Prompt, consistent and mandatory reporting on cyber breaches is a great step forward. But additional legislation may be required to make sure the ultimate goals can be achieved.
The Cyber Incident Reporting for Critical Infrastructure Act of 2022, nestled within the Consolidated Appropriations Act of 2022, was signed into law by President Biden on March 15. It’s a step forward from today’s ad hoc, industry-specific guidance for voluntary disclosures by companies that have experienced cyber attacks.
Cyber attackers often have an advantage: Because responders don’t share all the necessary information, they can’t act quickly and respond to attacks in concert. The reporting act aims to remove a piece of that advantage by requiring companies that are attacked to report significant cyber incidents and offering protections incentivizing them to report.
Covered cyber incidents

What to report: Substantial cyber incidents that are likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the people of the United States, as determined by the Secretary of the Department of Homeland Security.
Who needs to report: Entities in the 16 critical infrastructure sectors defined in Presidential Policy Directive 21, including financial services, information technology, energy, healthcare and public health, food and agriculture, critical manufacturing, chemicals, communications, defense industrial base, emergency services, etc. ("covered entity").
Report to: Cybersecurity and Infrastructure Security Agency (CISA)
When: Not later than 72 hours after the affected entity reasonably believes that the covered cyber incident has occurred.
Supplemental reports: Substantial new or different information, or a ransom payment made after submitting a covered cyber incident report, should be reported until the cyber incident at issue has concluded and has been fully mitigated and resolved.

Ransom payments

What to report: Ransom payment, whether or not the cyber incident is a covered incident defined above.
Who needs to report: Covered entity that made the payment
Report to: CISA
When: Not later than 24 hours after a payment is made.
An important way to view this law: virtually every American business could be affected. You should pay attention to the rulemaking process and update your plans to account for the new requirements. Consider the new reporting requirement alongside the effective ways you get government assistance on cyber incidents today. Make no mistake: The requirement to report within 72 hours of a significant cyber incident should not stop you from working with your partners in government to get the help you need more quickly. Experience has shown that much can be done within 24 hours of discovery of an incident. Companies should form and maintain robust relationships with law enforcement contacts in the FBI and US Secret Service (USSS) who can help you in real time to stop an attack from doing more damage and bring the attackers to justice.
Across a number of regulatory fronts, it’s becoming increasingly important for companies to enhance their breach reporting capabilities. Public companies, for example, will likely face enhanced cyber incident reporting requirements, as defined in the Securities and Exchange Commission (SEC) proposal announced on March 9. The proposal would require, within four business days after a public company has determined that it has experienced a material cyber incident, that it disclose the incident in new item 1.05 of Form 8-K. According to the proposal, materiality, not the occurrence of the cyber incident, triggers the required disclosure of information such as the nature and scope of the incident; any data stolen, altered, accessed or used for an unauthorized purpose; the effect of the incident on the company’s operations; and remediation efforts.
The new cyber incident reporting law acts on the long-held view that information sharing is vital to national security and private sector cyber-readiness.
It helps connect the dots for more effective collective incident response. Truly understanding and planning the response to a major cyber attack is like putting together puzzle pieces — 90% of which are in the hands of private companies. By requiring cyber notification after an incident and providing liability protection to victims, the act encourages companies and governments to put all their puzzle pieces on the table for an unprecedented view into the threat at hand. This can have potentially tremendous value in terms of better-informed risk calculations by the private sector and more effective deterrence actions by the government.
Today, breach reporting is generally neither consistent nor robust. Companies need to know that their disclosures are confidential, and to seek assurance that they won’t face liability or be subject to enforcement action from regulators.
The act extends liability protection to covered entities that submit a report; privacy and civil liberties protections to limit the dissemination of any personal or identifying information collected in conjunction with reporting requirements; an exemption under the Freedom of Information Act for reports; and provisions to ensure that reports to the CISA don’t undermine trade secret and attorney-client privilege protections. It also says that no report or document submitted to comply with this law may be received in evidence, subject to discovery or otherwise used in any trial, hearing or other proceeding.
It helps amass knowledge for better cyber practices. The act requires the CISA to organize, aggregate and anonymize the information from the reports into a body of actionable information for the private sector, including cyber research organizations. This is how transparency that’s prompt and consistent yields even more benefits: enhanced situational awareness, better cyber practices and stronger collective (private-public) cyber defense. Businesses, investors, customers, employees and society at large will better understand the cyber risks they face and make better decisions.
Consider the following uses of the information set forth in the act:
The act could trigger confusion, raising questions about how this reporting obligation relates to the process for getting government assistance in responding to an attack. Grounding additional legislation in existing effective information-sharing and public-private partnerships could reduce this confusion.
Expand the protections for reporting to other agencies, not just the CISA. The act provides important privilege and liability protections for victims who report cyber incidents to the CISA, but those protections do not extend to information shared with federal law enforcement surrounding the event. It could have encouraged coordination and a faster whole-of-government response if the act had extended the same protections to information shared with other parts of government, including the Department of Energy, Treasury, USSS and the FBI.
Currently, a company that has been breached approaches the agencies it has the best relationships with, often the FBI and CISA — the two agencies that generally lead incident response efforts for the US government. Ideally, companies that report an incident, either voluntarily or as required under this act, should be assured that the information will immediately go to their local FBI/USSS cyber squad — often only minutes away — which can assist the victim’s response and recovery efforts with insights derived from investigators’ ongoing cases and intelligence collection.
Allow use of reported data for real-time law enforcement and legal processes. Future legislation should consider the use of reported data for the legal process and grant unfettered and unfiltered access to law enforcement in real time to help minimize unintended consequences.
Within the first few hours or days after discovering a breach, these mandatory reports can be crucial to helping law enforcement go after cybercriminals to disrupt their activity, stop other incidents from occurring and ultimately bring the bad guys to justice from wherever they’ve been hiding behind their keyboards.
The act also doesn’t allow agencies like the FBI to use the reported information submitted to the CISA against cybercriminals in court. If a critical infrastructure client is the victim of a ransomware attack and pays a ransom, the information the victim is required to provide about the cryptocurrency wallet where it sent the payment can’t then be used directly by prosecutors to seize those funds with a court order.
Reporting should protect victims, not the cybercrime perpetrators. Such overly broad restrictions on the use of data will ultimately hinder law enforcement’s ability to quickly and effectively help crime victims.
The act grants the CISA director broad authority to develop rules within 24 months from the date of enactment. Companies should engage in the rulemaking process so that subsequent regulations align with the intent of the law: to facilitate information sharing for better cyberdefense at the macro (national) and micro (company) levels.
You will want to stay abreast of, and perhaps provide feedback on, these four questions.
The act lays out the high-level criteria for covered entities in critical infrastructures.
Disruption to or compromise of such an entity could have consequences for national security, economic security or public health and safety.
The likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country.
The extent to which damage, disruption or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure.
The act sets forth minimum thresholds.
A cyber incident that leads to substantial loss of confidentiality, integrity or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes.
A disruption of business or industrial operations, including due to a denial of service attack, ransomware attack or exploitation of a zero-day vulnerability, against an information system or network or an operational technology system or process.
Unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider, or other third party data hosting provider or by a supply chain compromise.
It also adds criteria for consideration.
The sophistication or novelty of the tactics used to perpetrate such a cyber incident, as well as the type, volume, and sensitivity of the data at issue.
The number of individuals directly or indirectly affected or potentially affected by such a cyber incident.
Potential impact on industrial control systems, such as supervisory control and data acquisition systems, distributed control systems and programmable logic controllers.
Information to be included in a covered cyber incident report, to the extent applicable and available, such as the following set forth in the act:
A description of the function of the affected information systems, networks or devices.
An estimated date of the incident.
A description of the unauthorized access.
The impact to the operations.
A description of the vulnerabilities exploited and the security defenses that were in place, as well as the tactics, techniques and procedures used in the incident.
Any identifying or contact information related to each actor believed to be responsible.
The categories of information that were accessed or acquired by an unauthorized person.
In a ransom payment report, the following information is to be included:
The ransom payment demand, including the type of virtual currency or other commodity requested.
Ransom payment instructions, including the address of the recipient.
The amount of the ransom payment.
Rulemaking will also address the manner and form of reports in greater detail.
Where the CISA has an agreement in place that satisfies the requirements of the act, the requirements shall not apply to a covered entity required by law, regulation or contract to report substantially similar information to another federal agency within a substantially similar timeframe.
The exemption shall take effect with respect to a covered entity once an agency agreement and sharing mechanism is in place between the CISA and the respective federal agency.
This is an important issue to engage in. Companies face varied scope and time requirements for cyber incident reporting in different industries or under different government supervision. For example, for the March 9 SEC proposal on enhanced cyber disclosures, public companies should consider commenting on any overlapping or conflicting requirements within the 60-day comment period.
Cyber & Privacy Innovation Institute Leader, PwC US
Cybersecurity, Privacy & Forensics Integrated Solutions Leader, PwC US