On March 15, 2022, President Biden signed the Cybersecurity Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA” or the “Act”) into law. The Act establishes significant new reporting requirements for companies that provide critical infrastructure. These reporting requirements apply to ransomware payments and other cybersecurity incidents, and non-compliance can potentially lead to regulatory enforcement action or criminal prosecution.
What Companies are Subject to CIRCIA?
The Act applies to “covered entities” which it identifies as those operating “in a critical infrastructure sector, as defined in Presidential Policy Directive 21, that satisfies the definition established by the Director [of CISA] in the final rule issued pursuant to section 2242(b).” While the final rule remains forthcoming, the critical infrastructure sectors listed in Presidential Policy Directive 21 are:
- Commercial Facilities
- Critical Manufacturing
- Defense Industrial Bases
- Emergency Services
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
- Water and Wastewater Systems
This list addresses companies in a broad range of categories. Currently, there are no limitations in terms of company size or revenue, though this could change with the final rule.
What Does CIRCIA Cover?
Under CIRCIA, covered entities have two primary reporting obligations. The first applies to “covered cyber incidents,” while the second applies specifically to ransomware payments.
Covered entities must report all covered cyber incidents to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. This obligation applies whether an entity has actual knowledge of a covered cyber incident or “reasonably believes that [a] covered cyber incident has occurred.” What constitutes a “covered cyber incident” remains to be determined in the final rule to be issued under the Act, although the Act provides that a covered incident must minimally involve “substantial loss of confidentiality, integrity, or availability of [an] information system or network, or a serious impact on the safety and resiliency of operational systems and processes.”
Covered entities must report all ransomware payments to CISA within 24 hours. The Act defines such a payment as “the transmission of any money or other property or asset, including virtual currency, or any portion thereof, which has at any time been delivered as ransom in connection with a ransomware attack.” If a covered entity makes a ransomware payment prior to reporting the associated covered cyber incident, then it must file a single report with CISA (provided that the report satisfies both deadlines). However, if a covered entity makes a ransomware payment after reporting a covered cyber incident, then a second report within 24 hours of the payment will be required.
In addition to meeting these reporting requirements, covered entities must also preserve all relevant data. Preservation procedures remain to be established in the final rule.
When Does CIRCIA Take Effect?
The effective date for CIRCIA’s reporting and data preservation requirements also remains to be determined pursuant to the final rule. Under the Act, CISA was provided 24 months from March 15, 2022 to publish a notice of proposed rulemaking and, then, the agency has an additional 18 months from the date of publication to release the final rule.
While CIRCIA might not take effect for months—or even years—companies that provide critical infrastructure will be well-served to preemptively evaluate the statute’s potential implications for their businesses. For companies that are likely to become subject to CIRCIA, implementing enhanced cybersecurity protocols, incident response measures, and data preservation policies and procedures will not only reduce the burdens of compliance in the future but also serve to more effectively mitigate their cybersecurity-related risk in the present as well.