “an incident that includes the use or threat of use of unauthorized or malicious code on an information system, or the use or threat of use of another digital mechanism such as a denial of service attack, to interrupt or disrupt the operations of an information system or compromise the confidentiality, availability, or integrity of electronic data stored on, processed by, or transiting an information system to extort a demand for a ransom payment.” Id. § 2240(14).
Notably, the ransom payment reporting obligation is triggered even where the underlying ransomware incident does not constitute a “covered cyber security incident.” Id. § 2242(a)(2).
The precise contents of the report that must be filed in connection with a ransom payment will be determined by the regulations implemented by CISA. However, the Act indicates some of the details that should be included “to the extent applicable and available.” Id. § 2442(c)(4).
Supplemental reports and record-keeping
In addition to the reporting obligations noted above, covered entities must “promptly” submit “an update or supplement to a previously submitted covered cyber incident report” if (i) the entity obtains “substantial new or different information” regarding the incident or (ii) the covered entity makes a ransom payment after submitting a covered cyber incident report. This obligation remains in effect “until such date that such covered entity notifies [CISA] that the covered cyber incident at issue has concluded and has been fully mitigated and resolved.” Id. § 2242(a)(3).
Moreover, CIRCIA imposes record-keeping obligations. It provides that any covered entity “shall preserve data relevant to the covered cyber incident or ransom payment in accordance with procedures established in the final rule [issued by CISA].” Id. § 2242(a)(4). The extent of the record-keeping requirements under CIRCIA will become clear when CISA issues the implementing regulations.
Liability protections and enforcement
CIRCIA includes certain liability protections for entities reporting information to CISA. The Act also empowers CISA to enforce compliance in cooperation with the Department of Justice.
- Liability protections
The Act provides that federal and state governments “shall not use information about a covered cyber incident or ransom payment obtained solely through reporting directly to the Agency” in order to “regulate” the activities of that entity, including through an enforcement action. Id. § 2245(a)(5)(A). In addition, reports submitted under the Act must (1) be considered the commercial, financial, and proprietary information of the covered entity when so designated by the covered entity; (2) be exempt from disclosure under FOIA (and comparable laws on the state or local level); (3) be considered not to constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection; and (4) not be subject to a rule of any Federal agency or department or any judicial doctrine regarding ex parte communications with a decision-making official. Id. § 2245(b).
- Enforcement
The Act provides for enforcement through an escalation procedure. First, if CISA “has reason to believe” that a covered entity experienced a covered cyber incident or made a ransom payment, CISA may request information from the entity. Id. § 2244(b). If the entity fails to respond within 72 hours, CISA may issue a subpoena to compel a response. Id. § 2244(c). If the entity fails to respond to the subpoena, CISA may refer the matter to the Department of Justice to bring a civil action against the entity to enforce the subpoena. Id.
* * *
We will continue to monitor developments. Please reach out to your usual contacts at Herbert Smith Freehills New York with any questions.