As part of a larger spending bill signed by President Biden on March 15, 2022, which also increases funding for the Cybersecurity and Infrastructure Security Agency (CISA), Congress passed the Cyber Incident Reporting for Critical Infrastructure Act (CIRA). CIRA requires companies in a "critical infrastructure" sector to notify CISA within 72 hours of a substantial cyber incident and, in the case of ransomware, within 24 hours of making a ransom payment.
Although Congress has struggled for years to enact comprehensive data privacy and security legislation, CIRA is an important step toward increased federal oversight of data security incidents. Historically, incident reporting was required only of companies in certain federally regulated industries, such as healthcare or banking. Notably, the bill itself does not identify which critical infrastructure sectors will be treated as "covered entities" under the law; that definition will be set in the regulations CISA is to propose. CISA can look to the 16 sectors already designated as "vital" to the physical and economic security and public health or safety of the United States.
Whether CISA will eventually include all 16 of these sectors remains to be seen; some are broadly defined and would sweep in a significant number of companies that may not consider themselves critical infrastructure. For example, "commercial facilities" covers "a diverse range of sites which attract large crowds of people for shopping, business, entertainment or lodging", including shopping malls, sports arenas, hotels, office buildings and condominiums.
Another unknown is which types of cyber incidents will be treated as reportable events. The bill makes clear that reporting will be required only for a "substantial cyber incident" and defines a "cyber incident" as "an event that actually or imminently compromises, without lawful authority, the integrity, confidentiality or availability of information on an information system, or actually or imminently compromises, without lawful authorization, an information system." The law offers some examples, such as an incident causing substantial loss or a serious impact on the safety and resilience of operational systems, whether through a distributed denial-of-service (DDoS) attack, a ransomware attack, or exploitation of a zero-day vulnerability. The law also encourages voluntary reporting of other cyber incidents that are not required to be reported.
CISA has time to decide how to define a reportable event: CIRA gives CISA two years to publish proposed rules and a further 18 months to publish final rules. However, given the White House's growing warnings that Russia will continue to use cyberattacks as part of its war against Ukraine and against countries supporting Ukraine, rulemaking may happen sooner rather than later.
Takeaways
Companies in the 16 critical infrastructure sectors designated by CISA should consider preparing now, ahead of the proposed rules.
Assess data security practices. Given the risk of imminent attacks by Russian interests and the rise in financially motivated cyberattacks over the past two years, companies should consider conducting a security risk assessment to gauge the maturity of their information security practices, including those aimed at preventing and detecting a cyber incident.
Review or audit service providers. After the Russian compromise of SolarWinds Orion, in which roughly 18,000 organizations downloaded a trojanized Orion software update that potentially gave the attackers backdoor access to their systems, it is more important than ever to scrutinize vendors whose security posture could affect yours. Security questionnaires, a zero-trust program, and invoking contractual audit rights (where available) may be advisable.
Revise the incident response plan. Organizations with a robust incident response plan that covers the business and legal issues of a security incident will be better positioned to respond quickly and meet short notification deadlines. The plan should identify the members of the internal incident response team, establish a process for reporting a security incident, include a communication plan for notifying and updating key stakeholders, including regulators, and list contact details for data security providers.
War-game the plan. Tabletop exercises are essential for testing an incident response plan and identifying and filling gaps. Senior managers and incident response team members can walk through a cyberattack scenario in a controlled setting to ensure they are prepared when a real one occurs.
©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XII, Number 88