US Publishes Draft Rules for Cyber Incident Reporting for Critical Infrastructure Companies
US Cybersecurity Regulation Unveiled: Navigating Mandatory Incident Reporting
On March 27, 2024, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued a Notice of Proposed Rule Making detailing requirements for compliance with the Cyber Incident Reporting for Critical Infrastructure Act. The draft rule would subject critical infrastructure companies to some of the most aggressive breach notification timelines in the world. Covered companies would be required to report significant cyberattacks to CISA within 72 hours of discovery and ransom payments within 24 hours of discovery. More broadly, the 447-page notice adds a layer of complexity to the web of U.S. cybersecurity regulation and reporting obligations and requires covered companies to re-evaluate their existing cybersecurity practices and policies.
The Core Tenets
The core tenets of the proposed rule are as follows:
- Covered Entities: The rule applies to critical infrastructure entities, as captured in Presidential Policy Directive 21. These are entities that either: (i) operate within the critical infrastructure sector and are not small businesses; or (ii) meet the sector-based criteria, regardless of the size of the business (including entities that operate in financial and information technology services).
- Reportable Incidents: The rule defines "substantial" cybersecurity incidents broadly to include: (i) substantial losses of confidentiality; (ii) serious impacts on system safety; (iii) disruption of an entity's ability to engage in business operations; or (iv) a compromise of a service/hosting/provider or supply chain that leads to unauthorized access to an information system or any non-public information. The proposed rule does not require reporting of an authorized activity resulting in a cyber incident, such as a misconfiguration of a server that leads to insignificant downtime, or of a minor disruption, such as where anti-virus software has prevented an incident from occurring. The overall approach differs from the SEC's cyber reporting rules and guidance, which focus on reporting of material incidents.
- Timeline for Reporting Cyber Incidents: A standout feature of the proposed rule is the requirement for covered entities to report cybersecurity incidents "as soon as reasonably practical" and within 72 hours, once they reasonably believe a breach has occurred. This timeline brings the proposed rule in line with similarly aggressive timelines in the GDPR and the NYDFS Cybersecurity Regulation.
- Timeline for Reporting Ransomware Payments: The timeline for reporting ransomware payments is even more aggressive: within 24 hours of discovery. This applies even where the incident is also classed as a cyber incident, or where a third party makes the payment on behalf of the entity. This provision is aimed at furnishing CISA with timely intelligence to counter ransomware threats and potentially aid other entities that may be grappling with similar attacks.
- Incident Reports: Reports to CISA must include: (i) technical details about the incident; (ii) affected data categories; (iii) an assessment on the incident's impact; and (iv) any known details about the attacker. Reports will help CISA to discern patterns, disseminate threat intelligence, and contribute to fortifying the nation's cybersecurity stance.
- Confidentiality: Acknowledging the sensitive nature of cybersecurity incident information, the rule incorporates measures to safeguard the confidentiality of reporting entities. This aspect seeks to incentivize organizations to report incidents without fear of reputational harm or divulgence of vulnerabilities.
- Penalties: Although the enforcement mechanics of the proposed rule remain to be fleshed out, CISA intends to implement a stringent regime in which entities that fail to meet the reporting timelines will likely face significant fines and other punitive measures. This approach aims not only to encourage compliance but also to underscore the seriousness with which the agency regards cyber threats.
Key Insights and Practical Ramifications
CISA's proposed rulemaking transcends mere regulatory updates; it serves as a clarion call for critical infrastructure entities to reassess their cybersecurity strategies. Here are the key insights and practical implications companies need to be thinking about:
- Practice and Preparation: To meet the 72-hour reporting mandate, it is key that companies solidify their detection and response capabilities in advance of an incident. This could require investments in cybersecurity infrastructure, personnel training, and the establishment or refinement of clear incident response protocols.
- Ransomware Strategy: The 24-hour timeline for reporting ransomware payments requires organizations to rethink their ransomware attack response strategies—including thinking twice before making a payment (and concurrently preparing to report if they do make a payment).
- Confidentiality versus Transparency: While the rule aims to shield the confidentiality of reporting entities, organizations must strike a balance with their transparency obligations to stakeholders. Crafting a communication strategy that aligns with regulatory, customer, and shareholder expectations is a key imperative for legal and compliance teams.
- Alignment with Other Requirements: Many affected companies will likely be subject to other reporting regimes, including state breach notification mandates and federal breach notification requirements such as HIPAA, and the SEC's cyber disclosure rules. These regimes vary in their scope, timelines, and other nuances. Legal and compliance teams must take a holistic view to ensure that their organizations comply with all applicable obligations.
Conclusion
The proposed rule is in a period of public comment until June 3, 2024, following which there will likely be a period of revisions before the final rule comes into effect. There will also likely be a grace period, allowing organizations time to adjust their policies and procedures. Covered entities should stay aware of developments and consider taking steps to prepare so that they are ready to act swiftly. CISA expects to publish the Final Rule by October 4, 2025.
Clifford Chance can help entities navigate the complexities of the proposed rule, from regulatory compliance to guidance on how to fortify defences against the ever-evolving cyber threat landscape.