What Critical Infrastructure Should Do: Mandatory Cybersecurity Incident Reporting for Critical Infrastructure is Coming and CISA Encourages Voluntary Reporting Now

April.15.2022

The Cybersecurity and Infrastructure Security Agency (“CISA”) released a “Sharing Cyber Event Information” Fact Sheet on April 7 that may preview its implementation of the new federal government cyber incident reporting requirement signed into law on March 15—the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Section Y within the Consolidated Appropriations Act). Many key details of the reporting requirement are subject to future rulemaking by CISA, including the critical infrastructure organizations to which the reporting requirements will apply; what cyber incidents must be reported (i.e., “substantial” cybersecurity incidents); what information critical infrastructure organizations will have to report; and the mechanics of submitting the reports. The critical infrastructure industry has time to prepare as the reporting requirement will not take effect until the rulemaking process has been completed, although CISA encourages voluntary reporting now. Although the proposed rules are required to be issued in the rulemaking progress within 24 months, with the final rule due 18 months thereafter, organizations should anticipate that CISA will move more quickly, and that the final rule could be issued as early as early 2023.

Statutory Framework and CISA’s Recommendations for Current Reporting Under its Fact Sheet

The statute provides a framework that gives a picture of what can be expected when the reporting requirement becomes mandatory. While CISA has not yet started the rulemaking process, the CISA Fact Sheet provides recommendations for voluntary reporting starting now.

Cyber Incident & Ransom Payment Reporting Framework				CISA Fact Sheet
Who Has to Report?	Entities that operate in a critical infrastructure sector^[1]:			Critical Infrastructure Owners and Operators. (This term is not defined in the Fact Sheet, but CISA’s existing guidance defines Critical Infrastructure Sectors as the 16 sectors identified in Presidential Policy Directive 21, which mirrors the Act.) Federal, State, Local, Territorial, and Tribal Government Partners
	chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy;	financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems.
	Covered entities may use a third party to submit the required report.
	Substantial Cyber Incident		Ransom Payment
What Events Have to Be Reported?	The occurrence of “substantial” cyber incidents^[2], including: Substantial loss of confidentiality, integrity, or availability of information system or network; Serious impact on the safety and resiliency of operational systems and processes; Disruption of business or industrial operations (e.g., denial of service, ransomware, or zero-day vulnerability exploitations affecting information systems, networks, or operational technology system or process); and Unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.		The payment of ransom as the result of a ransomware attack.	Unauthorized access to your system Denial of Service (DOS) attacks that last more than 12 hours Malicious code on your systems Targeted and repeated scans against services on your systems Repeated attempts to gain unauthorized access to your system Email or mobile messages associated with phishing attempts or successes Ransomware against Critical Infrastructure
What Details Have to Be Reported?	For a substantial cyber incident, details may include^[3]: A description of the incident that includes: identification and a description of the function of the affected information systems, networks, or devices affected; a description of the unauthorized access; dates of event; and the impact to operations. Description of the vulnerabilities exploited and the security defenses that were in place, as well as the tactics, techniques, and procedures used to perpetrate the covered cyber incident. Any identifying or contact information for the actor responsible. Identification of the category or categories of information that were, or are reasonably believed to have been, accessed or acquired by an unauthorized person. Business information for the impacted entity. Contact information that CISA may use to contact the entity or authorized agent.		For a ransom payment^[4]: Date of ransom payment. Amount of ransom payment. Ransom payment demand, including the type of virtual currency or other commodity requested. Ransom payment instructions. Description of the ransomware attack, including the estimated date range of the attack. Description of the vulnerabilities, tactics, techniques, and procedures used. Any identifying or contact information for the actor responsible. Business information for the impacted entity. Contact information that CISA may use to contact the entity or authorized agent.	Incident date and time Incident location Type of observed activity Detailed narrative of the event Number of people or systems affected Company/Organization name Point of Contact details Severity of event Critical Infrastructure Sector (if known) Anyone else informed by the reporting entity
When Does It Have to Be Reported?	Within 72 hours from when the entity “reasonably believes” that a “substantial” cyber incident has occurred.		Within 24 hours of making a ransom payment.	CISA encourages reporting “quickly” so information can be used to “render assistance and provide a warning to prevent other organizations and entities from falling victim to a similar attack.”
	Prompt updates or supplemental reports required if “substantial new or different information becomes available,” up until Agency is notified that the covered incident has been fully mitigated and resolved.
Where Does It Have to Be Reported?	To CISA via a user-friendly web-based form.^[5]			Send an email to [email protected] OR Use CISA’s Incident Reporting Form if you are a Federal or Critical Infrastructure partner that has completed one previously OR Send phishing email to [email protected]

The statute also imposes a duty to preserve data relevant to the covered incident or ransom payment in accordance with the final rule.

Enforcement Mechanism

The Act includes an enforcement mechanism, which is new to CISA which previously had no relevant enforcement powers and/or subpoena powers. It now gets both. Specifically, if the CISA Director has reason to believe that a covered entity failed to submit a required report, the Director may obtain information about the covered cyber incident or ransom payment by engaging the covered entity directly. If after 72 hours, no response or an inadequate response is received, then CISA may seek the information via a subpoena. If an entity fails to comply with a subpoena, CISA can refer the matter to the Attorney General to bring a civil action. The enforcement action and subpoena powers do not apply to covered entities that are State, local, Tribal or territorial government entities.

If the Director determines that information provided in response to a subpoena may constitute grounds for a regulatory or criminal action, then the Director may provide such information to the Attorney General or head of the applicable regulatory agency. By contrast, the information contained in a voluntary report or in response to direct inquiry from CISA cannot be used as the basis for such actions.

Information Sharing Provisions

Information received in the reports will be processed and shared by CISA with a number of different groups.

Federal Government: Within 24 hours of receiving a report, CISA will need to make the information available to “appropriate Sector Risk Management Agencies and other appropriate federal agencies.” This interagency sharing is subject to specific requirements to be set by the President, including what agencies are to be included in the information sharing. The FBI and Department of Justice, who had been vocal with their frustration about not being included as direct report recipients, are likely to be provided with reports through this provision. Information from the reports can also be shared with federal departments and agencies to identify and track ransom payments. CISA will provide a monthly briefing to congressional leadership regarding the national cyber threat landscape.

Information Sharing Groups: Anonymized information about context, threat indicators, and defensive measures will be shared with information sharing cyber groups, such as state and local governments, cyber incident response firms, and security researchers.

Critical Infrastructure Owners and Operators: Reported information can be shared, on a voluntary basis, between relevant critical infrastructure owners, particularly where such information relates to ongoing threats, a security vulnerability, or mitigation techniques that may allow entities to prevent cyber incidents.

General Public: CISA can use information from significant incidents, including ransomware attacks, and “identify and disseminate ways to prevent or mitigate similar incidents in the future.” A public, unclassified report will be published quarterly with “aggregated, anonymized observations, findings and recommendations”.

Protections for Reported Information

The Act provides for protection of the reported information in a variety of contexts. There is a prohibition on the use of information obtained solely through reports submitted under the Act to regulate the reporting entity. The submission of a report cannot serve as the basis for a cause of action. Reports and documents relating to their preparation, drafting, or submission are not subject to discovery and cannot be received into evidence in a trial or proceeding. Reporting will not constitute a waiver of any applicable privilege or protection provided by law. Information in a report can be designated as commercial, financial, and proprietary information of the covered entity. Reports will not be subject to Freedom of Information Act requests or any other public disclosure provision.

What Critical Infrastructure Should Do Now

While CISA has not formally begun the rulemaking process that will make the reporting provisions mandatory, organizations should immediately.

Consider whether, based on the guidance issued to date, they are part of the “critical infrastructure.”
Determine whether and when voluntary reporting might be appropriate before the requirement becomes mandatory.
Stay informed about the rulemaking process and consider submitting comments during the rulemaking process to provide feedback regarding any concerns resulting from the proposed reporting requirements and mechanics.
Review the company’s incident response plan and strategize with internal and external incident response resources about operationalizing a 72-hour (24-hour when a ransom payment is made) reporting requirement and a requirement to promptly supplement reports.
Analyze supplier and vendor cyber incident reporting requirements and consider revisions for key entities.

Orrick’s Cyber, Privacy, & Data Innovations team is ready to assist critical infrastructure entities in reviewing their cyber security programs in light of this announced reporting framework and designing practical, forward-thinking strategies to aid with reporting compliance.

^[1] Subject to rulemaking by CISA.

^[2] Subject to rulemaking by CISA.

^[3] Subject to rulemaking by CISA.

^[4] Subject to rulemaking by CISA.

^[5] Subject to rulemaking by CISA.

Authors

Thora Johnson パートナー, Cyber, Privacy & Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Thora Johnson パートナー

Washington, D.C.

Thora has extensive experience counseling clients on the Health Insurance Portability and Accountability Act (HIPAA) and other state and federal health privacy and regulatory compliance regimes including:

Office of the National Coordinator for Health Information Technology’s interoperability and information blocking regulations
Centers for Medicare & Medicaid Service’s (CMS’s) interoperability and patient access regulations
Part 2 confidentiality requirements applicable to substance abuse records
State health information privacy laws
Medicare/Medicaid compliance
Mental Health Parity and Addiction Equity Act (MHPAEA)
Genetic Information Nondiscrimination Act (GINA)
Affordable Care Act (ACA) compliance
Regulatory requirements of the Employer Retirement Income Security Act (ERISA), the Internal Revenue Code, HIPAA, and the ACA as they apply to employer health and wellness plans
Price transparency and surprise billing rules applicable to hospitals and health plans

Joseph C Santiesteban パートナー, Cyber, Privacy & Data Innovation, California Consumer Privacy Act

シアトル

See my bio

D:+1 206 839 4352
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
California Consumer Privacy Act
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Joseph C Santiesteban パートナー

シアトル

He brings significant experience advising companies – from one of the largest telecommunications providers to leading entertainment companies to startups on the cutting-edge of AI and more – on the full cycle of an incident. He also advises clients regarding regulatory investigations, class actions, and contract disputes that frequently flow from privacy and cybersecurity incidents.

His goal is to help clients respond quickly and with integrity to protect their brand, build trust and mitigate legal risk. He is highly adept at directing incident investigations, analyzing potential claims and defenses, examining potential notification obligations and advising on communications strategies that build trust and engagement.

Joe is committed to using these experiences to finding creative and engaging strategies to help companies proactively prepare for an incident and mitigate cybersecurity legal risk. This includes helping to build and improve incident response programs through incident response plans, simulated incidents, threat workshops, and training. It also includes assisting clients to practically evaluate legal risk of security decisions in a variety of transactions and across the product lifecycle. He is driven by a desire to evolve what it means to be a cybersecurity lawyer in the face of rapidly evolving technologies and laws. As a leader, he strives to create spaces where people are valued and solve problems creatively and collaboratively.

He also provides strategic advice to cybersecurity companies, including those looking to push technological and defense boundaries in cyber defense, incident response, and threat intelligence. This includes helping companies maximize their security offerings by navigating the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act (ECPA), and the Federal Wiretap Act, as well as state law analogs.

Joe serves on the Orrick’s Finance and Audit Committee and Pro Bono Committee. A leader and advocate for diversity and inclusion initiatives, Joseph is the co-head of the Latinx affinity group at Orrick and served as a fellow for the Leadership Counsel on Legal Diversity. He is also a member of the Washington Latino Bar Association and the Hispanic National Bar Association.

Caroline Simons パートナー, Cyber, Privacy & Data Innovation, 知的財産

Boston; New York

See my bio

D:+1 617 880 1885
E: [email protected]

Practice:

Cyber, Privacy & Data Innovation
知的財産
Trade Secrets Litigation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Caroline Simons パートナー

Boston; New York

Caroline represents tech and consumer-facing clients -- from early-stage startups to some of the most recognizable online companies -- in litigation to protect their IP, brand, and reputation. Caroline's expertise includes the fast-evolving areas of Section 230 of the Communications Decency Act and online safety, cybersecurity & data privacy litigation, and IP litigation, including trademark/trade dress infringement and trade secret misappropriation. She is lead counsel in dozens of cases for one of the world's largest tech companies on claims challenging its content moderation and product design. Caroline also has advised clients in cyber incident response, including crisis management, government and internal investigations, and enforcement. Her experience gives her breadth of perspective and allows her to work with her clients to make swift and pragmatic decisions to effectively manage their reputational, legal, and financial risks. Clients appreciate Caroline's ability to engage, listen to, and connect with witnesses, company stakeholders, and factfinders -- both inside and outside the courtroom -- to achieve meaningful results.

Heather Egan パートナー, Cyber, Privacy & Data Innovation, Global Compliance & Regulatory

Boston

See my bio

D:+1 617 880 1830
E: [email protected]

Practice:

Technology & Innovation Sector
Finance Sector
Energy & Infrastructure Sector
Cyber, Privacy & Data Innovation
Global Compliance & Regulatory
政府による調査および強制措置
Technology & Innovation
Fintech
Environmental, Social & Corporate Governance (ESG)
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Heather Egan パートナー

Boston

Heather partners with clients to reduce the risk of privacy and security incidents. In the event of an incident, she helps companies respond, successfully guiding them through investigation, remediation, notification and any ensuing government inquiries. She provides comprehensive crisis management support and companies rely on her to manage their response to catastrophes, investigations and government probes involving conduct by employees, contractors and third parties.

To help clients navigate complicated global regulatory compliance challenges, she leads comprehensive cybersecurity and privacy assessments worldwide, vets risks in corporate transactions, conducts internal investigations stemming from data incidents, and drafts and negotiates contracts concerning data-related vendors and arrangements. She regularly counsels businesses on how to mitigate risks associated with the collection, use, retention, disclosure, transfer and disposal of personal data. Outside of the U.S., she manages teams of talented counsel around the world to deliver seamless advice for clients that operate across many jurisdictional lines, developing comprehensive privacy and cybersecurity programs that address competing regulatory regimes.

Aravind Swaminathan パートナー, Cyber, Privacy & Data Innovation, Class Action Defense

シアトル; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
政府による調査および強制措置
審理
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan パートナー

シアトル; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.

Shannon Yavorsky パートナー, Cyber, Privacy & Data Innovation, Technology Transactions

サンフランシスコ; ロンドン

See my bio

D:+1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Global Compliance & Regulatory
政府による調査および強制措置
Environmental, Social & Corporate Governance (ESG)
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky パートナー

サンフランシスコ; ロンドン

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU Artificial Intelligence Act
EU e-Privacy Directive
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) Artificial Intelligence Risk Management Framework
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)

Shannon also helps clients undertake comprehensive privacy, cybersecurity and artificial intelligence risk assessments, evaluates privacy, security and artificial intelligence risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and artificial intelligence compliance programs.