Congress Imposes New 72-Hour Reporting Requirement for Cyber Security Incidents


By: David Cole and Heather Kuhn

President Biden’s promise to prioritize cybersecurity this year is beginning to take shape. On March 15, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act (“Cyber Incident Reporting Act”). Under the new law, certain businesses that are as “covered entities” and which are considered “critical infrastructure” will now be required to report cyber incidents to the U.S. Department of Homeland Security (“DHS”) Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours and ransomware payments within 24 hours. The intent is to shore up protections around American critical infrastructure, particularly in the context of high-level incidents such as Colonial Pipeline and SolarWinds.

Who Is Covered?

The Cyber Incident Reporting Act requires a “covered entity” to report a “covered cyber incident” to CISA within 72 hours after it “reasonably believes” a covered cyber incident has occurred. The law, however, does not specifically define any of these terms. Instead, it provides some minimum parameters for these definitions and then calls on CISA to implement regulations that provide more detail and clearer definitions of which entities and incidents are covered.

In broad terms, the statute defines covered entities as those within a critical infrastructure sector, as defined in Presidential Policy Directive 21 (“PPD-21”). Under PPD-21, the following 16 critical infrastructure sectors were identified: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services, energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials and waste; transportation systems; and water and wastewater systems.

From this broad definition, CISA will have to implement regulations to more clearly define which businesses are covered by the statute, taking into consider the national security, economic, and public health and safety consequences of a cyberattack on the entity and the extent that a cyberattack will likely enable disruption of the reliable operation of critical infrastructure.

Timing and Substance of Reporting

Although the precise definitions of these terms remain uncertain for now, the actual reporting requirements are clearer and arise in two ways. First, a covered entity experiencing a covered cyber incident must report the incident to CISA within 72 hours after the covered entity reasonably believes the incident occurred. Second, if a covered entity makes any ransom payment (even if it is not in response to a covered incident), the entity must report the payment to CISA within 24 hours.

The specific manner and form of reporting will be outlined in the final regulations implemented by CISA. At a minimum, however, reporting will include a full description of the incident and vulnerabilities exploited. Organizations also will need to report what defenses were in place and if known, any information about responsible parties, and the types of information that may have been compromised. Ransom payment reporting will need to include the date of payment, ransom demand and payment instructions.

Enforcement Procedures

The new law also gives CISA enforcement powers, through subpoenas and civil enforcement suits against covered entities. If CISA believes that a covered cyber incident has occurred, it must first additional information from the covered entity to confirm whether a covered incident or ransom payment occurred. The covered entity has 72 hours to respond, after which time CISA may issue a subpoena to compel disclosure. If the covered entity still fails to respond, CISA may refer the matter to the Attorney General to bring a civil action, and a court may sanction the organization for failure to comply with the subpoena with contempt of court.

When Will the Reporting Requirements Begin?

While the Cyber Incident Reporting Act was passed this month, there is still time before it will go into effect and organizations have to follow it. As discussed above, CISA is tasked with defining several key terms including who is a “covered entity” and what is a “covered cyber incident.” As a result, the new reporting requirements will not go into effect until CISA finishes its rule making process. The rulemaking must begin within the next 24 months and end no later than 18 months after it starts.

But even though there is time, organizations within one of the critical infrastructure sectors should begin planning now by reviewing their incident response and reporting procedures. Be sure that you have your cyber insurance coverage in place, know your legal counsel and vendors that you will use, and how you will carry out any reporting requirements.

If you have any questions about the new law or how your organization can begin preparing, please contact one of the attorneys in our Data Security, Privacy & Technology practice group.