Cyber Incident Reporting Act: What it means for your organization

New law mandates critical infrastructure organizations report cyber attacks within 72 hours

Shannon Flynn
03/28/2022


President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act into law on 15 March 2022. The new law mandates critical infrastructure owners and operators to report "substantial" cyber incidents to the US government.

The new law is part of a broader effort by the government to shore up US cyber security and protect critical infrastructure from cyber-attacks.

Businesses in the US should be aware of the law, their potential reporting obligations and how the new legislation may impact the country’s cybersecurity landscape.

Mandated reporting for critical infrastructure operators

The new law, part of the Strengthening American Cybersecurity Act, was attached to the spending deal that will fund the federal government until September 2022.

It requires that critical infrastructure operators alert the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of a breach — or 24 hours if the operator makes a ransomware payment in response to hacker demands.

Under the law, “critical infrastructure sectors” include financial services, food and agriculture, healthcare and public health, energy and communications. Businesses in these sectors are considered critical infrastructure operators and subject to the Act’s incident reporting mandate.

A full list of critical infrastructure sectors is available on CISA's website.


In addition to mandating incident reporting, the Act also grants the CISA powers to subpoena businesses that do not report security incidents or ransomware payments.

The new law is not universally popular among government organizations responsible for national cybersecurity.

Both the Department of Justice and Federal Bureau of Investigation (FBI) criticized the Act for not requiring reports to go jointly to the CISA and the Bureau. Instead, businesses mandated to report under the law will only be required to report to the CISA.

Reception of the law by the cybersecurity community appears to have been more positive. The head of cybersecurity strategy at VMware, Tom Kellerman, described the Act as a “game-changer” in an article with DarkReading, saying that the law eliminated “plausible deniability” that allowed businesses to underinvest in cybersecurity.

Many businesses may now need to hire a CISO and allocate resources to cybersecurity programs, according to Kellerman.

The law is part of a larger effort by the federal government to improve national cybersecurity. Along with other initiatives, like the US Cyberspace Solarium Commission and its Solarium Report, the Act is designed to help the government and US businesses respond to a changing cyber threat landscape.

How businesses should respond

Organizations in critical infrastructure sectors should prepare to meet new incident reporting requirements. Failure to report breaches or ransomware payments in the future could have serious consequences.

These organizations may also prioritize cyber security investments to minimize the risk of a breach or successful ransomware attack.

Reporting incidents does not have to begin right away. Federal regulators will spend the next 24 months drafting rules for the final implementation of the reporting requirements.

As a result, critical infrastructure operators will receive significant notice on implementation before they will be required to report incidents and payments.

Because businesses do not currently have specific guidance on how to report incidents, or on the consequences of failing to report a breach, it may not be possible to fully prepare for the Act’s implementation right now.

However, businesses can begin internal discussions of the new law and its cyber security implications using the information that is already available.

How non-critical infrastructure operators should respond

Businesses that are not mandated to report may still be impacted by the new requirement or future legislation.

The Cyber Incident Reporting Act signifies that the Biden administration is beginning to take cybersecurity more seriously. In the future, lawmakers could consider the creation of bills that implement stricter measures, like national incident reporting mandates.

Rising global tensions have also potentially encouraged lawmakers to take firmer action on national cyber security. Before being reintroduced to Congress, the cyber incident reporting bill was initially stripped from a defense spending bill in December 2021.


The ongoing Russian invasion of Ukraine has increased the potential of a cyber-attack against US businesses and the White House recently warned “evolving intelligence” suggested that an attack could be on the horizon. Cyber security experts and cyber insurance companies have warned about the possibility of “spillover” cyberattacks on US businesses due to the conflict.

As the war in Ukraine continues, the Biden administration may pass additional reporting legislation aimed at protecting critical American infrastructure from cyber-attacks.

How Biden’s Cyber Incident Reporting Act may impact US cyber security

Over the next 24 months, regulators will determine how to implement the new law on mandated incident reporting for critical infrastructure operators.

Businesses that fall under this designation will need to report cyber security incidents and ransomware payments to the CISA or face the possibility of subpoena and other consequences.

Organizations in both critical and non-critical sectors should begin preparing for the implementation of this new regulation now.
