New federal reporting law passed for cybersecurity incidents and ransomware payments
On March 15, 2022, President Biden signed the 2022 Consolidated Appropriations Act into law, allocating $13.6 billion in funding as a way to “address Russia’s invasion of Ukraine and the impact on surrounding countries.” A significant portion of the Consolidate Appropriations Law, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“Reporting Act”), ushers in changes and advancements within the federal cybersecurity landscape.
The Reporting Act centers around new requirements directed to protect critical infrastructure within the United States. More specifically, the Reporting Act focuses on how critical infrastructure organizations (including, but not limited to financial, communications, information technology, energy, healthcare, food, water, and transportation sectors) and civilian federal agencies must report cyber incidents and ransomware payments directly to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”). Additionally, this Reporting Act sets out strict timing requirements for reporting cyber incidents and ransomware payments. The Reporting Act requires that any critical infrastructure organization also report the cyber incident to CISA no later than 72 hours after they reasonably believe that a cyber incident has occurred. This may also require that these entities produce and preserve evidence relating to the incident and alert the CISA with any updates or any significant or supplemental information that arises. Additionally, the Reporting Act also requires that any critical infrastructure organization that pays a sum of ransom to a threat actor must also report to CISA within 24 hours of delivering payment. Failure to alert CISA of such activity under the Reporting Act will generate significant penalties for non-compliance.
In addition to the newly implemented reporting requirements, CISA has now been tasked with collecting and analyzing the reported data and sharing this information with appropriate federal departments and agencies. Now, all federal agencies have the ability to view what has been reported to CISA relating to cyber incidents and ransom payments. Additionally, once a month CISA must generate a report and collaborate with the national cyber director, attorney general and director of national intelligence to brief on the cyber security threat landscape, analyzing new cyber trend threats and ransomware attacks.
The agencies within the critical infrastructure sphere are now tasked with determining how this new law affects their operations relating to data security and reporting. For example, healthcare and public health falls under the critical infrastructure sector and is therefore not exempt from the new Reporting Act requirements. This will not only expand the necessary reporting for such entities, as any “breach” or “security incident” outside of the HIPAA regulations must now be reported to CISA, but also shorten their reporting window. While healthcare and public health have already been identified as covered entities under this new law, we should anticipate that other critical infrastructure entities will be subject to the new stringent requirements and updated reporting windows under this Act.
While the Reporting Act is a significant advancement in the federal cyber law landscape creating uniformity amongst reporting standards there are still a number of unanswered questions relating to its scope and breadth.
We will continue to monitor the Reporting Act’s effect on federal reporting of cyber incidents and ransomware payments and advise once the reporting requirements have gone into effect.
