On March 15, 2022, President Joe Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which increased funding for the federal Cybersecurity and Critical Infrastructure Agency (CISA) and outlined new rules and requirements for companies and organizations to follow.
Notably, CIRCIA requires owners and operators of critical infrastructure to report cyber incidents to CISA within 72 hours and ransom payments within 24 hours. “Covered entity” means an entity in a Designated Critical Infrastructure Sector as defined by Presidential Directive 21, and CISA has also provided some general guidance on its website. CISA is required to implement regulations that define the types of events that constitute a “covered cyber incident” for reporting purposes, which must, at a minimum, include cyberattacks that: lead to a substantial loss to the confidentiality, integrity, or availability of an information system; seriously impact the safety or resiliency of operational systems; disrupt business or industrial operations due to certain types of attacks; or result in unauthorized access to an information system or otherwise impact business or industrial operations due to a compromise of the supply chain. The term “ransom payment” is defined to mean the “transmission of any money or other property or asset, including virtual currency, or any portion thereof, which has at any time been delivered as ransom in connection with a ransomware attack.”
Pursuant to CIRCIA, CISA has two years to issue proposed rules and definitions in this realm. However, in light of substantial increased Russian cyberattacks and the war in Ukraine, lawmakers may issue these rules earlier. Jen Easterly, director of CISA, was quoted as stating that “our critical infrastructure, our way of life is really under cyber assault all the time. And our current geopolitical crisis is only exacerbating this threat.”
The passage of CIRCIA continues a growing trend towards faster reporting obligations to federal regulators. As these reporting obligations are often measured in hours rather than days, companies in regulated fields such as critical infrastructure and financial services should be proactively ensuring that they are not only prepared to report, but that their cybersecurity programs are properly documented and will hold up to the higher levels of scrutiny we are likely to see in coming months and years.