U.S. Congress Passes Cyber Incident and Ransom Payment Reporting Requirement

Keep up with the latest legal and industry insights, news, and events from MoFo

Energy, financial services, food and agriculture, healthcare, information technology, defense industrial base, and other critical infrastructure entities in the United States will face new cyber incident reporting requirements as a result of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the Act), enacted by the U.S. Congress on March 10, 2022. The Act, among other things, requires critical infrastructure entities to report cyber incidents to the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and to report ransom payments in response to ransomware attacks within 24 hours. The Act also includes several provisions that bolster the role of CISA as the central coordinating agency of information related to cyber attacks.

The Act, which was included in the latest $1.5 trillion government funding bill, is now headed to the President’s desk, where a signature is expected this week. However, even after the Act becomes law, a number of key provisions of the Act—including the precise scope of critical infrastructure entities to which the requirement will apply and the types of cybersecurity incidents that will require reporting—will need to be further defined through CISA regulations.

Cyber Incident Reporting Requirements

The Act mandates incident reporting for critical infrastructure entities that suffer cyber incidents or that make ransom payments in response to ransomware attacks.

The Act requires a “covered entity” to report a “covered cyber incident” to CISA within 72 hours after the covered entity reasonably believes that a covered cyber incident has occurred. If a covered entity makes a ransom payment in response to a ransomware attack, the covered entity must report the payment to CISA within 24 hours. Covered entities must submit updates to prior reports if new information becomes available or if a ransom payment subsequently is made. Additionally, reporting entities must preserve data relevant to the covered cyber incident or ransom payment.

The Act directs the CISA Director to define what constitutes a “covered entity” and “covered cyber incident.” A “covered entity” may include an entity in one of the 16 critical infrastructure sectors defined in Presidential Policy Directive 21, taking into consideration the consequences that a compromise of such an entity could cause to national security, economic security, or public health and safety, and the potential impact of the disruption of reliable operation of critical infrastructure. A “covered cyber incident” includes a “substantial” cyber incident that causes “a substantial loss of confidentiality, integrity, or availability” of information systems, “a disruption of business operations,” or “unauthorized access or disruption of business or industrial operations . . . caused by[] a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.”

The below chart outlines the reporting requirements prescribed by the Act:

Bill Element		Cyber Incident Reporting for Critical Infrastructure Act of 2022
Covered Entity		An entity in a critical infrastructure sector, as defined by Presidential Policy Directive 21, that meets the final definition established by the CISA Director, which shall be based on: “the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety”; and “the extent to which damage, disruption, or unauthorized access to such an entity . . . will likely enable the disruption of the reliable operation of critical infrastructure.”
Receiving Agency		CISA; but information may be shared with other federal agencies for cybersecurity and other purposes and anonymized information may be shared with critical infrastructure entities and the public.
Covered Incident		To be defined in CISA regulations; at minimum, a “covered cyber incident” is “a substantial cyber incident experienced by a covered entity that satisfies criteria established by the [CISA] Director,” including, at minimum: “a cyber incident that leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes”; “a disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero day vulnerability”; “unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.”
Reporting Timeline		For covered cyber incidents, within 72 hours after the covered entity reasonably believes such incident has occurred. For ransom payments, within 24 hours of making the payment. Updates are required if and when new information becomes available or if a ransom payment is subsequently made.
Report Content:		To the extent applicable and available:
	Intrusion	Covered Cyber Incidents: Description of the incident, including affected information systems; a description of the unauthorized access; the estimated date range of the incident; the impact to operations; and categories of information accessed or acquired by unauthorized access. Ransom Payments: Description of the ransomware attack, including the date range of the attack; date of the ransom payment; ransom payment demand, including type of currency or commodity requested; ransom payment instructions; and amount of the ransom payment.
	Methods	Description of the vulnerabilities exploited and TTPs used to conduct intrusion or ransomware attack.
	Actor	Information that could help identify actor.
	Reporting Entity	Contact information, including taxpayer identification number of impacted entity and authorized agent or third-party service provider acting at the direction of the impacted entity.

“Carrot and Stick” Provisions

The Act includes a number of incentives to drive compliance with the newly established reporting requirements:

CISA may issue requests for information and subpoenas to non-compliant entities. The Act authorizes CISA to send “requests for information” to entities it believes may have an obligation to submit a notification, and if those covered entities fail to respond within 72 hours, the Act authorizes CISA to issue subpoenas. Information obtained pursuant to such subpoenas (which can only be issued if an entity fails to comply with its reporting obligation) may be shared by CISA with the Department of Justice (DOJ) and other federal agencies, so that those agencies can pursue regulatory enforcement actions or criminal prosecution against covered entities. By contrast, information that is shared proactively by an entity may only be used for limited cybersecurity purposes.

The Act includes protections for information shared with the U.S. government. In an effort to address private sector criticism of reporting obligations, the Act includes a number of protections for the information shared pursuant to the Act, including:

liability protection for covered entities related to the submission of a report pursuant to the Act;
privacy and civil liberties protections to limit the dissemination of any personal or identifying information collected in conjunction with reporting requirements to state, local, and tribal governments, the private sector, cybersecurity researchers, and the general public;
an exemption under the Freedom of Information Act for reports and provisions to ensure that reports to CISA do not undermine trade secret and attorney-client privilege protections; and
a restriction on reports and work product created for the sole purpose of preparing such report being received in evidence, subject to discovery, or otherwise used in any trial, hearing, or other proceeding.

A Central Role for CISA in Cyber Incidents

The Act also contains a number of provisions that will centralize the federal government’s cyber incident response and coordination with the private sector in CISA, including the establishment of a Cyber Incident Review Center as a central clearinghouse for cyber incident reporting, a ransomware vulnerability pilot program focused on identifying security vulnerabilities exploited by ransomware actors, and a Joint Ransomware Task Force focused on disrupting ransomware actors.

Cyber Incident Review Center. The Act creates the Cyber Incident Review Center, housed within CISA, to receive and analyze reports of cyber incidents and ransom payments. The Center is tasked with coordinating information sharing about ongoing cybersecurity incidents and cyber threat trends among relevant government agencies and through the private sector. Quarterly, the Center will also publish unclassified, public reports based, in part, on the unclassified information contained in covered cyber incident reports. The Center will also analyze ransomware attacks to support law enforcement operations to identify, track, and seize ransom payments made with virtual currencies. Finally, the CISA Director, in consultation with the National Cyber Director, Attorney General, and Director of National Intelligence, must provide congressional leadership with a monthly report assessing the cyber threats facing federal agencies and covered entities.

Ransomware Vulnerability Warning Pilot Program. The Act requires CISA to establish a Ransomware Vulnerability Warning Pilot Program dedicated to identifying information systems that contain security vulnerabilities associated with common ransomware attacks. The program will also allow CISA to notify owners of vulnerable systems of their security vulnerability.

Joint Ransomware Task Force. The Act calls on CISA to establish a Joint Ransomware Task Force to coordinate a campaign against ransomware attacks in consultation with foreign partners, other federal agencies, and private sector entities. The Task Force’s responsibilities include:

disrupting specific ransomware actors, associated infrastructure, and finances;
identifying a list of highest threat ransomware entities updated on an ongoing basis;
facilitating coordination and collaboration between federal and private sector entities to improve federal actions against ransomware threats; and
creating after-action reports that identify successes and failures of federal actions against ransomware threats.

Conclusion

The Act represents a significant expansion in the federal requirements for private sector reporting of cyber incidents, but many of the requirements in the Act remain to be scoped through CISA regulations. This is a rapidly changing area of law with significant implications for entities that own or operate critical infrastructure. Given the significant reporting ramifications of this legislation, we will continue to monitor it closely as its provisions are implemented via regulation.

Rachael Hanna and Sonja Swanbeck, Law Clerks in our Washington, D.C. office, contributed to the writing of this alert.

Tina D. Reynolds
Partner

Practices

Privacy + Data Security