Legally Mandatory to Report on Cyber Security Incidents
The bill also requires CISA to provide, through rulemaking, a clear description of the types of significant cyber incidents that constitute a covered cyber incident. CISA's description must include at least the following:

However, Congress did not explicitly define "covered entities" to include every entity in these critical infrastructure sectors, suggesting its intention that only a subset of these entities be subject to the cyber incident reporting requirements. In deciding which entities to cover, CISA must consider the consequences of a cyberattack on the entity for national security, the economy, and public health and safety, and the extent to which a cyberattack is likely to disrupt the reliable operation of critical infrastructure.

The specific nature and form of the reports will be defined in CISA's final regulations. However, a report must include at least a full description of the incident and the vulnerabilities exploited. Organizations should also report the defenses in place and, if known, information about the responsible parties and the types of information that may have been compromised. Ransom payment reports should include the payment date, the ransom note, and warrants. [3] This provision therefore suggests that not all ransomware attacks are considered a covered cyber incident.

(1) Conduct a review for evidence of compromise of covered defense information, including, but not limited to, identifying compromised computers, servers, specific data, and user accounts.
This review shall also include an analysis of the contractor's information systems that were affected by the cyber incident, and of other information systems on the contractor's network(s) that may have been accessed as a result of the incident, in order to identify covered defense information that was compromised or that affects the contractor's ability to provide mission-critical support.

The law could also create confusion and raise questions about how this reporting requirement relates to the process of obtaining government assistance in responding to an attack. Integrating the new legislation into existing, effective information-sharing arrangements and public-private partnerships could reduce this confusion.

Companies that fail to comply with their cyber incident and/or ransomware payment reporting obligations may be subject to prosecution. Under the law, CISA has the authority to request information from entities suspected of non-compliance. If a company does not comply with an initial request for information, CISA may issue a subpoena to obtain it. If a company fails to comply with the subpoena, CISA can refer the matter to the U.S. Attorney General for a civil action to enforce the subpoena, and a court can punish non-compliance with the subpoena as contempt of court.

Gibson Dunn's lawyers are available to answer any questions you may have about these developments.
Please contact the Gibson Dunn lawyer you typically work with, the authors, or a member of the firm's privacy, cybersecurity, and data innovation practice.

The rulemaking will also address the nature and form of the reports in more detail, including: a description of the vulnerabilities exploited and the security measures in place, as well as the tactics, techniques and procedures used during the incident.

Under CIRCIA, cyber incident and ransom payment reports, and communications or documents prepared for the "sole purpose" of preparing and filing such reports, cannot be "received, discovered or otherwise used as evidence in any legal proceeding, hearing or other proceeding." This "sole purpose" language is important because companies often create and store data relating to a cybersecurity event, including a ransom payment, for multiple purposes (such as insurance claims), and such dual-use material could fall outside the scope of this liability protection.

The bipartisan bill passed Congress last week as part of the Senate's $1.5 trillion funding bill and is designed to give the government greater insight into the current threats facing U.S. businesses. In exchange for reporting serious cases of cybercrime, the provision aims to help businesses reduce the impact of these online attacks and prepare for breaches that may occur in the future.

(f) Where the Contractor engages a third-party service provider for information system security services, the service provider may report cyber incidents on behalf of the Contractor.

Congress has delegated to CISA significant authority to develop and implement regulations defining the scope and applicability of CIRCIA. CIRCIA gives CISA 24 months to publish its initial notice of proposed rulemaking and an additional 18 months after that notice to publish its final rule, although CISA may expedite its rulemaking process.
However, CIRCIA contains important reporting thresholds, liability protections, legal privileges, and regulatory restrictions that CISA cannot alter in the rulemaking process. These provisions are intended to promote compliance with the law and to increase the quantity and quality of cyber incident reporting.

The Cyber Incident Reporting for Critical Infrastructure Act requires owners and operators of critical infrastructure (such as water and utilities, healthcare organizations, and certain IT providers) to submit reports of cybersecurity incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA). The law provides liability protection for filing reports to promote compliance, but failure to comply can result in civil action. The law also requires the government to analyze, anonymize and share the information in these reports to give agencies, Congress, businesses, and the public a better view of the cyber threat landscape.

The Act requires affected businesses to provide updated and supplemental reports whenever new or different material information becomes available, until the company notifies CISA that the cyber incident has concluded and been fully mitigated and resolved. This provision can require companies to submit multiple reports to CISA while they are managing a cyberattack and patching their systems.

[2] H.R. 2471 § 2242(c)(1). This provision provides that, in promulgating the final rule defining "covered entities", the CISA Director shall consider the consequences of a potential cyberattack on the entity for national security, economic security, and public health and safety, the likelihood that such an entity could be targeted, and the extent to which a cyberattack would disrupt the reliable operation of critical infrastructure.
In response to concerns about reporting, the Act protects reporting companies from certain liabilities connected with the submission of mandatory or voluntary reports. Under the law, submitted cyber incident and ransom payment reports may not be used by CISA, other federal agencies, or any state or local government to regulate the activities of the entity that filed the report, including through enforcement actions. [14]

(2) Entities that can be used to help diagnose, detect or mitigate cyber incidents;

It also helps gather knowledge for better cyber practices. The law requires CISA to organize, aggregate, and anonymize the information contained in the reports so as to produce a range of actionable information for the private sector, including cybersecurity research organizations. In this way, rapid and consistent transparency brings further benefits: better situational awareness, better cyber practices, and stronger collective (public-private) cyber defense. Businesses, investors, customers, employees, and society as a whole will better understand the cyber risks they face and make better decisions.

As the U.S. continues to support Ukraine, the landmark bill is part of a broader effort by the Biden administration to defend the country's digital infrastructure from the threat of Russian cyberattacks. While most of the U.S. has so far remained largely untouched by Russian cyber operations, the country's largest financial institutions have not been so lucky. Banking giants such as JP Morgan, Goldman Sachs, Citigroup and Bank of America have repeatedly come under attack on their infrastructure, with executives saying the recent waves of intrusion attempts have been different.

CIRCIA recognizes that an organization designated by CISA as a "covered entity" may be subject to other federal data breach reporting requirements, such as the regulations for defense contractors and healthcare organizations, which can result in multiple cybersecurity reporting obligations.
CIRCIA seeks to remedy this situation by creating a Cyber Incident Reporting Council, composed of a broad range of federal organizations, with the authority to "coordinate, deconflict and harmonize" the various incident reporting requirements. In particular, the Council is required to analyze existing reporting requirements (such as DFARS 252.204-7012 and the Health Insurance Portability and Accountability Act Breach Notification Rule) and ensure that these requirements "avoid conflicting, duplicative or burdensome requirements." Although the Cyber Incident Reporting for Critical Infrastructure Act was passed this month, there is still time before it comes into force and businesses must comply.